
PCAntimalware 4.1.288.0



Hello all:

I was on Yahoo using Firefox on Friday reading my mail when all of a sudden I got the standard rogue anti-virus popup. I closed everything with Alt+F4 and immediately deleted all my temp files. I proceeded to scan with MBAM and AVG.

I rebooted to safe mode and did another MBAM scan. It found several infections. After rebooting all seems OK for about 10 minutes or so, then suddenly I get the "your computer is at risk" popup from the task bar and an odd-looking shield that calls itself "Windows Firewall". It wants to install "PCAntimalware 4.1.288.0"; if clicked it shows an installer. If you cancel, it installs about 15 to 20 fake folders and quits. Nothing I have tried has worked to remove the installer. I cannot seem to find the process it is running. It does not run in safe mode, so I will do a selective startup next and try to see where it's hiding.

MBAM removes everything but the installer. AVG doesn't see it, nor does Spybot S&D or CCleaner. HijackThis won't even install, so I will try that in safe mode again.

MBAM and HJT logs below.

Malwarebytes' Anti-Malware 1.37

Database version: 2198

Windows 5.1.2600 Service Pack 3

6/1/2009 12:29:34 PM

mbam-log-2009-06-01 (12-29-28).txt

Scan type: Quick Scan

Objects scanned: 90917

Time elapsed: 3 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 25

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 3

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{f58ff278-2198-403b-9170-c95022a194c6} (Rogue.AntiSpyCheck) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{e1fab6bd-4a34-47ce-82af-50b16a6be77e} (Rogue.AntiSpyCheck) -> No action taken.

HKEY_CLASSES_ROOT\Typelib\{5aa883db-7cfd-4737-b3c3-c671595ecce5} (Rogue.AntiSpyCheck) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f58ff278-2198-403b-9170-c95022a194c6} (Rogue.AntiSpyCheck) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f58ff278-2198-403b-9170-c95022a194c6} (Rogue.AntiSpyCheck) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\AntivirusXP (Rogue.AntivirusXP) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\sysguard (Rogue.SysGuard) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Doctor Adware Pro (Rogue.DoctorAdwarePro) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\RealAV (Rogue.RealAV) -> No action taken.

HKEY_CLASSES_ROOT\threatwarning.warningbho (Rogue.AntiSpyCheck) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\antispycheck 2.1 (Rogue.AntiSpyCheck) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\asc 2.1 (Rogue.AntiSpyCheck) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\asc 2.1 (Rogue.AntiSpyCheck) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ASpyC (Rogue.AntiSpyCheck) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\ASpyC (Rogue.AntiSpyCheck) -> No action taken.

HKEY_CLASSES_ROOT\spywarning.warningbho (Rogue.AntiSpyCheck) -> No action taken.

HKEY_CLASSES_ROOT\spywarning.warningbho.1 (Rogue.AntiSpyCheck) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ASpyC (Rogue.AntiSpyCheck) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\antispycheck 2.1.exe (Rogue.AntiSpyCheck) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\antispycheck (Rogue.AntiSpyCheck) -> No action taken.

HKEY_CLASSES_ROOT\smwin32.mdr (Trojan.FakeAlert) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\VirRL2009 (Rogue.AntiVirusLab) -> No action taken.

HKEY_CLASSES_ROOT\AppID\ad-protect.EXE (Rogue.ContraVirus) -> No action taken.

HKEY_CLASSES_ROOT\AppID\spamdet.DLL (Rogue.Multiple) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Solt Lake Software (Rogue.ProAntispyware2009) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

D:\Program Files\Zango (Adware.180Solutions) -> No action taken.

D:\Program Files\MyWebSearch (Adware.MyWebSearch) -> No action taken.

d:\program files\Antispyware 2008 (Rogue.Antispyware) -> No action taken.

Files Infected:

d:\documents and settings\herb\local settings\application data\de5cbc9e911ee0f5d665fb6f8f9b82a9_pi.exe (Rogue.PCAntiMalware) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:00:28 PM, on 6/1/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\Ati2evxx.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\system32\Ati2evxx.exe

D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

D:\Program Files\LogMeIn\x86\RaMaint.exe

D:\Program Files\LogMeIn\x86\LogMeIn.exe

D:\PROGRA~1\AVG\AVG8\avgrsx.exe

D:\PROGRA~1\AVG\AVG8\avgnsx.exe

D:\Program Files\LogMeIn\x86\LMIGuardian.exe

D:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

D:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

D:\WINDOWS\system32\svchost.exe

D:\PROGRA~1\AVG\AVG8\avgemc.exe

D:\Program Files\AVG\AVG8\avgcsrvx.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\RTHDCPL.EXE

D:\Program Files\LogMeIn\x86\LogMeInSystray.exe

D:\PROGRA~1\AVG\AVG8\avgtray.exe

D:\WINDOWS\VM305_STI.EXE

D:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

D:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

D:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe

D:\Program Files\Windows Live\Messenger\msnmsgr.exe

D:\WINDOWS\system32\ctfmon.exe

D:\Program Files\LogMeIn\x86\LMIGuardian.exe

D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5LAK.EXE

D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5SWK.EXE

D:\Program Files\Gigabyte\ET5\GUI.exe

D:\Program Files\Windows Live\Contacts\wlcomm.exe

D:\WINDOWS\system32\rundll32.exe

D:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

D:\Program Files\Windows Live\Mail\wlmail.exe

D:\Program Files\Internet Explorer\IEXPLORE.EXE

D:\Program Files\Internet Explorer\IEXPLORE.EXE

D:\Program Files\Mozilla Firefox\firefox.exe

D:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

D:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe

D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {58472bc6-bea3-42d4-8917-7a8bcb0711b5} - (no file)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - D:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - D:\Program Files\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - D:\Program Files\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [EasyTuneV] D:\Program Files\Gigabyte\ET5\ETcall.exe

O4 - HKLM\..\Run: [LogMeIn GUI] "D:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [bigDog305] D:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)

O4 - HKLM\..\Run: [DiscWizardMonitor.exe] D:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] D:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

O4 - HKLM\..\Run: [seagate Scheduler2 Service] "D:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [de5cbc9e911ee0f5d665fb6f8f9b82a9.33] D:\WINDOWS\system32\rundll32.exe "D:\WINDOWS\system32\de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll", start2 aff_id=2973=wm_id=0

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [de5cbc9e911ee0f5d665fb6f8f9b82a9.33] D:\WINDOWS\system32\rundll32.exe "D:\WINDOWS\system32\de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll", start2 aff_id=2973=wm_id=0

O4 - Startup: de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll.lnk = D:\WINDOWS\system32\rundll32.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Canon iC D800 Status Window.LNK = D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5LAK.EXE

O4 - Global Startup: de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll.lnk = D:\WINDOWS\system32\rundll32.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1241207145515

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - D:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

O20 - Winlogon Notify: avgrsstarter - D:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - D:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - D:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - D:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: QuickBooksDB18 - iAnywhere Solutions, Inc. - D:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe

O23 - Service: Seagate Scheduler2 Service (SgtSch2Svc) - Seagate - D:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

--

End of file - 8862 bytes


  • Staff

Hi,

From your log I see that no action was taken. I also see that the cleanup script was never run, most probably because you never rebooted or because TeaTimer blocked it. I see you are running TeaTimer.

I suggest you disable it, because it can interfere with the changes you'll make to your system.

When everything is done and your log is clean again, you can re-enable it.

If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer <== click me for instructions.

After you have disabled TeaTimer, download ResetTeaTimer.exe to your desktop.

Then run ResetTeaTimer.exe.

This will only take a few seconds.

Then rerun Malwarebytes and post the new log together with a new HijackThis log.

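The two logs in the first post and the staff observation above ("no action was taken", and a rundll32-launched DLL with a hash-like name sitting in HKLM\..\Run, HKCU\..\Run, Startup and Global Startup) lend themselves to a small triage script. The following Python is an added example written for this thread; it is not code from HijackThis, Malwarebytes or the poster. It parses the O4 autostart lines of a HijackThis log and flags entries that launch a DLL through rundll32.exe, carry a hash-like name, or are planted in more than one autostart location, and it tallies an MBAM log by reported action so a run that only reported "No action taken" is spotted before reading further. The sample lines are copied from the logs posted in the thread; the flagging heuristics are the example's own assumptions, not HijackThis rules.

```python
"""Triage helpers for HijackThis and MBAM logs.

Added example for this thread; not code from HijackThis, Malwarebytes or the
poster. The heuristics (hash-like entry names, rundll32 loading a DLL, one
autostart planted in several locations) are the example's own assumptions.
"""
import re
from collections import defaultdict

# O4 lines copied from the first HijackThis log in the thread (constructed subset).
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [de5cbc9e911ee0f5d665fb6f8f9b82a9.33] D:\WINDOWS\system32\rundll32.exe "D:\WINDOWS\system32\de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll", start2 aff_id=2973=wm_id=0
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [de5cbc9e911ee0f5d665fb6f8f9b82a9.33] D:\WINDOWS\system32\rundll32.exe "D:\WINDOWS\system32\de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll", start2 aff_id=2973=wm_id=0
O4 - Startup: de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll.lnk = D:\WINDOWS\system32\rundll32.exe
O4 - Global Startup: de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll.lnk = D:\WINDOWS\system32\rundll32.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
"""

# Detection lines copied from the first and second MBAM logs (constructed subset).
MBAM_SAMPLE = r"""
HKEY_CLASSES_ROOT\CLSID\{f58ff278-2198-403b-9170-c95022a194c6} (Rogue.AntiSpyCheck) -> No action taken.
d:\documents and settings\herb\local settings\application data\de5cbc9e911ee0f5d665fb6f8f9b82a9_pi.exe (Rogue.PCAntiMalware) -> No action taken.
D:\Program Files\Zango (Adware.180Solutions) -> Quarantined and deleted successfully.
"""

# Registry form:        O4 - HKLM\..\Run: [name] command
REG_RE = re.compile(r'^O4 - (?P<loc>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Startup-folder form:  O4 - Startup: name.lnk = target   (also "Global Startup")
LNK_RE = re.compile(r'^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$')
# 32 hex digits standing alone, i.e. an MD5-style random file name
HEX32_RE = re.compile(r'(?<![0-9a-f])[0-9a-f]{32}(?![0-9a-f])', re.I)
# rundll32.exe followed by the DLL it is told to load
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)"?', re.I)
# MBAM detection line:  item (Family) -> Action.
MBAM_RE = re.compile(r'^(?P<item>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+?)\.?$')


def parse_o4(log_text):
    """Return {loc, name, cmd} for every O4 autostart line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = REG_RE.match(line) or LNK_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def entry_key(entry):
    """Normalise a name so the registry and .lnk forms of one autostart group together."""
    key = entry['name'].lower()
    for suffix in ('.dll.lnk', '.lnk'):
        if key.endswith(suffix):
            return key[:-len(suffix)]
    return key


def triage_o4(log_text):
    """Map each suspicious autostart (by normalised name) to the reasons it was flagged."""
    groups = defaultdict(list)
    for entry in parse_o4(log_text):
        groups[entry_key(entry)].append(entry)
    findings = {}
    for key, group in groups.items():
        reasons = []
        dlls = sorted({m.group(1) for m in (RUNDLL_RE.search(e['cmd']) for e in group) if m})
        if dlls:
            reasons.append('rundll32 loads ' + ', '.join(dlls))
        if any(HEX32_RE.search(e['name']) for e in group):
            reasons.append('hash-like name')
        locs = sorted({e['loc'] for e in group})
        if len(locs) > 1:
            reasons.append('planted in %d locations: %s' % (len(locs), ', '.join(locs)))
        if reasons:
            findings[key] = reasons
    return findings


def mbam_actions(log_text):
    """Count MBAM detections by the action MBAM reports, e.g. 'No action taken'."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = MBAM_RE.match(line.strip())
        if m:
            counts[m.group('action')] += 1
    return dict(counts)


if __name__ == '__main__':
    for key, reasons in triage_o4(HJT_SAMPLE).items():
        print(key)
        for reason in reasons:
            print('  -', reason)
    print(mbam_actions(MBAM_SAMPLE))
```

Run against the posted log, the only autostart that trips all three heuristics is the de5cbc9e911ee0f5d665fb6f8f9b82a9.33 entry, which matches what the thread goes on to clean; legitimate entries such as the AVG tray and QuickBooks updater stay quiet. The MBAM tally makes the first log's problem visible at a glance: every detection reads "No action taken", so nothing was quarantined.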

I posted the wrong log.

Here are the correct MBAM and HJT logs. After I restarted and scanned again, the same files come up as infected within 10 minutes.

Malwarebytes' Anti-Malware 1.37

Database version: 2198

Windows 5.1.2600 Service Pack 3

6/1/2009 2:12:11 PM

mbam-log-2009-06-01 (14-12-11).txt

Scan type: Quick Scan

Objects scanned: 89834

Time elapsed: 2 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 24

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 3

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{f58ff278-2198-403b-9170-c95022a194c6} (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{e1fab6bd-4a34-47ce-82af-50b16a6be77e} (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{5aa883db-7cfd-4737-b3c3-c671595ecce5} (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f58ff278-2198-403b-9170-c95022a194c6} (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\AntivirusXP (Rogue.AntivirusXP) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\sysguard (Rogue.SysGuard) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Doctor Adware Pro (Rogue.DoctorAdwarePro) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\RealAV (Rogue.RealAV) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\threatwarning.warningbho (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\antispycheck 2.1 (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\asc 2.1 (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\asc 2.1 (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ASpyC (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\ASpyC (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\spywarning.warningbho (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\spywarning.warningbho.1 (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ASpyC (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\antispycheck 2.1.exe (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\antispycheck (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\smwin32.mdr (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\VirRL2009 (Rogue.AntiVirusLab) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\ad-protect.EXE (Rogue.ContraVirus) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\spamdet.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Solt Lake Software (Rogue.ProAntispyware2009) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

D:\Program Files\Zango (Adware.180Solutions) -> Quarantined and deleted successfully.

D:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

d:\program files\Antispyware 2008 (Rogue.Antispyware) -> Quarantined and deleted successfully.

Files Infected:

d:\documents and settings\herb\local settings\application data\de5cbc9e911ee0f5d665fb6f8f9b82a9_pi.exe (Rogue.PCAntiMalware) -> Quarantined and deleted successfully.

HJT

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:30:19 PM, on 6/1/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\Ati2evxx.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\Ati2evxx.exe

D:\WINDOWS\system32\spoolsv.exe

D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

D:\Program Files\LogMeIn\x86\RaMaint.exe

D:\Program Files\LogMeIn\x86\LogMeIn.exe

D:\PROGRA~1\AVG\AVG8\avgrsx.exe

D:\PROGRA~1\AVG\AVG8\avgnsx.exe

D:\Program Files\LogMeIn\x86\LMIGuardian.exe

D:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

D:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

D:\WINDOWS\system32\svchost.exe

D:\PROGRA~1\AVG\AVG8\avgemc.exe

D:\Program Files\AVG\AVG8\avgcsrvx.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\RTHDCPL.EXE

D:\Program Files\LogMeIn\x86\LogMeInSystray.exe

D:\PROGRA~1\AVG\AVG8\avgtray.exe

D:\Program Files\LogMeIn\x86\LMIGuardian.exe

D:\WINDOWS\VM305_STI.EXE

D:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

D:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

D:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe

D:\Program Files\Windows Live\Messenger\msnmsgr.exe

D:\WINDOWS\system32\ctfmon.exe

D:\WINDOWS\system32\rundll32.exe

D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5LAK.EXE

D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

D:\Program Files\Gigabyte\ET5\GUI.exe

D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5SWK.EXE

D:\Program Files\Windows Live\Contacts\wlcomm.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {58472bc6-bea3-42d4-8917-7a8bcb0711b5} - (no file)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - D:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - D:\Program Files\Windows Live\Toolbar\wltcore.dll

O2 - BHO: (no name) - {F58FF278-2198-403b-9170-C95022A194C6} - (no file)

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - D:\Program Files\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [EasyTuneV] D:\Program Files\Gigabyte\ET5\ETcall.exe

O4 - HKLM\..\Run: [LogMeIn GUI] "D:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [bigDog305] D:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)

O4 - HKLM\..\Run: [DiscWizardMonitor.exe] D:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] D:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

O4 - HKLM\..\Run: [seagate Scheduler2 Service] "D:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [de5cbc9e911ee0f5d665fb6f8f9b82a9.33] D:\WINDOWS\system32\rundll32.exe "D:\WINDOWS\system32\de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll", start2 aff_id=2973=wm_id=0

O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [de5cbc9e911ee0f5d665fb6f8f9b82a9.33] D:\WINDOWS\system32\rundll32.exe "D:\WINDOWS\system32\de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll", start2 aff_id=2973=wm_id=0

O4 - Startup: de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll.lnk = D:\WINDOWS\system32\rundll32.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Canon iC D800 Status Window.LNK = D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5LAK.EXE

O4 - Global Startup: de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll.lnk = D:\WINDOWS\system32\rundll32.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1241207145515

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - D:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

O20 - Winlogon Notify: avgrsstarter - D:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - D:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - D:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - D:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: QuickBooksDB18 - iAnywhere Solutions, Inc. - D:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe

O23 - Service: Seagate Scheduler2 Service (SgtSch2Svc) - Seagate - D:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

--

End of file - 8773 bytes


  • Staff

Hi,

Can you also update, please, because you're a couple of definitions behind.

Then rerun the scan and post the new logs in your next reply.

Also, as I already said in my previous post, please read the instructions to disable TeaTimer, because I see it's still up and running, which explains why Malwarebytes can't properly finish its job.


Hello Miekiemoes:

Thank you for taking the time to help me with this.

I updated MBAM first thing this morning, but I think it failed, though there was no indication to me. I updated again just now. I also tried to disable TeaTimer when you asked the first time, but it did not go, so I uninstalled S&D for now. I don't use it often anyhow. I have two MBAM logs here.

The first was after I updated everything, scanned, then rebooted.

The second is after the reboot.

Then the latest HJT.

Malwarebytes' Anti-Malware 1.37

Database version: 2209

Windows 5.1.2600 Service Pack 3

6/1/2009 2:43:32 PM

mbam-log-2009-06-01 (14-43-32).txt

Scan type: Quick Scan

Objects scanned: 90647

Time elapsed: 3 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 25

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 3

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{f58ff278-2198-403b-9170-c95022a194c6} (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{e1fab6bd-4a34-47ce-82af-50b16a6be77e} (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{5aa883db-7cfd-4737-b3c3-c671595ecce5} (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f58ff278-2198-403b-9170-c95022a194c6} (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f58ff278-2198-403b-9170-c95022a194c6} (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\AntivirusXP (Rogue.AntivirusXP) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\sysguard (Rogue.SysGuard) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Doctor Adware Pro (Rogue.DoctorAdwarePro) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\RealAV (Rogue.RealAV) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\threatwarning.warningbho (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\antispycheck 2.1 (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\asc 2.1 (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\asc 2.1 (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ASpyC (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\ASpyC (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\spywarning.warningbho (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\spywarning.warningbho.1 (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ASpyC (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\antispycheck 2.1.exe (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\antispycheck (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\smwin32.mdr (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\VirRL2009 (Rogue.AntiVirusLab) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\ad-protect.EXE (Rogue.ContraVirus) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\spamdet.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Solt Lake Software (Rogue.ProAntispyware2009) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

D:\Program Files\Zango (Adware.180Solutions) -> Quarantined and deleted successfully.

D:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

d:\program files\Antispyware 2008 (Rogue.Antispyware) -> Quarantined and deleted successfully.

Files Infected:

d:\documents and settings\herb\local settings\application data\de5cbc9e911ee0f5d665fb6f8f9b82a9_pi.exe (Rogue.PCAntiMalware) -> Quarantined and deleted successfully.

Mbam #2

Malwarebytes' Anti-Malware 1.37

Database version: 2209

Windows 5.1.2600 Service Pack 3

6/1/2009 2:52:15 PM

mbam-log-2009-06-01 (14-52-15).txt

Scan type: Quick Scan

Objects scanned: 90703

Time elapsed: 3 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 24

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 3

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{f58ff278-2198-403b-9170-c95022a194c6} (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{e1fab6bd-4a34-47ce-82af-50b16a6be77e} (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{5aa883db-7cfd-4737-b3c3-c671595ecce5} (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f58ff278-2198-403b-9170-c95022a194c6} (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\AntivirusXP (Rogue.AntivirusXP) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\sysguard (Rogue.SysGuard) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Doctor Adware Pro (Rogue.DoctorAdwarePro) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\RealAV (Rogue.RealAV) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\threatwarning.warningbho (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\antispycheck 2.1 (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\asc 2.1 (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\asc 2.1 (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ASpyC (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\ASpyC (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\spywarning.warningbho (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\spywarning.warningbho.1 (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ASpyC (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\antispycheck 2.1.exe (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\antispycheck (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\smwin32.mdr (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\VirRL2009 (Rogue.AntiVirusLab) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\ad-protect.EXE (Rogue.ContraVirus) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\spamdet.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Solt Lake Software (Rogue.ProAntispyware2009) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

D:\Program Files\Zango (Adware.180Solutions) -> Quarantined and deleted successfully.

D:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

d:\program files\Antispyware 2008 (Rogue.Antispyware) -> Quarantined and deleted successfully.

Files Infected:

d:\documents and settings\herb\local settings\application data\de5cbc9e911ee0f5d665fb6f8f9b82a9_pi.exe (Rogue.PCAntiMalware) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:53:36 PM, on 6/1/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\Ati2evxx.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\Ati2evxx.exe

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\Explorer.EXE

D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

D:\Program Files\LogMeIn\x86\RaMaint.exe

D:\WINDOWS\RTHDCPL.EXE

D:\Program Files\LogMeIn\x86\LogMeInSystray.exe

D:\Program Files\LogMeIn\x86\LogMeIn.exe

D:\PROGRA~1\AVG\AVG8\avgrsx.exe

D:\PROGRA~1\AVG\AVG8\avgtray.exe

D:\PROGRA~1\AVG\AVG8\avgnsx.exe

D:\Program Files\LogMeIn\x86\LMIGuardian.exe

D:\WINDOWS\VM305_STI.EXE

D:\Program Files\LogMeIn\x86\LMIGuardian.exe

D:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

D:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

D:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe

D:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

D:\WINDOWS\system32\rundll32.exe

D:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

D:\WINDOWS\system32\svchost.exe

D:\Program Files\Windows Live\Messenger\msnmsgr.exe

D:\PROGRA~1\AVG\AVG8\avgemc.exe

D:\WINDOWS\system32\ctfmon.exe

D:\Program Files\AVG\AVG8\avgcsrvx.exe

D:\Program Files\Gigabyte\ET5\GUI.exe

D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5LAK.EXE

D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5SWK.EXE

D:\Program Files\Windows Live\Contacts\wlcomm.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

D:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe

D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {58472bc6-bea3-42d4-8917-7a8bcb0711b5} - (no file)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - D:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - D:\Program Files\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - D:\Program Files\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [EasyTuneV] D:\Program Files\Gigabyte\ET5\ETcall.exe

O4 - HKLM\..\Run: [LogMeIn GUI] "D:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [bigDog305] D:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)

O4 - HKLM\..\Run: [DiscWizardMonitor.exe] D:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] D:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

O4 - HKLM\..\Run: [seagate Scheduler2 Service] "D:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [de5cbc9e911ee0f5d665fb6f8f9b82a9.33] D:\WINDOWS\system32\rundll32.exe "D:\WINDOWS\system32\de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll", start2 aff_id=2973=wm_id=0

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [de5cbc9e911ee0f5d665fb6f8f9b82a9.33] D:\WINDOWS\system32\rundll32.exe "D:\WINDOWS\system32\de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll", start2 aff_id=2973=wm_id=0

O4 - Startup: de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll.lnk = D:\WINDOWS\system32\rundll32.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Canon iC D800 Status Window.LNK = D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5LAK.EXE

O4 - Global Startup: de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll.lnk = D:\WINDOWS\system32\rundll32.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1241207145515

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - D:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

O20 - Winlogon Notify: avgrsstarter - D:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - D:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - D:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - D:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: QuickBooksDB18 - iAnywhere Solutions, Inc. - D:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe

O23 - Service: Seagate Scheduler2 Service (SgtSch2Svc) - Seagate - D:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

--

End of file - 8487 bytes


  • Staff

Hi,

Your logs are confusing, because normally, after a second scan, the logs should come up clean. But I see it didn't delete anything?

This doesn't make sense though... it's supposed to delete what it found unless your Windows got severely damaged in the meanwhile, where registry access and file access got corrupted... or you're performing a "last known good" after every boot.

Anyway, it all doesn't make sense when I see your logs...

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {58472bc6-bea3-42d4-8917-7a8bcb0711b5} - (no file)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O4 - HKLM\..\Run: [de5cbc9e911ee0f5d665fb6f8f9b82a9.33] D:\WINDOWS\system32\rundll32.exe "D:\WINDOWS\system32\de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll", start2 aff_id=2973=wm_id=0

O4 - HKCU\..\Run: [de5cbc9e911ee0f5d665fb6f8f9b82a9.33] D:\WINDOWS\system32\rundll32.exe "D:\WINDOWS\system32\de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll", start2 aff_id=2973=wm_id=0

O4 - Startup: de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll.lnk = D:\WINDOWS\system32\rundll32.exe

O4 - Global Startup: de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll.lnk = D:\WINDOWS\system32\rundll32.exe

O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

Post a new HijackThis log in your next reply.


Believe me I understand how confusing this is.

Let me say this. If I rerun an mbam scan without rebooting, it comes up clean. But once I reboot... it's all back.

Here is the HJT log before reboot:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:10:45 PM, on 6/1/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\Ati2evxx.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\Ati2evxx.exe

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\Explorer.EXE

D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

D:\Program Files\LogMeIn\x86\RaMaint.exe

D:\WINDOWS\RTHDCPL.EXE

D:\Program Files\LogMeIn\x86\LogMeInSystray.exe

D:\Program Files\LogMeIn\x86\LogMeIn.exe

D:\PROGRA~1\AVG\AVG8\avgrsx.exe

D:\PROGRA~1\AVG\AVG8\avgtray.exe

D:\PROGRA~1\AVG\AVG8\avgnsx.exe

D:\Program Files\LogMeIn\x86\LMIGuardian.exe

D:\WINDOWS\VM305_STI.EXE

D:\Program Files\LogMeIn\x86\LMIGuardian.exe

D:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

D:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

D:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe

D:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

D:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

D:\WINDOWS\system32\svchost.exe

D:\Program Files\Windows Live\Messenger\msnmsgr.exe

D:\PROGRA~1\AVG\AVG8\avgemc.exe

D:\WINDOWS\system32\ctfmon.exe

D:\Program Files\AVG\AVG8\avgcsrvx.exe

D:\Program Files\Gigabyte\ET5\GUI.exe

D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5LAK.EXE

D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5SWK.EXE

D:\Program Files\Windows Live\Contacts\wlcomm.exe

D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - D:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - D:\Program Files\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - D:\Program Files\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [EasyTuneV] D:\Program Files\Gigabyte\ET5\ETcall.exe

O4 - HKLM\..\Run: [LogMeIn GUI] "D:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [bigDog305] D:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)

O4 - HKLM\..\Run: [DiscWizardMonitor.exe] D:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] D:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

O4 - HKLM\..\Run: [seagate Scheduler2 Service] "D:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Canon iC D800 Status Window.LNK = D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5LAK.EXE

O4 - Global Startup: QuickBooks Update Agent.lnk = D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1241207145515

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - D:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - D:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - D:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - D:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - D:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: QuickBooksDB18 - iAnywhere Solutions, Inc. - D:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe

O23 - Service: Seagate Scheduler2 Service (SgtSch2Svc) - Seagate - D:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

--

End of file - 7443 bytes


  • Staff

This entry is set:

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

This means it will run once after reboot and clean what it found. It will then erase that entry.

So please do NOT run malwarebytes again, but just reboot only.

After reboot, rescan with HijackThis and post a new log in your next reply (HijackThis log). Do not run Malwarebytes in between, because it will confuse things again, and I want to see here first if this is a registry corruption or not.

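The entries the staff member picked out above all point at one random-looking DLL registered in four autorun locations, and the RunOnce check is essentially a before/after comparison of two logs. As an added example (not code from this thread, Malwarebytes or Trend Micro), this Python script automates both: it parses HijackThis O4 lines, flags entries whose name or rundll32 argument is a 32-hex-character hash or that register the same payload in several places, and diffs the scan entries of two logs. The sample logs are constructed from the entries quoted in this thread; the flagging rules are this example's own heuristics, not HijackThis features.

```python
"""Triage HijackThis O4 (autorun) entries and diff two HijackThis logs.

Added example: not code from the thread or from any vendor. Input is the
plain text of a HijackThis v2 log; the samples below are constructed from
the entries quoted in this thread.
"""
import ntpath
import re
from collections import defaultdict

# Constructed sample: a subset of the log posted before the HijackThis fix.
HJT_BEFORE = r"""
O2 - BHO: (no name) - {58472bc6-bea3-42d4-8917-7a8bcb0711b5} - (no file)
O4 - HKLM\..\Run: [LogMeIn GUI] "D:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [de5cbc9e911ee0f5d665fb6f8f9b82a9.33] D:\WINDOWS\system32\rundll32.exe "D:\WINDOWS\system32\de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll", start2 aff_id=2973=wm_id=0
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [de5cbc9e911ee0f5d665fb6f8f9b82a9.33] D:\WINDOWS\system32\rundll32.exe "D:\WINDOWS\system32\de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll", start2 aff_id=2973=wm_id=0
O4 - Startup: de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll.lnk = D:\WINDOWS\system32\rundll32.exe
O4 - Global Startup: de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll.lnk = D:\WINDOWS\system32\rundll32.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
"""

# Constructed sample: the same subset after the fix and a reboot (RunOnce consumed).
HJT_AFTER = r"""
O4 - HKLM\..\Run: [LogMeIn GUI] "D:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - Global Startup: QuickBooks Update Agent.lnk = D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
"""

O4_RE = re.compile(r"^O4 - (?P<location>.+?): (?P<rest>.*)$")
REG_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<command>.*)$")   # [name] command
# 32 contiguous hex digits not embedded in a longer hex run (MD5-style file names).
HASHLIKE_RE = re.compile(r"(?<![0-9a-f])[0-9a-f]{32}(?![0-9a-f])", re.I)
RUNDLL_RE = re.compile(r'rundll32\.exe"?\s+"?(?P<dll>[^",]+\.dll)', re.I)
EXE_RE = re.compile(r'"?(?P<path>[^"]+?\.(?:exe|dll|scr|com|bat|cmd))', re.I)
ENTRY_RE = re.compile(r"^(?:R\d|O\d+) - ")


def parse_o4(log_text):
    """Return one dict per O4 line: registry Run entries ([name] command)
    and Startup-folder shortcuts (file.lnk = target) are normalised alike."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        reg = REG_RE.match(rest)
        if reg:
            name, command = reg.group("name"), reg.group("command")
        else:
            name, _, command = rest.partition(" = ")
        entries.append({"location": m.group("location"), "name": name,
                        "command": command.strip(), "line": line})
    return entries


def payload_key(entry):
    """Group entries that launch the same thing: a hash-like token if one is
    present, otherwise the lower-cased file name of the launched program."""
    m = HASHLIKE_RE.search(entry["name"] + " " + entry["command"])
    if m:
        return m.group(0).lower()
    exe = EXE_RE.match(entry["command"])
    return ntpath.basename(exe.group("path")).lower() if exe else entry["command"].lower()


def triage_o4(entries):
    """Return [(log line, [reasons])] for entries that look like rogue persistence."""
    groups = defaultdict(list)
    for e in entries:
        groups[payload_key(e)].append(e)
    findings = []
    for e in entries:
        reasons = []
        if HASHLIKE_RE.search(e["name"]):
            reasons.append("hash-like entry name")
        dll = RUNDLL_RE.search(e["command"])
        if dll and HASHLIKE_RE.search(ntpath.basename(dll.group("dll"))):
            reasons.append("rundll32 loads hash-named DLL")
        n = len(groups[payload_key(e)])
        if n > 1:
            reasons.append(f"same payload registered in {n} autorun locations")
        if reasons:
            findings.append((e["line"], reasons))
    return findings


def diff_logs(before, after):
    """Compare the scan entries (R*/O* lines) of two logs; running-process
    lines are ignored because they change from boot to boot.
    Returns (removed, added) as sorted lists."""
    def entries(text):
        return {ln.strip() for ln in text.splitlines() if ENTRY_RE.match(ln.strip())}
    b, a = entries(before), entries(after)
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for line, reasons in triage_o4(parse_o4(HJT_BEFORE)):
        print(line[:60] + "...", "->", "; ".join(reasons))
    removed, added = diff_logs(HJT_BEFORE, HJT_AFTER)
    print(f"{len(removed)} entries removed, {len(added)} added after fix and reboot")
```

On the sample, the four hash-named entries are the only findings, and the diff shows the RunOnce entry gone along with them, which is the post-reboot state the staff member asked to verify.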

Here you go.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:20:34 PM, on 6/1/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\Ati2evxx.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\Ati2evxx.exe

D:\WINDOWS\system32\spoolsv.exe

D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

D:\Program Files\LogMeIn\x86\RaMaint.exe

D:\Program Files\LogMeIn\x86\LogMeIn.exe

D:\PROGRA~1\AVG\AVG8\avgrsx.exe

D:\PROGRA~1\AVG\AVG8\avgnsx.exe

D:\Program Files\LogMeIn\x86\LMIGuardian.exe

D:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

D:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

D:\WINDOWS\system32\svchost.exe

D:\PROGRA~1\AVG\AVG8\avgemc.exe

D:\Program Files\AVG\AVG8\avgcsrvx.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\RTHDCPL.EXE

D:\Program Files\LogMeIn\x86\LogMeInSystray.exe

D:\PROGRA~1\AVG\AVG8\avgtray.exe

D:\WINDOWS\VM305_STI.EXE

D:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

D:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

D:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe

D:\Program Files\Windows Live\Messenger\msnmsgr.exe

D:\WINDOWS\system32\ctfmon.exe

D:\Program Files\LogMeIn\x86\LMIGuardian.exe

D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5LAK.EXE

D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5SWK.EXE

D:\Program Files\Gigabyte\ET5\GUI.exe

D:\Program Files\Windows Live\Contacts\wlcomm.exe

D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - D:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - D:\Program Files\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - D:\Program Files\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [EasyTuneV] D:\Program Files\Gigabyte\ET5\ETcall.exe

O4 - HKLM\..\Run: [LogMeIn GUI] "D:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [bigDog305] D:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)

O4 - HKLM\..\Run: [DiscWizardMonitor.exe] D:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] D:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

O4 - HKLM\..\Run: [seagate Scheduler2 Service] "D:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"

O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Canon iC D800 Status Window.LNK = D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5LAK.EXE

O4 - Global Startup: QuickBooks Update Agent.lnk = D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1241207145515

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - D:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - D:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - D:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - D:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - D:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: QuickBooksDB18 - iAnywhere Solutions, Inc. - D:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe

O23 - Service: Seagate Scheduler2 Service (SgtSch2Svc) - Seagate - D:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

--

End of file - 7310 bytes


Malwarebytes' Anti-Malware 1.37

Database version: 2209

Windows 5.1.2600 Service Pack 3

6/1/2009 3:27:25 PM

mbam-log-2009-06-01 (15-27-25).txt

Scan type: Quick Scan

Objects scanned: 90859

Time elapsed: 2 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f58ff278-2198-403b-9170-c95022a194c6} (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


That did it. I had to uninstall Malwarebytes and reinstall the latest version. I downloaded it to a flash drive on another computer. The updater would look as though it was working but never updated the version. Stopped by the rogue, no doubt.

I thank you for your help.


  • Staff

No need for the screenshots :)

Glad I could help. :huh:

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
