Jump to content

malwarebytes cant remove even after reboot!


Recommended Posts

this is what i got from malwarebytes after scan!

Malwarebytes' Anti-Malware 1.36

Database version: 2178

Windows 5.1.2600 Service Pack 1

6/3/2009 12:39:36 AM

mbam-log-2009-06-03 (00-39-36).txt

Scan type: Quick Scan

Objects scanned: 123298

Time elapsed: 9 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

the values which it says have deleted keeps coming as soon as i reboot and malare is not able to delete it after many attempts..i even tried combofix..but it too didnt helped me...what should i do now?

Link to post
Share on other sites

  • Staff
.i even tried combofix..but it too didnt helped me...what should i do now
If those policies appear everytime again, then it means that there's other malware still active and running. Unfortunately I can't do anything with the above log. Above log only shows what it detected, it doesn't show me what is still present there.

Since you have used Combofix, please post its log, because you say that Combofix didn't help you, but how is it supposed to help you if it may only be used under supervision because we need to see the logs to instruct what to remove.

Link to post
Share on other sites

well....here is my hijack this log now!!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:19:17 PM, on 6/5/2009

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS2\System32\smss.exe

C:\WINDOWS2\system32\winlogon.exe

C:\WINDOWS2\system32\services.exe

C:\WINDOWS2\system32\lsass.exe

C:\WINDOWS2\system32\svchost.exe

C:\WINDOWS2\system32\svchost.exe

C:\WINDOWS2\System32\svchost.exe

C:\WINDOWS2\system32\spoolsv.exe

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS2\Explorer.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

C:\PROGRA~1\Yahoo!\MESSEN~1\yupdater.exe

C:\WINDOWS2\System32\svchost.exe

C:\DOCUME~1\Trishul\LOCALS~1\Temp\cdxuy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS2\System32\msdxm.ocx

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{1E3C618B-E64B-4F97-8235-8944EEF950E3}: NameServer = 218.248.240.208 218.248.240.135

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

O23 - Service: NetVeda Safety.Net (ipcSvc) - NetVeda LLC - C:\Program Files\NetVeda\Safety.Net\ipcsvc.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--

End of file - 3483 bytes

now can u help me from start? still my taskmanager and regedit are disabled!

Link to post
Share on other sites

  • Staff

Hi,

I have the bad feeling that you are dealing with the Sality Virus here - also since I see random exe files running from your Temp folder. If that is the case, then a format and reinstall is unfortunately the only option that makes sense.

Sality is a file infector and infects legitimate files, so the infected files may not be deleted, but disinfected instead. So only an Antivirus can do that. But the problem here is, Sality is a buggy virus and may misinfect files and because of that, it cannot disinfect infected files either, because it will corrupt them.

Also see here... http://miekiemoes.blogspot.com/2009/02/vir...s-throwing.html

Also the fact that your Windows is unpatched really doesn't make it worth it. Unpatched Windows get reinfected immediately again, no matter what... so we would be both wasting our time.

Anyway, the only way to find out if you are dealing with Sality is to install an Antivirus (since you don't have an Antivirus installed here). In case you can't even install an Antivirus (known one), then I'm 100% sure it's Sality or a variant here, because Sality blocks them.

* Please install Avira Antivirus: http://www.free-av.com/

Perform a full scan with Avira and let it delete everything it is finding.

Then reboot.

After reboot, open your Avira and select "reports".

There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.

Link to post
Share on other sites

  • 2 weeks later...
  • Staff

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.