Jump to content

Recommended Posts

I have run malwarebytes several times with two infections being found then i deleting them. After i restart and run it again the same two infections appear. I know little about computers and would appreciate any help that is availible to me. The logs are as follows. Thanks!

Malwarebytes' Anti-Malware 1.35

Database version: 1909

Windows 5.1.2600 Service Pack 1

7/28/2009 8:31:01 PM

mbam-log-2009-07-28 (20-31-01).txt

Scan type: Quick Scan

Objects scanned: 80860

Time elapsed: 8 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\MRSoft (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:58:58 PM, on 7/28/2009

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\Atievxx.exe

c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

C:\Program Files\Cox\Applications\app\Console.exe

C:\Program Files\AOpen Wireless LAN\AOI-701R\WlanMonitor.exe

c:\Program Files\Cox\Applications\App\syssvcnt.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rhodeisland.cox.net/

O2 - BHO: (no name) - {33161E98-0A6C-4d3c-BD62-3A7D56137F52} - (no file)

O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - C:\Program Files\Cox\Applications\App\popupbho01.dll

O2 - BHO: Flash Module - {E8CD09B0-BA55-4157-9E84-6B4B1C89B9A0} - sockver1.dll (file missing)

O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\Cox\Applications\App\popupbho01.dll

O3 - Toolbar: (no name) - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\DOCUME~1\Mike\LOCALS~1\Temp\mstsk32.dll (file missing)

O3 - Toolbar: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - C:\Documents and Settings\Mike\sthbdm32.dll

O3 - Toolbar: (no name) - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\DOCUME~1\Mike\LOCALS~1\Temp\svhc32.dll (file missing)

O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINDOWS\System32\winsys32.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [ESP] C:\Program Files\Cox\Applications\app\start.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\tsitra72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9

B1894E754BE54C29159A7DA781DA6650639C3A4827B144

O4 - HKLM\..\Run: [tejewu] C:\Program Files\Windows NT\tejewu77798.exe

O4 - HKLM\..\Run: [winload] C:\Program Files\Internet Explorer\winload.exe

O4 - HKLM\..\Run: [bxproxy] C:\Documents and Settings\Mike\winsys32.exe

O4 - HKLM\..\Run: [new.net startup] C:\Documents and Settings\Mike\posterm.dll

O4 - HKLM\..\Run: [mmnext06] C:\Documents and Settings\Mike\uncwqs.dll

O4 - HKCU\..\Run: [iSMPack6] "C:\Program Files\ISM2\ISMPack6.exe"

O4 - HKCU\..\Run: [spywareSoftStop] C:\Program Files\SpywareSoftStop\SpywareSoftStop.exe

O4 - HKCU\..\Run: [ParetoLogic Anti-Spyware] "C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash

O4 - Startup: Configuration & Monitor Utility.lnk = ?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O10 - Unknown file in Winsock LSP: winsck2.dll

O10 - Unknown file in Winsock LSP: winsck2.dll

O10 - Unknown file in Winsock LSP: winsck2.dll

O10 - Unknown file in Winsock LSP: winsck2.dll

O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe

O20 - AppInit_DLLs: C:\WINDOWS\System32\smsgcdgc.dll

O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\Cox\Applications\App\syssvcnt.exe

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

--

End of file - 4440 bytes

Link to post
Share on other sites

Hi mdm4mem and Welcome to Malwarebytes! Sorry for the delay.

I see Windows 5.1.2600 Service Pack 1?

Please run the MGA Diagnostic Tool and post back the report it creates:

  • Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.

Also, I would like you to generate a "Add/Remove Software list" log using the HijackThis application. Here is how you can do this:

To get an Uninstall List from HijackThis:

  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

In your next reply, please include these log(s):

* HijackThis Uninstall List

* MGA Diagnostic Report

Link to post
Share on other sites

Thanks for a reply! Provided are the logs you requested.

Here is the uninstall list from hijack this:

Adobe Flash Player 9 ActiveX

Anti-Spyware (Aluria)

Anti-Virus (Command Software)

AOI-701R PCMCIA Wireless LAN

Authentium AntiVirus SDK - 2

Cox (CVUS)

Cox High Speed Internet Security Suite

ESP

Firewall (Core)

Firewall (User)

HijackThis 2.0.2

hp deskjet 3320 series (Remove only)

Malwarebytes' Anti-Malware

Microsoft Office Standard Edition 2003

Microsoft Windows Script 5.7

Nokia Connectivity Cable Driver

Popup Blocker

Sierra Print Artist 4.5

Sierra Utilities

Third Party Prerequisites

upapp

Web Filtering (Base 2)

Windows Installer 3.0 (KB884016)

but, i am having an issue with MGA diagnostic tool. I am doing this operation on two computers. The infected machine does not get internet access due to the infection. so, what I did to get MGA onto the infected machine was to save it on a flashdrive and then move it to the infected machine. When I tried to run MGA, the program open but when I clicked 'continue' this window popped up, "Microsoft Genuine Advantage Diagnostic tool has encountered a problem and needs to close. We are sorry for the inconvience. If you were in the middle of something, the information you were working on might be lost. For more information about this error, click here." Then when i click 'close' the program closes. Interestingly, this same message opens up when openng Internet explorer, therefore blocking me from reaching the internet on the infected machine.

Thanks, mdm4mem

Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.