94 Infections found and MBAM stops responding!!


It seems my machine is the breeding ground for many unwanted infections. The only infection that Microsoft's MRT found was WinNT/Alureon.C. This happens to be a .sys file in my System32 folder; it starts with ovfs+random characters and ends with .sys, but I can't find it manually.

I ran ERDNT to back up the registry and then TFC to clean unwanted files. Sadly TFC cleaned up a whopping 30 GB of data... and all my user files, but hey, it's no problem!!

The problems/symptoms that I currently have are:

1) I'm unable to make any new user accounts, and if I make a new one at the desktop it shows that the user profile was not correctly loaded... blah blah blah

2) There seems to be no System Restore or msconfig.exe, and there's nothing in the Administrative Tools folder under All Programs. I can't find Microsoft Management Console.

3) All the program folders under "All Programs" have disappeared, even though they are functional and present in the Program Files folder in C:

4) When I type the @ key i get " and vice versa

5) MBAM gets stuck after about 4 minutes of finding 94 infections. I'm not able to run RootRepeal.

6) During the last hour or so, when I searched for this forum through Google I was taken somewhere else.

What should i do next?

Thanks


HT Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:22:46, on 15/08/2009

Platform: Windows Vista (WinNT 6.00.1904)

MSIE: Internet Explorer v8.00 (8.00.6001.18241)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\config\systemprofile\AppData\Local\Google\Update\GoogleUpdate.exe

C:\Program Files\Internet Download Manager\IDMan.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Windows\system32\config\systemprofile\AppData\Local\Google\Update\1.2.183.7\GoogleCrashHandler.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Program Files\Internet Download Manager\IEMonitor.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.ie

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.ie

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.ie

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKCU\..\Run: [Google Update] "C:\Windows\system32\config\systemprofile\AppData\Local\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [iDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~3\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKUS\S-1-5-18\..\Run: [Google Update] "C:\Windows\system32\config\systemprofile\AppData\Local\Google\Update\GoogleUpdate.exe" /c (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [iDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [Yahoo! Pager] "C:\PROGRA~3\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Google Update] "C:\Windows\system32\config\systemprofile\AppData\Local\Google\Update\GoogleUpdate.exe" /c (User 'Default user')

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm

O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm

O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~3\Microsoft Office\Office12\EXCEL.EXE/3000

O9 - Extra button: Blog This - -{219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - -{219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Send to OneNote - -{2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~3\Microsoft Office\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - -{2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~3\Microsoft Office\Office12\ONBttnIE.dll

O9 - Extra button: Bonjour - -{7F9DB11C-E358-4ca6-A83D-ACC663939424} - (no file)

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~3\Microsoft Office\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~3\Microsoft Office\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~3\Microsoft Office\Office12\REFIEBAR.DLL

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O13 - Gopher Prefix:

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) -

O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} -

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} -

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} -

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe

O23 - Service: AMTELGEY - Unknown owner - (no file)

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: EXWMHNQP - Unknown owner - C:\Users\HELLBR~1\AppData\Local\Temp\EXWMHNQP.exe (file missing)

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Inkjet Printer/Scanner Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

O23 - Service: LRL - Unknown owner - C:\Users\HELLBR~1\AppData\Local\Temp\LRL.exe (file missing)

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional Home XI.SP4\Win32\RpcDataSrv.exe

O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional Home XI.SP4\RpcSandraSrv.exe

O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

O23 - Service: ZLVWGF - Yahoo! Inc. - (no file)

--

End of file - 10366 bytes

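One way to triage a HijackThis log like the one above is to score each line by the things a helper looks for first: O23 services whose binary is missing or lives under a Temp directory (the owner field is just the display name the service registered, so "Yahoo! Inc." on an empty path proves nothing), orphaned O2 BHO entries pointing at no file, and O10 Winsock LSP lines the tool did not recognise. The following is an added Python example written for this thread, not a Malwarebytes or HijackThis tool; its sample input is a handful of lines excerpted from the log above, and the severity thresholds and the all-caps "random-looking name" heuristic are the example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample: lines excerpted from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O23 - Service: AMTELGEY - Unknown owner - (no file)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EXWMHNQP - Unknown owner - C:\Users\HELLBR~1\AppData\Local\Temp\EXWMHNQP.exe (file missing)
O23 - Service: LRL - Unknown owner - C:\Users\HELLBR~1\AppData\Local\Temp\LRL.exe (file missing)
O23 - Service: ZLVWGF - Yahoo! Inc. - (no file)
""".strip()

# HijackThis line shapes (as they appear in the log; the owner field is the
# service's self-declared display name, not a verified publisher).
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
# Heuristic (assumption of this example): 3-8 uppercase letters with no
# vendor-style mixed case looks like a generated name.
RANDOM_NAME_RE = re.compile(r"^[A-Z]{3,8}$")


def triage_line(line):
    """Return (severity, reason) for one log line, or None if nothing stands out."""
    line = line.strip()
    m = SERVICE_RE.match(line)
    if m:
        name, owner, path = m.group("name", "owner", "path")
        reasons = []
        if "(file missing)" in path or path == "(no file)":
            reasons.append("service binary absent")
        if "\\temp\\" in path.lower():
            reasons.append("service runs from a Temp directory")
        if RANDOM_NAME_RE.match(name):
            reasons.append("random-looking all-caps service name")
        if reasons:
            severity = "high" if len(reasons) >= 2 else "medium"
            return severity, f"O23 {name} (owner '{owner}'): " + "; ".join(reasons)
        return None
    m = BHO_RE.match(line)
    if m and m.group("path") == "(no file)":
        # Registered but its DLL is gone: leftover, worth removing, not by itself malicious.
        return "low", f"O2 orphaned BHO {{{m.group('clsid')}}}: DLL missing"
    m = LSP_RE.match(line)
    if m:
        # An LSP HijackThis does not recognise; needs a lookup, not an automatic removal.
        return "info", f"O10 Winsock LSP not recognised: {m.group('path')}"
    return None


def triage_log(text):
    """Triage every line, dropping repeated identical findings (O10 lines repeat)."""
    findings, seen = [], set()
    for line in text.splitlines():
        hit = triage_line(line)
        if hit and hit not in seen:
            seen.add(hit)
            findings.append(hit)
    return findings


def summarize(findings):
    """Count findings per severity as a plain dict."""
    return dict(Counter(severity for severity, _ in findings))


if __name__ == "__main__":
    for severity, reason in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}")
    print(summarize(triage_log(SAMPLE_LOG)))
```

Run as-is it lists the four O23 entries that combine an absent binary with a Temp path or a generated-looking name as high, the nameless BHO as low and the wpclsp.dll LSP once as info; a real triage would still verify each flagged path and CLSID by hand before deciding what to remove.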

  • Staff

Hi hellbraker and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

However, do not download it from the links on that page. Download it from here instead:

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
