Finally got HJT & MBAM to run

kens

My original post was in the 'what do I do' "about Antivirus Pro 2010" forum on 9-14. After following the clean-up from some similar threads, I did finally get HJT downloaded and run from Trend Micro and MBAM downloaded and run from CNET on 9-20. The logs are here for review. I appreciate your help so much. This has been a week from you know where. Ken S.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:39:15 PM, on 9/20/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Lexmark 7100 Series\lxbxmon.exe

C:\Program Files\Lexmark 7100 Series\ezprint.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\lxbxcoms.exe

C:\Program Files\McAfee\Anti-Theft\McPvTray.exe

C:\Program Files\BigFix\BigFix.exe

C:\Program Files\Creative Home\Hallmark Card Studio 2009\Planner\PLNRnote.exe

C:\Program Files\Hallmark\Hallmark Card Studio Photo Card Edition\Planner\PLNRnote.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [intelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"

O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 7100 Series\fm3032.exe" /s

O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"

O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe

O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide

O4 - HKLM\..\Run: [McPvTray] C:\Program Files\McAfee\Anti-Theft\McPvTray.exe

O4 - HKCU\..\Run: [OM_Monitor] ; C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe

O4 - HKCU\..\Run: [MSMSGS] ; "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe

O4 - Global Startup: Event Planner Reminder 2009.lnk = ?

O4 - Global Startup: Photo Card Event Planner Reminder.lnk = ?

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://*.mcafee.com

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193415415687

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: McAfee Application Installer Cleanup (0240311253459555) (0240311253459555mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\024031~1.EXE

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--

End of file - 8144 bytes

Malwarebytes' Anti-Malware 1.41

Database version: 2831

Windows 5.1.2600 Service Pack 3

9/20/2009 1:37:30 PM

mbam-log-2009-09-20 (13-37-30).txt

Scan type: Quick Scan

Objects scanned: 104399

Time elapsed: 6 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\tftp.msc (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\FILTER.sys (Trojan.DNSBlocker) -> Quarantined and deleted successfully.

C:\WINDOWS\0535251103110107106.yux (KoobFace.Trace) -> Quarantined and deleted successfully.

This is a Superantispyware log from earlier in the day, and those 11 items were fixed. I enclose it only so you can see where we came from. Ken

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 09/20/2009 at 07:35 AM

Application Version : 4.29.1002

Core Rules Database Version : 4102

Trace Rules Database Version: 1978

Scan type : Complete Scan

Total Scan Time : 00:21:22

Memory items scanned : 518

Memory threats detected : 0

Registry items scanned : 5765

Registry threats detected : 9

File items scanned : 19314

File threats detected : 11

Trojan.Unclassified/BraviaX

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run#braviax [ C:\WINDOWS\system32\braviax.exe ]

HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run#braviax [ C:\WINDOWS\system32\braviax.exe ]

Rogue.Component/Trace

HKLM\Software\Microsoft\18ECC5E3

HKLM\Software\Microsoft\18ECC5E3#18ecc5e3

HKLM\Software\Microsoft\18ECC5E3#Version

HKLM\Software\Microsoft\18ECC5E3#18ec6863

HKLM\Software\Microsoft\18ECC5E3#18ec0186

HKU\S-1-5-21-2141977767-2994533718-58751993-500\Software\Microsoft\FIAS4018

Rogue.Agent/Gen

HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN#14520154

C:\Documents and Settings\All Users\Application Data\14520154

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\14520154\14520154.EXE

Trojan.Agent/Gen

C:\WINDOWS\system32\lowsec\local.ds

C:\WINDOWS\system32\lowsec\user.ds

C:\WINDOWS\system32\lowsec\user.ds.lll

C:\WINDOWS\system32\lowsec

Trojan.Downloader-Gen/A

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\A.EXE

C:\WINDOWS\Prefetch\A.EXE-34A60060.pf

Adware.CouponBar

C:\WINDOWS\CPNPRT2.CID

C:\WINDOWS\SYSTEM32\CPNPRT2.CID

Trojan.Dropper/Win-NV

C:\WINDOWS\LD14.EXE
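The logs above are easier to triage once the O4 (autostart) and O23 (service) lines are pulled apart into name, publisher and binary path, and once MBAM's "Registry Data Items" lines are read for what they actually say: the two Security Center values were set to 1, which silences the Windows XP warnings that the antivirus or firewall is off, and MBAM restored them to 0. The script below is an added example, not code from the poster or from HijackThis, Malwarebytes or SUPERAntiSpyware; the regular expressions and the flagging heuristics (binary in a Temp directory, service with no recorded publisher, unresolved startup shortcut, relative executable path) are my own, and the sample lines are copied from the logs posted above. The flags are triage hints only: the "Unknown owner" hit on McAfee SiteAdvisor is benign, whereas the McAfee cleanup service running from the Administrator's Temp folder is the sort of entry a reviewer would check by hand.

```python
"""Triage helpers for two log formats posted in this thread: HijackThis O4/O23
lines and Malwarebytes' Anti-Malware "Registry Data Items Infected" lines.
Added example; the heuristics are mine, not any of these tools' own logic."""
import re
from dataclasses import dataclass, field

# A handful of lines copied from the HijackThis log above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [McPvTray] C:\Program Files\McAfee\Anti-Theft\McPvTray.exe
O4 - Global Startup: Event Planner Reminder 2009.lnk = ?
O23 - Service: McAfee Application Installer Cleanup (0240311253459555) (0240311253459555mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\024031~1.EXE
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
""".strip().splitlines()

# The two "Registry Data Items Infected" lines from the MBAM log above.
SAMPLE_MBAM = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
""".strip().splitlines()

O4_RUN_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O4_LNK_RE = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First executable of a command line: a quoted path, an unquoted path ending in
# a PE-style extension (may contain spaces), or the first whitespace token.
EXE_RE = re.compile(
    r'^(?:"(?P<q>[^"]+)"|(?P<p>.+?\.(?:exe|dll|sys|scr|com|bat|cmd)\b)|(?P<t>\S+))', re.I)
MBAM_DATA_RE = re.compile(
    r"^(?P<key>.+?) \((?P<detection>[^)]+)\) -> Bad: \((?P<bad>[^)]*)\) "
    r"Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$")


@dataclass
class Finding:
    kind: str                 # "O4" (autostart) or "O23" (service)
    name: str
    target: str               # executable or service binary as logged
    reasons: list = field(default_factory=list)


def first_executable(cmd: str) -> str:
    m = EXE_RE.match(cmd.strip())
    return (m.group("q") or m.group("p") or m.group("t")) if m else ""


def review_hjt(lines):
    """One Finding per O4/O23 line; reasons stays empty when nothing stood out."""
    findings = []
    for line in lines:
        if m := O23_RE.match(line):
            f = Finding("O23", m["name"], m["path"])
            if m["owner"] == "Unknown owner":
                f.reasons.append("service has no publisher recorded")
        elif (m := O4_RUN_RE.match(line)) or (m := O4_LNK_RE.match(line)):
            f = Finding("O4", m["name"], first_executable(m["cmd"]))
            if f.target == "?":
                f.reasons.append("startup shortcut target could not be resolved")
            elif not re.match(r"^(?:[A-Za-z]:\\|%[^%]+%)", f.target):
                f.reasons.append("relative path: resolved by PATH search at logon")
        else:
            continue                      # not an O4/O23 line
        if re.search(r"\\(?:temp|tmp)\\", f.target, re.I):
            f.reasons.append("runs from a temporary directory")
        findings.append(f)
    return findings


def suspicious(findings):
    return [f for f in findings if f.reasons]


def review_mbam_registry_data(lines):
    """Parse MBAM 'Registry Data Items' lines into value name, bad/good data, action."""
    out = []
    for line in lines:
        if m := MBAM_DATA_RE.match(line):
            out.append({"value": m["key"].rsplit("\\", 1)[-1], "detection": m["detection"],
                        "bad": m["bad"], "good": m["good"], "action": m["action"]})
    return out


if __name__ == "__main__":
    for f in suspicious(review_hjt(SAMPLE_HJT)):
        print(f"{f.kind} {f.name}: {f.target}\n    " + "; ".join(f.reasons))
    for item in review_mbam_registry_data(SAMPLE_MBAM):
        print(f"{item['value']} was {item['bad']} (expected {item['good']}): {item['action']}")
```

Run it as-is to see the four flagged entries and the two Security Center values; to use it on a full HijackThis log, pass the file's lines to `review_hjt` in place of `SAMPLE_HJT`. The "relative path" flag fires on `nwiz.exe /install` because a Run value without a full path is resolved through the PATH search order at logon, which is worth knowing even when, as here, the entry belongs to the NVIDIA driver package.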

2 weeks later...

Hello and welcome to the Malwarebytes forum!

Please follow the instructions mentioned over here: http://www.malwarebytes.org/forums/index.php?showtopic=9573

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.

  • Unzip the RootRepeal.zip file into its own folder. (If you did not use the "Direct Download" mirror to download RootRepeal.)
  • Close/Disable all other programs, especially your security programs (anti-spyware, anti-virus, and firewall). Refer to this page if you are unsure how.
  • Physically disconnect your machine from the internet, as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator.
  • Click the Report tab at the bottom.
  • Now press the Scan button.
  • A box will pop up; check the boxes beside all seven options/scan areas.
  • Now click OK.
  • Another box will open; check the boxes beside all the drives, e.g. C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop.
  • Reconnect to the internet.
  • Post the contents of that log in your reply, please.

Then, please give me an update of the condition of your machine and what problems or symptoms you may have.

With Regards,

Extremeboy


Dear Extremeboy, See QUOTE (sjpritch25 @ Sep 28 2009, 06:39 PM). I think I'm all fixed & well now. Please review the threads above. I did the Root Repeal thing awhile back. Thanks for your reply, and if there's something more I need to do that I'm missing here, please shout out again. Ken
