Jump to content

(Hijack.WindowsUpdates)


bilcatt
 Share

Recommended Posts

Hello,

I am new to this forum and this is my first post. I currently have two issues and I could not find the answers by searching. The first issue is when I run the Malwarebytes scan it shows two infections -

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.

I believe this is stopping my windows updates from running and MWB can not seem to fix it. I am attaching both of the logs.

The second issue is with Trend Micro scan, not sure if it is real or not. After much searching, I have found many different pieces of information greatly varying on the severity of this. MWB odes not see this, just mentioning it in case it is related. It shows a Troj_generic.DIT in C:windows\system32\drivers\NDIS.SYS. I have tried to replace this file with the one from the i386 directory but it is locked. I tried to boot in safe mode, but was not able to log in.

Here are the logs from MWB and Hijack. Please let me know if I am not posting these correctly.

Thank you. Malwarebytes' Anti-Malware 1.41

Database version: 2838

Windows 5.1.2600 Service Pack 2

9/24/2009 10:00:23 AM

mbam-log-2009-09-24 (09-59-52).txt

Scan type: Quick Scan

Objects scanned: 125353

Time elapsed: 5 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:10:20 AM, on 9/24/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Remote Services\AM.utEventServer.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\dgrpencx.exe

C:\Program Files\DigitalPersona\Bin\DpHost.exe

C:\Program Files\Common Files\Rockwell\EventServer.exe

C:\Program Files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

c:\Program Files\Kodak\AiO\center\KodakSvc.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Remote Services\WENGINE\wmonitor.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\Program Files\Common Files\Rockwell\NmspHost.exe

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Rockwell\RdcyHost.exe

C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe

C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe

C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe

C:\Program Files\Common Files\Rockwell\RsvcHost.exe

C:\Program Files\Softricity\SoftGrid for Windows Desktops\sftvsa.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Remote Services\AM.blScriptEngine.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe

C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe

c:\Program Files\Kodak\AiO\Center\EKDiscovery.exe

C:\Program Files\Common Files\Rockwell\RnaDirServer.exe

C:\Program Files\Softricity\SoftGrid for Windows Desktops\sftlist.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\WINDOWS\TEMP\CL8A63.EXE

C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe

C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

C:\Program Files\Softricity\SoftGrid for Windows Desktops\sftdcc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Softricity\SoftGrid for Windows Desktops\SFTTray.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Program Files\DigitalPersona\Bin\DPAgnt.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\Nero\PHOTOS~1\data\Xtras\mssysmgr.exe

C:\Program Files\DNA\btdna.exe

C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe

c:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\AC2008E\acad.exe

c:\DOCUME~1\carneywl\LOCALS~1\Temp\AdskCleanup.0001

C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe

C:\Program Files\AC2008E\AcePmComServer5.exe

C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe

C:\Program Files\iTunes\iTunes.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\hh.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.dematic.us/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.dematic.us/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: (no name) - - (no file)

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"C:\Program Files\Softricity\SoftGrid for Windows Desktops\sftdcc.exe",

O2 - BHO: FCTBPos00Pos - {DB50C8A1-3319-44F7-9B85-0FC709FE010D} - C:\Program Files\Pittsburgh Steelers Toolbar\Toolbar.dll

O3 - Toolbar: Pittsburgh Steelers Toolbar - {CDE29804-DAEC-4232-8B4B-21D5FFAB4A16} - C:\Program Files\Pittsburgh Steelers Toolbar\Toolbar.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [softGridTray] C:\Program Files\Softricity\SoftGrid for Windows Desktops\SFTTray.exe /autostart

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [usbCipHelper] C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe

O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "c:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [T-Mobile Connection Manager] "C:\Program Files\T-Mobile\Connection Manager\TMobileCM.exe" -a

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\PHOTOS~1\data\Xtras\mssysmgr.exe

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLa...erInstaller.CAB

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1187964097375

O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} (ContactExtractor Class) - http://www.facebook.com/controls/contactx.dll

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187975242609

O16 - DPF: {BF17C411-9ADA-4C73-B12C-BD814BDE187F} (ScheduleServices.CtlScheduleServices) - http://grrp556a.amcs.tld/LDS/core/common/S...uleServices.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amcs.tld

O17 - HKLM\Software\..\Telephony: DomainName = amcs.tld

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amcs.tld

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = amcs.tld

O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll

O23 - Service: Access Manager Event Service (AM.EventService) - MCI, Inc. - C:\Program Files\Remote Services\AM.utEventServer.exe

O23 - Service: Access Manager Install Service (AM.InstallService) - MCI, Inc. - C:\Program Files\Remote Services\AM.InstallService.exe

O23 - Service: Access Manager Script Service (AM.ScriptService) - MCI, Inc. - C:\Program Files\Remote Services\AM.blScriptEngine.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Bonjour Service - Apple Inc. - c:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Digi RealPort Network Service (DgRpEncx) - Digi International Inc. - C:\WINDOWS\system32\dgrpencx.exe

O23 - Service: dnWhoDisp - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe

O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe

O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe

O23 - Service: Rockwell Event Multiplexer (EventClientMultiplexer) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe

O23 - Service: Rockwell Event Server (EventServer) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\EventServer.exe

O23 - Service: FactoryTalk Activation Helper (FTActivationBoost) - Rockwell Automation Inc. - C:\Program Files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe

O23 - Service: Harmony - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE

O23 - Service: iPod Service - Apple Inc. - c:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - c:\Program Files\Kodak\AiO\Center\EKDiscovery.exe

O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - c:\Program Files\Kodak\AiO\center\KodakSvc.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LogReceiver - Unknown owner - C:\Program Files\Rockwell Software\RSLinx Enterprise\LogReceiver.exe

O23 - Service: MCI Monitor Service (MCIMonitor) - Boingo Wireless, Inc. - C:\Program Files\Remote Services\WENGINE\wmonitor.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: Rockwell Namespace Services (NmspHost) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\NmspHost.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe

O23 - Service: Rockwell Redundancy Services (RdcyHost) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RdcyHost.exe

O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Automation Inc. - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe

O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe

O23 - Service: Rockwell Directory Server (RNADirectory) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RnaDirServer.exe

O23 - Service: Rockwell Directory Multiplexer (RNADirMultiplexor) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe

O23 - Service: Rockwell HMI Diagnostics - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe

O23 - Service: Rockwell Tag Server - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\TagSrv.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: RSLinx Classic (RSLinx) - Rockwell Automation, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE

O23 - Service: RSLinx Enterprise (RSLinxNG) - Rockwell Automation - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe

O23 - Service: Rockwell Application Services (RsvcHost) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RsvcHost.exe

O23 - Service: SoftGrid Client (sftlist) - Softricity, Inc. - C:\Program Files\Softricity\SoftGrid for Windows Desktops\sftlist.exe

O23 - Service: SoftGrid Virtual Service Agent (sftvsa) - Softricity, Inc. - C:\Program Files\Softricity\SoftGrid for Windows Desktops\sftvsa.exe

O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe

O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe

O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

O23 - Service: T-Mobile RcApp Svc (TMobileRcAppSvc) - SmithMicro Inc. - C:\Program Files\T-Mobile\Connection Manager\RcAppSvc.exe

O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/carneywl/LOCALS~1/Temp/msohtml1/01/clip_image002.gif

--

End of file - 16062 bytes

Link to post
Share on other sites

  • Root Admin

You didn't tell MBAM to fix the problem. You need to tell MBAM to fix the problem. Then reboot and run a new scan

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

Link to post
Share on other sites

You didn't tell MBAM to fix the problem. You need to tell MBAM to fix the problem. Then reboot and run a new scan

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

Thanks for the response. I updated and ran it again ran it again, here are the logs. It does say it fixes them but they are still there.

Malwarebytes' Anti-Malware 1.41

Database version: 2866

Windows 5.1.2600 Service Pack 2

9/28/2009 5:28:33 AM

mbam-log-2009-09-28 (05-28-33).txt

Scan type: Quick Scan

Objects scanned: 123716

Time elapsed: 5 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

And the Hijack log -

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:37:57 AM, on 9/28/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe

C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Remote Services\AM.utEventServer.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\dgrpencx.exe

C:\Program Files\DigitalPersona\Bin\DpHost.exe

C:\Program Files\Common Files\Rockwell\EventServer.exe

C:\Program Files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

c:\Program Files\Kodak\AiO\center\KodakSvc.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Remote Services\WENGINE\wmonitor.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\Program Files\Common Files\Rockwell\NmspHost.exe

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Rockwell\RdcyHost.exe

C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe

C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe

C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe

C:\Program Files\Common Files\Rockwell\RsvcHost.exe

C:\Program Files\Softricity\SoftGrid for Windows Desktops\sftvsa.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe

C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe

c:\Program Files\Kodak\AiO\Center\EKDiscovery.exe

C:\Program Files\Softricity\SoftGrid for Windows Desktops\sftlist.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Program Files\Common Files\Rockwell\RnaDirServer.exe

C:\WINDOWS\TEMP\LGFF0F.EXE

C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe

C:\Program Files\Softricity\SoftGrid for Windows Desktops\sftdcc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Softricity\SoftGrid for Windows Desktops\SFTTray.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Program Files\DigitalPersona\Bin\DPAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\PROGRA~1\Nero\PHOTOS~1\data\Xtras\mssysmgr.exe

C:\Program Files\DNA\btdna.exe

C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe

C:\Program Files\MemTurbo 4\MemTurbo.exe

c:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.dematic.us/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.dematic.us/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: (no name) - - (no file)

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"C:\Program Files\Softricity\SoftGrid for Windows Desktops\sftdcc.exe",

O2 - BHO: FCTBPos00Pos - {DB50C8A1-3319-44F7-9B85-0FC709FE010D} - C:\Program Files\Pittsburgh Steelers Toolbar\Toolbar.dll

O3 - Toolbar: Pittsburgh Steelers Toolbar - {CDE29804-DAEC-4232-8B4B-21D5FFAB4A16} - C:\Program Files\Pittsburgh Steelers Toolbar\Toolbar.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [softGridTray] C:\Program Files\Softricity\SoftGrid for Windows Desktops\SFTTray.exe /autostart

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [usbCipHelper] C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe

O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "c:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [T-Mobile Connection Manager] "C:\Program Files\T-Mobile\Connection Manager\TMobileCM.exe" -a

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\PHOTOS~1\data\Xtras\mssysmgr.exe

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem

O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo 4\MemTurbo.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLa...erInstaller.CAB

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1253819520711

O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} (ContactExtractor Class) - http://www.facebook.com/controls/contactx.dll

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187975242609

O16 - DPF: {BF17C411-9ADA-4C73-B12C-BD814BDE187F} (ScheduleServices.CtlScheduleServices) - http://grrp556a.amcs.tld/LDS/core/common/S...uleServices.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amcs.tld

O17 - HKLM\Software\..\Telephony: DomainName = amcs.tld

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amcs.tld

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = amcs.tld

O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll

O23 - Service: Access Manager Event Service (AM.EventService) - MCI, Inc. - C:\Program Files\Remote Services\AM.utEventServer.exe

O23 - Service: Access Manager Install Service (AM.InstallService) - MCI, Inc. - C:\Program Files\Remote Services\AM.InstallService.exe

O23 - Service: Access Manager Script Service (AM.ScriptService) - MCI, Inc. - C:\Program Files\Remote Services\AM.blScriptEngine.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Bonjour Service - Apple Inc. - c:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Digi RealPort Network Service (DgRpEncx) - Digi International Inc. - C:\WINDOWS\system32\dgrpencx.exe

O23 - Service: dnWhoDisp - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe

O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe

O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe

O23 - Service: Rockwell Event Multiplexer (EventClientMultiplexer) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe

O23 - Service: Rockwell Event Server (EventServer) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\EventServer.exe

O23 - Service: FactoryTalk Activation Helper (FTActivationBoost) - Rockwell Automation Inc. - C:\Program Files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe

O23 - Service: Harmony - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE

O23 - Service: iPod Service - Apple Inc. - c:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - c:\Program Files\Kodak\AiO\Center\EKDiscovery.exe

O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - c:\Program Files\Kodak\AiO\center\KodakSvc.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LogReceiver - Unknown owner - C:\Program Files\Rockwell Software\RSLinx Enterprise\LogReceiver.exe

O23 - Service: MCI Monitor Service (MCIMonitor) - Boingo Wireless, Inc. - C:\Program Files\Remote Services\WENGINE\wmonitor.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: Rockwell Namespace Services (NmspHost) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\NmspHost.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe

O23 - Service: Rockwell Redundancy Services (RdcyHost) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RdcyHost.exe

O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Automation Inc. - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe

O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe

O23 - Service: Rockwell Directory Server (RNADirectory) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RnaDirServer.exe

O23 - Service: Rockwell Directory Multiplexer (RNADirMultiplexor) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe

O23 - Service: Rockwell HMI Diagnostics - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe

O23 - Service: Rockwell Tag Server - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\TagSrv.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: RSLinx Classic (RSLinx) - Rockwell Automation, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE

O23 - Service: RSLinx Enterprise (RSLinxNG) - Rockwell Automation - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe

O23 - Service: Rockwell Application Services (RsvcHost) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RsvcHost.exe

O23 - Service: SoftGrid Client (sftlist) - Softricity, Inc. - C:\Program Files\Softricity\SoftGrid for Windows Desktops\sftlist.exe

O23 - Service: SoftGrid Virtual Service Agent (sftvsa) - Softricity, Inc. - C:\Program Files\Softricity\SoftGrid for Windows Desktops\sftvsa.exe

O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe

O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe

O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

O23 - Service: T-Mobile RcApp Svc (TMobileRcAppSvc) - SmithMicro Inc. - C:\Program Files\T-Mobile\Connection Manager\RcAppSvc.exe

O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/carneywl/LOCALS~1/Temp/msohtml1/01/clip_image002.gif

--

End of file - 16177 bytes

Link to post
Share on other sites

  • Root Admin

Okay, please run the following.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but name Combofix.exe to iexplore.exe instead, or winlogon.exe..

This because It also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so this whitelist also includes system important processes such as iexplore.exe, explorer.exe, winlogon.exe...

Link to post
Share on other sites

After seeing the warnings, I tried to stop ComboFix form running with the Trend still on, but it started anyway. It was not able to create the recovery point, (I think that our company administrators have some things locked out), but even with these limitations, it seems to have fixed my issue. After two restarts, the computer started doing the updates again and the Malware scan shows clean.

I still have Trend Office Scan showing the NDIS.SYS trojan, but I can live with that one.

Thanks for all your help.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.