Jump to content

MWB, HJThis and other Spyware Removal programs terminate once run


calabama

Recommended Posts

My search results have been hijacked in IE and FF. Upon lcicking on a result from a search engine I am redirected to an advertisment page, or directed to a non related page to the search query.

My system allows MWB to be downloaded and installed, but when run it terminates after attempting to perform a quick scan. The time for termination is 1-2 seconds after scan is initatied.

When I attempt to run the process again windows informs me that "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."

I am logged in as a user with Admin (Full Control) permissions.

My system is a Windows Vista Home Premium.

I downloaded and ran ComboFix.exe. Here are the results:

ComboFix 09-09-27.05 - Bylsma 09/28/2009 15:13.5.2 - NTFSx86

Running from: c:\users\Bylsma\Downloads\ComboFix.exe

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

Infected copy of c:\windows\system32\cngaudit.dll was found and disinfected

Restored copy from - c:\windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

-- Previous Run --

Infected copy of c:\windows\system32\cngaudit.dll was found and disinfected

Restored copy from - c:\windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

--------

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-28 )))))))))))))))))))))))))))))))

.

2009-09-28 18:31 . 2009-09-28 19:01 -------- d-----w- c:\program files\SpywareBlaster

2009-09-28 18:28 . 2009-09-28 18:28 -------- d-----w- c:\program files\BillP Studios

2009-09-28 18:27 . 2009-09-28 18:27 -------- d-----w- c:\program files\Malware Removal Tool

2009-09-28 18:21 . 2009-09-28 19:02 -------- d-----w- c:\program files\green4

2009-09-28 18:19 . 2009-09-28 18:19 -------- d-----w- c:\program files\Search

2009-09-28 18:09 . 2009-09-28 18:09 -------- d-----w- c:\program files\green2

2009-09-28 17:55 . 2009-09-28 17:55 -------- d-----w- c:\program files\green

2009-09-28 17:51 . 2009-09-28 17:51 -------- d-----w- c:\users\Bylsma\AppData\Roaming\Malwarebytes

2009-09-28 17:51 . 2009-09-28 17:51 -------- d-----w- c:\program files\eea5

2009-09-27 06:04 . 2009-09-27 06:04 0 ----a-w- c:\windows\system32\settings.dat

2009-09-27 02:18 . 2009-09-03 02:51 94208 ----a-w- c:\windows\eSellerateControl365.dll

2009-09-27 02:18 . 2009-09-27 02:18 -------- d-----w- c:\program files\Security Stronghold

2009-09-27 01:19 . 2009-09-27 01:19 -------- d-----w- c:\programdata\F-Secure

2009-09-27 00:59 . 2009-09-27 00:59 -------- d-----w- c:\program files\eea4

2009-09-27 00:57 . 2009-09-28 19:20 -------- d-----w- c:\users\Bylsma\AppData\Local\temp

2009-09-27 00:57 . 2009-09-28 19:19 -------- d-----w- c:\users\Carol\AppData\Local\temp

2009-09-26 20:55 . 2009-09-26 20:58 -------- d-----w- c:\program files\Trend Micro

2009-09-26 19:27 . 2009-09-26 19:27 -------- dc-h--w- c:\programdata\{EF63305C-BAD7-4144-9208-D65528260864}

2009-09-26 19:04 . 2009-09-26 19:05 -------- d-----w- c:\program files\Spybot - Search & Destroy2

2009-09-26 19:00 . 2009-09-26 23:12 -------- d-----w- c:\program files\eea3

2009-09-26 17:32 . 2009-09-28 18:19 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2009-09-26 17:32 . 2009-09-26 19:03 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-26 17:15 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-26 17:15 . 2009-09-26 17:15 -------- d-----w- c:\program files\eea2

2009-09-26 17:15 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-26 16:25 . 2009-09-26 17:14 -------- d-----w- c:\program files\eea-bytes

2009-09-26 16:10 . 2009-09-26 16:10 -------- d-----w- c:\users\Carol\AppData\Roaming\Malwarebytes

2009-09-26 16:10 . 2009-09-26 16:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-26 16:10 . 2009-09-26 16:10 -------- d-----w- c:\programdata\Malwarebytes

2009-09-16 13:18 . 2009-06-15 15:24 175104 ----a-w- c:\windows\system32\wdigest.dll

2009-09-16 13:18 . 2009-06-15 15:21 499712 ----a-w- c:\windows\system32\kerberos.dll

2009-09-16 13:18 . 2009-06-15 18:20 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-09-16 13:18 . 2009-06-15 15:24 72704 ----a-w- c:\windows\system32\secur32.dll

2009-09-16 13:18 . 2009-06-15 15:24 270848 ----a-w- c:\windows\system32\schannel.dll

2009-09-16 13:18 . 2009-06-15 15:23 1256448 ----a-w- c:\windows\system32\lsasrv.dll

2009-09-16 13:18 . 2009-06-15 15:22 213504 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-16 13:18 . 2009-06-15 12:57 9728 ----a-w- c:\windows\system32\lsass.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-19 21:19 . 2008-12-23 01:31 -------- d-----w- c:\programdata\Lx_cats

2009-08-14 17:07 . 2009-09-09 20:11 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys

2009-08-14 16:29 . 2009-09-09 20:11 104960 ----a-w- c:\windows\system32\netiohlp.dll

2009-08-14 16:29 . 2009-09-09 20:11 17920 ----a-w- c:\windows\system32\netevent.dll

2009-08-14 14:16 . 2009-09-09 20:11 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE

2009-08-14 14:16 . 2009-09-09 20:11 17920 ----a-w- c:\windows\system32\ROUTE.EXE

2009-08-14 14:16 . 2009-09-09 20:11 11264 ----a-w- c:\windows\system32\MRINFO.EXE

2009-08-14 14:16 . 2009-09-09 20:11 27136 ----a-w- c:\windows\system32\NETSTAT.EXE

2009-08-14 14:16 . 2009-09-09 20:11 19968 ----a-w- c:\windows\system32\ARP.EXE

2009-08-14 14:16 . 2009-09-09 20:11 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE

2009-08-14 14:16 . 2009-09-09 20:11 10240 ----a-w- c:\windows\system32\finger.exe

2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll

2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll

2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe

2009-08-01 00:03 . 2009-08-01 00:00 -------- d-----w- c:\program files\Common Files\Adobe

2009-07-18 16:06 . 2009-07-29 12:28 827904 ----a-w- c:\windows\system32\wininet.dll

2009-07-18 16:01 . 2009-07-29 12:28 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-07-18 09:46 . 2009-07-29 12:28 26624 ----a-w- c:\windows\system32\ieUnatt.exe

2009-07-17 14:35 . 2009-08-12 12:19 71680 ----a-w- c:\windows\system32\atl.dll

2009-07-14 13:00 . 2009-08-12 12:18 313344 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-14 12:59 . 2009-08-12 12:18 4096 ----a-w- c:\windows\system32\dxmasf.dll

2009-07-14 12:58 . 2009-08-12 12:18 7680 ----a-w- c:\windows\system32\spwmp.dll

2009-07-14 10:59 . 2009-08-12 12:18 8147456 ----a-w- c:\windows\system32\wmploc.DLL

2009-07-11 19:32 . 2009-09-09 20:11 513024 ----a-w- c:\windows\system32\wlansvc.dll

2009-07-11 19:32 . 2009-09-09 20:11 302592 ----a-w- c:\windows\system32\wlansec.dll

2009-07-11 19:32 . 2009-09-09 20:11 293376 ----a-w- c:\windows\system32\wlanmsm.dll

2009-07-11 19:29 . 2009-09-09 20:11 127488 ----a-w- c:\windows\system32\L2SecHC.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-09-26_16.45.30 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-01-21 01:58 . 2009-09-28 18:05 31176 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin

+ 2006-11-02 13:05 . 2009-09-28 18:05 66174 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin

+ 2008-12-22 02:34 . 2009-09-28 19:20 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2008-12-22 02:34 . 2009-09-26 16:30 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2008-12-22 02:34 . 2009-09-28 19:20 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

- 2008-12-22 02:34 . 2009-09-26 16:30 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

- 2008-12-22 02:34 . 2009-09-26 16:30 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2008-12-22 02:34 . 2009-09-28 19:20 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2006-11-02 08:43 . 2006-11-02 09:46 11776 c:\windows\System32\cngaudit.dll

+ 2008-12-22 21:30 . 2009-09-28 18:05 4848 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2031486734-1738215335-836306654-1003_UserData.bin

+ 2008-12-22 02:34 . 2009-09-26 18:45 6170 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2031486734-1738215335-836306654-1000_UserData.bin

+ 2008-12-22 23:24 . 2009-09-28 16:02 222882 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin

+ 2009-09-26 21:18 . 2009-09-26 21:18 119296 c:\windows\Installer\933bcf.msi

+ 2009-07-10 14:39 . 2009-07-10 14:39 406640 c:\windows\Downloaded Program Files\fslauncher.dll

+ 2006-11-02 10:33 . 2009-09-28 18:09 7412470 c:\windows\System32\perfc009.dat

+ 2006-11-02 10:33 . 2009-09-28 18:09 20666236 c:\windows\System32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-08 3444736]

"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-13 405504]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 133656]

"lxdwmon.exe"="c:\program files\Lexmark 7600 Series\lxdwmon.exe" [2008-05-21 676520]

"EzPrint"="c:\program files\Lexmark 7600 Series\ezprint.exe" [2008-05-21 131752]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-07-27 341312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

"{2ED3B289-8756-4724-B862-52F806E77021}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{66CA0C5D-2DD6-4D2E-BEC4-3C7B7203C20D}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{B6DCE5D3-36CB-40AE-AC71-1F09064BC1F8}"= UDP:c:\windows\System32\lxdwcoms.exe:Lexmark Communications System

"{A69B831A-B3A9-4F73-A203-69900672D1B2}"= TCP:c:\windows\System32\lxdwcoms.exe:Lexmark Communications System

"TCP Query User{4767632F-6BAC-4C58-844E-860F80DDA8AE}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer

"UDP Query User{F210BDF3-D0F1-4F40-A88D-77E03AA0FE07}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer

R0 szkg5;szkg;c:\windows\system32\DRIVERS\szkg.sys [x]

R2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdwserv.exe [2008-05-16 98984]

R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]

S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-09-20 73728]

S2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe [2008-05-16 594600]

S3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2007-06-07 111616]

S3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\DRIVERS\OEM02Dev.sys [2007-10-11 235648]

S3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\DRIVERS\OEM02Vfx.sys [2007-03-05 7424]

.

Contents of the 'Scheduled Tasks' folder

2009-09-28 c:\windows\Tasks\User_Feed_Synchronization-{09AD3BC8-FCCC-4EF1-8E03-F2926B38818F}.job

- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]

2009-09-28 c:\windows\Tasks\User_Feed_Synchronization-{BA289E1A-CB65-4D21-B934-23816F0342E5}.job

- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]

.

.

------- Supplementary Scan -------

.

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\users\Bylsma\AppData\Roaming\Mozilla\Firefox\Profiles\w62tmcy2.default\

FF - prefs.js: browser.startup.homepage - hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1245961247&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx%3Fn%3D1086604798&lc=1033&id=64855&mkt=en-US

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\audiodg.exe

c:\windows\System32\wlanext.exe

c:\windows\System32\BCMWLTRY.EXE

c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe

c:\windows\System32\drivers\XAudio.exe

c:\windows\System32\igfxsrvc.exe

c:\program files\Windows Media Player\wmpnscfg.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\windows\System32\wbem\WMIADAP.exe

.

**************************************************************************

.

Completion time: 2009-09-28 15:26 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-28 19:26

ComboFix2.txt 2009-09-27 00:57

ComboFix3.txt 2009-09-26 18:45

ComboFix4.txt 2009-09-26 17:14

ComboFix5.txt 2009-09-28 19:08

Pre-Run: 162,232,328,192 bytes free

Post-Run: 162,239,815,680 bytes free

217 --- E O F --- 2009-09-28 16:11

Any help you could offer is greatly appreciated.

Regards,

Calabama

Link to post
Share on other sites

  • Staff

Hi,

Are you still having problems?

In either way, * Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

1) Please download this file

2) Place fr33.exe next to the exe file that doesn't want to run

3) Drag the exefile into fr33.exe. That shall free/unlock it.

Example how to do this (this is an example with malwarebytes exefile (mbam.exe).

Fr33_mbam.gif

You can do that with every exe file that cannot run.

Or, in case you want to know/interests you how to do this manually and take ownership of locked files, then please see here (XP/Vista) for more info. Note, on XP Home, the "Security" tab is only visible in Safe mode. In case there's no Security tab in XP Pro, then please see here (XP Pro

But not needed to do it manually if you use fr33.exe instead to "unlock" files. ;)

Extra note, did you create these folders (probably attempts to rename folders and files in order to run a certain program)?

2009-09-28 18:21 . 2009-09-28 19:02 -------- d-----w- c:\program files\green4

2009-09-28 18:19 . 2009-09-28 18:19 -------- d-----w- c:\program files\Search

2009-09-28 18:09 . 2009-09-28 18:09 -------- d-----w- c:\program files\green2

2009-09-28 17:55 . 2009-09-28 17:55 -------- d-----w- c:\program files\green

2009-09-28 17:51 . 2009-09-28 17:51 -------- d-----w- c:\program files\eea5

Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.