ecgruen Posted December 22, 2009 ID:174036 Share Posted December 22, 2009 I can't get Malwarebytes to run and when I ran Root Repeal I was unsure of what to remove, please help. Here is a copy of my log.ROOTREPEAL © AD, 2007-2009==================================================Scan Start Time: 2009/12/22 08:26Program Version: Version 1.3.5.0Windows Version: Windows XP Media Center Edition SP3==================================================Hidden/Locked Files-------------------Path: C:\WINDOWS\system32\H8SRThbobqaqpui.datStatus: Invisible to the Windows API!Path: C:\WINDOWS\system32\H8SRTlamycirftq.dllStatus: Invisible to the Windows API!Path: C:\WINDOWS\system32\H8SRTurqhtiqrjx.dllStatus: Invisible to the Windows API!Path: C:\WINDOWS\Temp\H8SRTb9da.tmpStatus: Invisible to the Windows API!Path: C:\WINDOWS\system32\drivers\H8SRTeppjovhowi.sysStatus: Invisible to the Windows API!Path: C:\Documents and Settings\Administrator\Local Settings\Temp\~DF3A0A.tmpStatus: Invisible to the Windows API!Path: C:\Documents and Settings\Administrator\Local Settings\Temp\~DF3A15.tmpStatus: Invisible to the Windows API!Path: C:\Documents and Settings\Administrator\Local Settings\Temp\~DF5132.tmpStatus: Invisible to the Windows API!Path: C:\Documents and Settings\Administrator\Local Settings\Temp\~DF5137.tmpStatus: Invisible to the Windows API!Path: C:\Documents and Settings\Administrator\Local Settings\Temp\~DF518A.tmpStatus: Invisible to the Windows API!Path: C:\Documents and Settings\Administrator\Local Settings\Temp\~DF518F.tmpStatus: Invisible to the Windows API!Path: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFAAFD.tmpStatus: Visible to the Windows API, but not on disk.Path: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFABBD.tmpStatus: Visible to the Windows API, but not on disk.Path: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFC2AC.tmpStatus: Visible to the Windows API, but not on disk.Path: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFC2B1.tmpStatus: Visible to the Windows API, but not on disk.Path: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFC304.tmpStatus: Visible to the Windows API, but not on disk.Path: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFC309.tmpStatus: Visible to the Windows API, but not on disk.Path: C:\Documents and Settings\Michael Nelson\Local Settings\Temp\H8SRTc34b.tmpStatus: Invisible to the Windows API!Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\K10AKRZG\ac[9].htmStatus: Visible to the Windows API, but not on disk. Link to post Share on other sites More sharing options...
ecgruen Posted December 22, 2009 Author ID:174058 Share Posted December 22, 2009 Not sure if this info is needed but the program I am trying to get rid of is Malware Defense. I ran Root Repeal again and got this log:ROOTREPEAL © AD, 2007-2009==================================================Scan Start Time: 2009/12/22 09:56Program Version: Version 1.3.5.0Windows Version: Windows XP Media Center Edition SP3==================================================Hidden/Locked Files-------------------Path: C:\hiberfil.sysStatus: Locked to the Windows API!Path: C:\WINDOWS\system32\H8SRThbobqaqpui.datStatus: Invisible to the Windows API!Path: C:\WINDOWS\system32\H8SRTlamycirftq.dllStatus: Invisible to the Windows API!Path: C:\WINDOWS\system32\H8SRTurqhtiqrjx.dllStatus: Invisible to the Windows API!Path: C:\WINDOWS\Temp\H8SRT58f8.tmpStatus: Invisible to the Windows API!Path: C:\WINDOWS\system32\drivers\H8SRTeppjovhowi.sysStatus: Invisible to the Windows API!Path: c:\documents and settings\michael nelson\local settings\temp\~dfc5b0.tmpStatus: Allocation size mismatch (API: 16384, Raw: 0)Path: c:\documents and settings\michael nelson\local settings\temp\~df8500.tmpStatus: Allocation size mismatch (API: 16384, Raw: 0)Path: C:\Documents and Settings\Michael Nelson\Local Settings\Temp\H8SRTc34b.tmpStatus: Invisible to the Windows API! Link to post Share on other sites More sharing options...
Staff screen317 Posted December 27, 2009 Staff ID:175655 Share Posted December 27, 2009 Hi,Remove these with RootRepeal:Path: C:\WINDOWS\system32\H8SRThbobqaqpui.datStatus: Invisible to the Windows API!Path: C:\WINDOWS\system32\H8SRTlamycirftq.dllStatus: Invisible to the Windows API!Path: C:\WINDOWS\system32\H8SRTurqhtiqrjx.dllStatus: Invisible to the Windows API!Path: C:\WINDOWS\Temp\H8SRT58f8.tmpStatus: Invisible to the Windows API!Path: C:\WINDOWS\system32\drivers\H8SRTeppjovhowi.sysStatus: Invisible to the Windows API!Path: c:\documents and settings\michael nelson\local settings\temp\~dfc5b0.tmpStatus: Allocation size mismatch (API: 16384, Raw: 0)Path: c:\documents and settings\michael nelson\local settings\temp\~df8500.tmpStatus: Allocation size mismatch (API: 16384, Raw: 0)Path: C:\Documents and Settings\Michael Nelson\Local Settings\Temp\H8SRTc34b.tmpStatus: Invisible to the Windows API!Next, try to run a Quick Scan with MBAM; post its log.-screen317 Link to post Share on other sites More sharing options...
ecgruen Posted December 27, 2009 Author ID:175883 Share Posted December 27, 2009 Thanks for the help, here is my log.Malwarebytes' Anti-Malware 1.42Database version: 3289Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.1870212/27/2009 2:09:57 AMmbam-log-2009-12-27 (02-09-57).txtScan type: Full Scan (C:\|D:\|)Objects scanned: 236892Time elapsed: 53 minute(s), 22 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 2Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 9Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\h8srtd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\Documents and Settings\Michael Nelson\Local Settings\Temp\pdfupd.exe (Spyware.Passwords) -> Quarantined and deleted successfully.C:\Documents and Settings\Michael Nelson\Local Settings\Temporary Internet Files\Content.IE5\N4SNI3F8\ms307[1].exe (Spyware.Passwords) -> Quarantined and deleted successfully.C:\WINDOWS\system32\H8SRTlamycirftq.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.C:\WINDOWS\system32\H8SRTurqhtiqrjx.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.C:\WINDOWS\system32\H8SRThbobqaqpui.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.C:\WINDOWS\system32\drivers\H8SRTeppjovhowi.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.C:\WINDOWS\Temp\H8SRT1c6c.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.C:\WINDOWS\Temp\H8SRTe520.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.C:\Documents and Settings\Michael Nelson\Local Settings\Temp\H8SRTc34b.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully. Link to post Share on other sites More sharing options...
Staff screen317 Posted December 28, 2009 Staff ID:176434 Share Posted December 28, 2009 Hi,Your MBAM database is outdated. Update it, then run another Quick Scan, and post its log.Next, please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofixWhen the tool is finished, it will produce a report for you.Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.-screen317 Link to post Share on other sites More sharing options...
ecgruen Posted December 30, 2009 Author ID:177097 Share Posted December 30, 2009 Hi, here are my logs.ComboFix 09-12-29.04 - Michael Nelson 12/29/2009 20:11:06.1.1 - x86Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1510 [GMT -6:00]Running from: c:\documents and settings\Michael Nelson\My Documents\Downloads\ComboFix.exe.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnkc:\windows\kb913800.exec:\windows\system32\srcr.datD:\Autorun.inf.((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 ))))))))))))))))))))))))))))))).2009-12-22 19:13 . 2009-12-22 19:13 -------- d-----w- c:\program files\Ericprotection2009-12-22 17:15 . 2009-12-22 17:15 -------- d-----w- c:\documents and settings\Michael Nelson\Local Settings\Application Data\Threat Expert2009-12-22 15:31 . 2009-12-22 15:31 0 ----a-w- c:\documents and settings\Michael Nelson\settings.dat2009-12-22 13:33 . 2009-12-22 13:33 0 ----a-w- c:\documents and settings\Administrator\settings.dat2009-12-22 13:18 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2009-12-22 13:18 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys2009-12-22 13:10 . 2009-12-22 13:10 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla2009-12-22 05:15 . 2009-12-22 05:15 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache2009-12-15 16:20 . 2009-12-15 16:20 147456 ----a-w- c:\documents and settings\Michael Nelson\Application Data\Absolute Poker\DownLoadInst\liveupdate.exe2009-12-15 14:42 . 2009-12-15 14:46 -------- dc-h--w- c:\windows\ie82009-12-12 00:38 . 2009-12-12 00:38 0 ----a-w- c:\windows\nsreg.dat2009-12-12 00:38 . 2009-12-12 00:38 -------- d-----w- c:\documents and settings\Michael Nelson\Local Settings\Application Data\Mozilla2009-12-10 16:46 . 2009-12-10 16:46 -------- d-----w- c:\documents and settings\Michael Nelson\Application Data\Malwarebytes2009-12-10 15:02 . 2009-12-10 15:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes2009-12-10 15:02 . 2009-12-22 19:05 -------- d-----w- c:\program files\ERICS2009-12-10 15:02 . 2009-12-10 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes2009-12-10 09:35 . 2009-12-10 09:35 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache2009-12-10 09:35 . 2009-12-10 09:35 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE2009-12-10 09:28 . 2009-12-10 09:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools2009-12-10 09:14 . 2009-12-10 09:14 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache2009-12-10 07:59 . 2009-12-10 16:43 -------- d-----w- c:\documents and settings\Michael Nelson\Local Settings\Application Data\hqinwo2009-12-04 09:14 . 2009-12-04 09:14 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-12-29 18:23 . 2008-01-02 00:34 664 ----a-w- c:\windows\system32\d3d9caps.dat2009-12-22 17:44 . 2009-08-06 20:14 -------- d-----w- c:\program files\Common Files\PC Tools2009-12-22 17:44 . 2009-08-06 20:14 -------- d-----w- c:\program files\PC Tools AntiVirus2009-12-22 17:43 . 2009-08-06 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools2009-12-22 17:42 . 2007-07-21 03:18 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP2009-12-22 05:54 . 2009-01-12 16:11 -------- d-----w- c:\program files\Absolute Poker2009-12-22 05:54 . 2006-10-17 16:03 -------- d-----w- c:\program files\Full Tilt Poker2009-12-20 20:12 . 2009-02-18 14:50 -------- d-----w- c:\program files\Poker Tracker Omaha2009-12-15 16:18 . 2009-11-16 21:45 -------- d-----w- c:\documents and settings\Michael Nelson\Application Data\Absolute Poker2009-12-10 12:24 . 2006-02-17 08:54 -------- d-----w- c:\program files\music_now2009-11-26 05:34 . 2009-06-01 21:16 -------- d-----w- c:\program files\Bodog Poker2009-11-26 05:29 . 2009-01-06 20:07 -------- d-----w- c:\program files\Cake Poker2009-11-19 14:43 . 2009-11-19 01:42 231639 ----a-w- c:\windows\hpoins30.dat2009-11-19 01:43 . 2009-11-19 01:43 -------- d-----w- c:\program files\Common Files\Hewlett-Packard2009-11-16 21:48 . 2009-11-16 21:48 147456 ----a-w- c:\documents and settings\Michael Nelson\Application Data\Absolute Poker\DownLoad\liveupdate.exe2009-11-16 18:57 . 2006-06-25 22:44 -------- d-----w- c:\program files\Spybot - Search & Destroy2009-11-10 15:43 . 2006-12-24 02:29 -------- d-----w- c:\program files\PokerStars2009-10-30 03:48 . 2009-10-30 03:48 133684 ----a-r- c:\documents and settings\Michael Nelson\Application Data\Microsoft\Installer\{D861E896-1511-4893-A26A-E21F44EC569C}\_9FE4A91DA2970CFCECA6D1.exe2009-10-30 03:48 . 2009-10-30 03:48 133684 ----a-r- c:\documents and settings\Michael Nelson\Application Data\Microsoft\Installer\{D861E896-1511-4893-A26A-E21F44EC569C}\_366F0F0841AEEA9AD4B6BB.exe2009-10-30 03:48 . 2009-10-30 03:48 10134 ----a-r- c:\documents and settings\Michael Nelson\Application Data\Microsoft\Installer\{D861E896-1511-4893-A26A-E21F44EC569C}\_6FEFF9B68218417F98F549.exe2009-10-29 07:45 . 2004-08-10 15:00 916480 ----a-w- c:\windows\system32\wininet.dll2009-10-21 05:38 . 2004-08-10 15:00 75776 ----a-w- c:\windows\system32\strmfilt.dll2009-10-21 05:38 . 2004-08-10 15:00 25088 ----a-w- c:\windows\system32\httpapi.dll2009-10-20 16:20 . 2004-08-10 15:00 265728 ------w- c:\windows\system32\drivers\http.sys2009-10-13 10:30 . 2004-08-10 15:00 270336 ----a-w- c:\windows\system32\oakley.dll2009-10-12 13:38 . 2004-08-10 15:00 149504 ----a-w- c:\windows\system32\rastls.dll2009-10-12 13:38 . 2004-08-10 15:00 79872 ----a-w- c:\windows\system32\raschap.dll2006-09-20 06:01 . 2006-09-20 06:01 22 -csha-w- c:\windows\SMINST\HPCD.sys.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 68856]"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Malwarebytes' Anti-Malware 1.42Database version: 3450Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.1870212/29/2009 1:17:01 PMmbam-log-2009-12-29 (13-17-01).txtScan type: Full Scan (C:\|D:\|)Objects scanned: 240339Time elapsed: 1 hour(s), 13 minute(s), 31 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 2Registry Values Infected: 1Registry Data Items Infected: 0Folders Infected: 0Files Infected: 7Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\richtx64.exe (Trojan.Agent) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\Documents and Settings\Michael Nelson\Local Settings\Temporary Internet Files\Content.IE5\TF9V0UN9\eH90ead3a1V03006f35002R383b7f19102Tdbda8607Q000002fa900807F0020000aJ07000601l0409316P000001070[1] (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP621\A0452517.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP621\A0452518.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP621\A0452519.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.C:\Documents and Settings\Michael Nelson\Desktop\Malware Defense.lnk (Rogue.MalwareDefense) -> Quarantined and deleted successfully.C:\Documents and Settings\Michael Nelson\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Defense.lnk (Rogue.MalwareDefense) -> Quarantined and deleted successfully. Link to post Share on other sites More sharing options...
Staff screen317 Posted December 31, 2009 Staff ID:177975 Share Posted December 31, 2009 Hi,Please update MBAM, run a Quick Scan, then post its log.Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.Click Start Scanning.You should get a notification bar (on top) to install the ActiveX control. Click on it and select to install the ActiveX.Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.In case you are having problems with installing the ActiveX/starting the scan, please read here.Click the Full System Scan button.It will start to download scanner components and databases. This can take a while.The main scan will start.Once the scan has finished scanning, click the Automatic cleaning (recommended) buttonIt could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.The cleaning can take a while, so please be patient.Then click the Show report button and Copy/Paste what is present under results in your next reply.Next, download my Security Check from here or here.Save it to your Desktop.Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.A Notepad document should open automatically called checkup.txt; please post the contents of that document.Let me know how things are running now and what issues remain.-screen317 Link to post Share on other sites More sharing options...
Staff screen317 Posted January 20, 2010 Staff ID:186751 Share Posted January 20, 2010 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts