Jimmered Posted January 10, 2010 ID:182266 Share Posted January 10, 2010 I had responded to my own post twice so I combined them all here. Sorry for any confusion.Virus received today. I have Malware bytes on the computer but it is a copy from April /2009. When I try to go to the website and update it the virus pops up and gives me a error code 732(0,0). I did manage to get the Malwarebytes program open and scanned my computer it found 1 bug and deleted it but it was not related to this bug. I scanned agin (full) and it did not find anything. I can not get online using wirelss as the virus is blocking this. I can get online using a ethernet cable but I am still not able to update Malewarebytes. The virus has several popups, a blue security center screen, a small red and white antivirus sofwear alert and several others. When I try to go online or open Malwarebytes a windown opens that says application can not be excuted and then it will list one of several files and say they are infected. I am using my other computer to type this and this computer has a new version of Malwarebytes. Is there anyway to use a flash drive and put it on the other computer? I have hijack this on the computer also but the viruse will not allow me to open. Help! I fooled the virus and got a hijack this log onto a flash drive. So here it is!!Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:07:14 PM, on 1/9/2010Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Windows Defender\MsMpEng.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Intel\Wireless\Bin\S24EvMon.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Altiris\AClient\AClient.exeC:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exeC:\Program Files\Cisco Systems\VPN Client\cvpnd.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\WINDOWS\system32\IFXSPMGT.exeC:\WINDOWS\system32\IFXTCS.exeC:\Program Files\McAfee\Common Framework\FrameworkService.exeC:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exeC:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exeC:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXEC:\Program Files\Intel\Wireless\Bin\RegSrvc.exeC:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\AGRSMMSG.exeC:\WINDOWS\SMINST\Scheduler.exeC:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exeC:\Program Files\Analog Devices\Core\smax4pnp.exeC:\WINDOWS\system32\igfxtray.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\Program Files\Intel\Wireless\bin\ZCfgSvc.exeC:\Program Files\Intel\Wireless\Bin\ifrmewrk.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\WINDOWS\system32\igfxsrvc.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exeC:\Program Files\McAfee\Common Framework\udaterui.exeC:\Program Files\Windows Defender\MSASCui.exeC:\WINDOWS\system32\ICO.EXEC:\Documents and Settings\james.campbell\Local Settings\Application Data\mrvxtf\xhpgsysguard.exeC:\WINDOWS\system32\Pelmiced.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\McAfee\Common Framework\McTray.exeC:\Program Files\Microsoft ActiveSync\wcescomm.exeC:\PROGRA~1\MICROS~3\rapimgr.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\FinePixViewer\QuickDCF.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\WINDOWS\system32\wbem\wmiapsrv.exeC:\Program Files\Altiris\AClient\AClntUsr.exeC:\Program Files\HP\Digital Imaging\bin\hpqimzone.exeC:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exeC:\WINDOWS\System32\svchost.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.crossmark.com/R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dllO2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dllO4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exeO4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exeO4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exeO4 - HKLM\..\Run: [scheduler] C:\WINDOWS\SMINST\Scheduler.exeO4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXEO4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exeO4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logonO4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/WirelessO4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONEO4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUNO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [sprint SmartView] "C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe" -aO4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKeyO4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hideO4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -kO4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXEO4 - HKLM\..\Run: [hfgnpask] C:\Documents and Settings\james.campbell\Local Settings\Application Data\mrvxtf\xhpgsysguard.exeO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"O4 - HKCU\..\Run: [infuzer] C:\Program Files\Trondent Development Corp\Infuzer\Infuzer.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [hfgnpask] C:\Documents and Settings\james.campbell\Local Settings\Application Data\mrvxtf\xhpgsysguard.exeO4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exeO4 - Global Startup: Exif Launcher.lnk = ?O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exeO4 - Global Startup: Infuzer.lnk = ?O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dllO9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dllO9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dllO9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLLO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://connect.crossmark.com/CitrixSession...AWEB/icaweb.cabO16 - DPF: {51BB7DFD-A6F5-4FAC-B8C9-E71CF84D082C} (AeXNSConsoleContextHelp Class) - http://softwareportal.crossmark.internal.p...isNSConsole.cabO16 - DPF: {5554DCB0-700B-498D-9B58-4E40E5814405} (RSClientPrint 2008 Class) - http://danlink.crossmark.com/ReportServer/...ab&Arch=X86O16 - DPF: {5DC5B8C0-EB2F-4364-B316-F8290B72F172} (SetSurge.SetSurgeGrid) - https://danlink.crossmark.com/SalesTrakNG/s...etSurgeGrid.CABO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1190381818562O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cabO16 - DPF: {A37AE93D-FB6F-11D3-B4F5-00105AD25B03} (ReportTool.ReportDownloader) - http://vp.crossmark.com/SalesTrakNG/Utils/.../ReportTool.CABO16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://finepix.digitalcameradeveloping.com...ploadClient.cabO16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://crossmark.webex.com/client/wbs26-vz...bex/ieatgpc.cabO16 - DPF: {FA91DF8D-53AB-455D-AB20-F2F023E498D3} (RSClientPrint Class) - http://stngreports.crossmark.com/ReportSer...clientprint.cabO17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CROSSMARK.INTERNAL.PVTO17 - HKLM\Software\..\Telephony: DomainName = CROSSMARK.INTERNAL.PVTO17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CROSSMARK.INTERNAL.PVTO18 - Filter hijack: text/html - {03acf174-0315-49ca-b684-47d9908c66ee} - C:\WINDOWS\system32\xwreg32.dllO23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exeO23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exeO23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exeO23 - Service: Intel Link to post Share on other sites More sharing options...
Staff miekiemoes Posted January 11, 2010 Staff ID:182785 Share Posted January 11, 2010 Hi,The reason why Malwarebytes and other programs won't update is because you have a malicious proxy set here.Open HijackThis, click scan and check and fix the following entry:R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555Click the fix checked button below.Then, Open Internet Explorer: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" and check to "Automatically detect settings".In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.Then, update malwarebytes.Start MalwareBytes and click the Update tab. There click "Check for updates"Once the updates are downloaded, perform a quick scan again.The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.Extra Note:If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly. Link to post Share on other sites More sharing options...
Staff miekiemoes Posted January 16, 2010 Staff ID:184889 Share Posted January 16, 2010 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts