Cannot open MBAM on XP after fake virus trojan incursion


I occasionally get some Malware and have always been able to remove everything without assistance, but this one has me stumped. I had a bunch of .exe files appear and run themselves tonight. They appeared to have random names. I then received a typical fake virus checker window, which I closed. I rebooted and ran MBAM in safe mode. It found a few things and cleaned up:

HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.79,93.188.166.229 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce8b9f7f-8036-41d9-b0de-3f644b017594}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.79,93.188.166.229 -> Quarantined and deleted successfully.

I expected that to be the end of it.

However, upon rebooting into normal Windows XP I still could not start MBAM (though changing the .exe name allowed it to start), but when I go online my Antivirus (NOD v4) is blocking suspect IP addresses one after another and I can't go to the MBAM homepage (browser timeout). Running ipconfig returns no information so clearly something is mucking with my connection.

Did a full MBAM scan and AV scan. AV turned up nothing but MBAM found this:

C:\WINDOWS\system32\ernel32.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

Don't see anything obviously suspicious in HijackThis logs, but will post for others' perusal. Have noticed two iexplore.exe processes loitering and reappearing if I kill them, but that seems to have gone now. I apologize if my description of what I've done so far seems confusing. I didn't take careful notes on the process, but have some log files to go by.

Thanks in advance for any help,

Mike
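The MBAM log above shows the Trojan.DNSChanger entries living in the Tcpip\Parameters NameServer values (global and per-interface). The following is an added example, not part of this thread and not Malwarebytes' or ESET's own tooling: a PowerShell audit that reads those same registry locations and reports any resolver that is not on an allowlist you supply. It uses PowerShell 2.0 syntax so it runs on Windows XP SP3; the allowlist addresses in the default parameter are a constructed placeholder and should be replaced with your own router, ISP or corporate resolvers.

```powershell
# Added example (not from the thread): audit the registry keys MBAM flagged for
# Trojan.DNSChanger and report any configured DNS server not on an allowlist.
# Run in an elevated PowerShell on the affected machine. PowerShell 2.0 syntax
# (no [pscustomobject]) so it works on Windows XP SP3.
param(
    # Constructed placeholder allowlist; put your real resolvers here.
    [string[]]$AllowedDns = @('192.168.1.1', '8.8.8.8', '8.8.4.4')
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-NameServerEntries {
    # Collect NameServer and DhcpNameServer values from the global Parameters key
    # and from every per-adapter key under Interfaces\{GUID}. Windows stores
    # NameServer comma-separated and DhcpNameServer space-separated, so split on both.
    $keys = @($base)
    $keys += Get-ChildItem "$base\Interfaces" -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSPath }

    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($valueName in 'NameServer', 'DhcpNameServer') {
            $raw = $props.$valueName
            if (-not $raw) { continue }
            foreach ($ip in ($raw -split '[,\s]+' | Where-Object { $_ })) {
                New-Object PSObject -Property @{
                    Key    = $key
                    Value  = $valueName
                    Server = $ip
                }
            }
        }
    }
}

$entries = @(Get-NameServerEntries)
$suspect = @($entries | Where-Object { $AllowedDns -notcontains $_.Server })

if ($entries.Count -eq 0) {
    Write-Output 'No NameServer / DhcpNameServer values found in the Tcpip\Parameters keys.'
} elseif ($suspect.Count -gt 0) {
    Write-Warning ('{0} DNS server entries are not on the allowlist:' -f $suspect.Count)
    $suspect | Format-Table Server, Value, Key -AutoSize
} else {
    Write-Output 'All configured DNS servers are on the allowlist.'
}
```

On a machine in the state described above, the two addresses MBAM reported (93.188.164.79 and 93.188.166.229) would be listed under both the global NameServer value and the per-interface key. Re-running the audit after cleanup and a reboot confirms the values did not come back, which is a useful check given that the post reports the infection surviving a first cleaning pass.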

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 1:16:16 AM, on 7/20/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ANIWConnService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\PROGRA~1\CACHEM~1\CachemanXP.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program Files\MediaMall\MediaMallServer.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe

C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

C:\Program Files\D-Link\DWA-125 revA\AirGCFG.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\CoreTemp\Core Temp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\LaCie\Network Assistant\LaCie Network Assistant.exe

C:\Program Files\MediaMall\PlayOn.exe

C:\Program Files\LaCie\Genie Backup Assistant\GBMAgent.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Downloads\procexp.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam-.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Java

Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
