iut044 Posted July 26, 2010 ID:290928 Share Posted July 26, 2010 ran malwarebytes Malwarebytes' Anti-Malware 1.46www.malwarebytes.orgDatabase version: 4356Windows 6.1.7600Internet Explorer 8.0.7600.1638526/07/2010 23:49:41mbam-log-2010-07-26 (23-49-41).txtScan type: Full scan (C:\|)Objects scanned: 245519Time elapsed: 33 minute(s), 11 second(s)Memory Processes Infected: 2Memory Modules Infected: 1Registry Keys Infected: 2Registry Values Infected: 4Registry Data Items Infected: 0Folders Infected: 1Files Infected: 19Memory Processes Infected:C:\Users\iut044\AppData\Roaming\6C636E26DFBB038B858A0E6E4AFDD6A0\releaseversion70700.exe (Trojan.Agent.Gen) -> Unloaded process successfully.C:\Users\iut044\AppData\Roaming\SystemProc\lsass.exe (Trojan.Agent) -> Unloaded process successfully.Memory Modules Infected:C:\Users\iut044\AppData\Local\wmatetac.dll (Trojan.Hiloti) -> Delete on reboot.Registry Keys Infected:HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\releaseversion70700.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yxuvey (Trojan.Hiloti) -> Delete on reboot.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hbhvuuid (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\growedidayiyukej (Trojan.Agent.U) -> Delete on reboot.Registry Data Items Infected:(No malicious items detected)Folders Infected:C:\Users\iut044\AppData\Roaming\SystemProc (Trojan.Agent) -> Quarantined and deleted successfully.Files Infected:C:\Users\iut044\AppData\Roaming\6C636E26DFBB038B858A0E6E4AFDD6A0\releaseversion70700.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.C:\Users\iut044\AppData\Local\wmatetac.dll (Trojan.Hiloti) -> Delete on reboot.C:\Users\iut044\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CUN0ZKK4\aaidkfmhfa[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.C:\Users\iut044\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EXHHVM0L\sjnvpnidk[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.C:\Users\iut044\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCD32U9C\jaucnvc[1].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.C:\Users\iut044\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X8J3RYI0\cgxvqksq[1].htm (Adware.BHO) -> Quarantined and deleted successfully.C:\Users\iut044\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X8J3RYI0\imhbjepxrz[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.C:\Users\iut044\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X8J3RYI0\releaseversion70700[1].exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.C:\Users\iut044\AppData\Local\Temp\674c5ea6.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.C:\Users\iut044\AppData\Local\Temp\creg.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.C:\Users\iut044\AppData\Local\Temp\pmqtt.exe (Adware.BHO) -> Quarantined and deleted successfully.C:\Users\iut044\AppData\Local\Temp\ukdoi.exe (Trojan.Dropper) -> Quarantined and deleted successfully.C:\Users\iut044\AppData\Roaming\SystemProc\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\Users\iut044\AppData\Roaming\SystemProc\upd.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\Users\iut044\Desktop\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.C:\Users\iut044\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.C:\Users\iut044\AppData\Roaming\Microsoft\Windows\Start Menu\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.C:\Users\iut044\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.C:\Users\iut044\AppData\Local\edosucefuheli.dll (Trojan.Agent.U) -> Delete on reboot.I got 2 dll errors here is hijack after the scan Logfile of Trend Micro HijackThis v2.0.4Scan saved at 00:16:25, on 27/07/2010Platform: Windows 7 (WinNT 6.00.3504)MSIE: Internet Explorer v8.00 (8.00.7600.16385)Boot mode: NormalRunning processes:c:\PROGRA~2\mcafee.com\agent\mcagent.exeC:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exeC:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exeC:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exeC:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exeC:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exeC:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exeC:\Program Files (x86)\Java\jre6\bin\jusched.exeC:\Program Files (x86)\Windows Live\Contacts\wlcomm.exeC:\Program Files (x86)\Mozilla Firefox\firefox.exeC:\Program Files (x86)\Mozilla Firefox\plugin-container.exeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exeC:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/USCON/2R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/USCON/2R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htmR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllO2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~2\mcafee\msk\mskapbho.dllO2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dllO2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\McAfee\VirusScan\scriptsn.dllO2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dllO2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dllO3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dllO4 - HKLM\..\Run: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRunO4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /mO4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"O4 - HKLM\..\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files (x86)\McAfee.com\Agent\mcagent.exe" /runkeyO4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenterO4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /backgroundO4 - HKCU\..\Run: [spark] C:\Program Files (x86)\Spark\Spark.exeO4 - HKCU\..\Run: [Google Update] "C:\Users\iut044\AppData\Local\Google\Update\GoogleUpdate.exe" /cO4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exeO4 - Global Startup: McAfee Security Scan Plus.lnk = ?O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXEO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dllO9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8 Link to post Share on other sites More sharing options...
iut044 Posted July 26, 2010 Author ID:290932 Share Posted July 26, 2010 cancel the bit about .dll errors was only on the first boot after malwarebytes scan Link to post Share on other sites More sharing options...
Staff screen317 Posted August 5, 2010 Staff ID:295915 Share Posted August 5, 2010 Hi and welcome to Malwarebytes.My apologies for the extended delay. Do you still need help? Link to post Share on other sites More sharing options...
Staff screen317 Posted August 29, 2010 Staff ID:306329 Share Posted August 29, 2010 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts