Reagan72

Can't use task manager


I was able to remove Norton with their Norton Removal Tool, which I downloaded from their site, and ran GMER.

Here is the log:

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2008-08-24 13:32:42

Windows 5.1.2600 Service Pack 1

---- System - GMER 1.0.14 ----

SSDT HBKernel.sys ZwCreateThread [0xF9ED367F]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\HBKernel.sys The process cannot access the file because it is being used by another process.

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\System32\dllcache\wintcps.exe[268] ADVAPI32.dll!CreateServiceA 77E28B02 5 Bytes JMP 001354A7

.text C:\WINDOWS\system32\services.exe[544] ADVAPI32.dll!CreateServiceA 77E28B02 5 Bytes JMP 000754A7

.text C:\WINDOWS\system32\lsass.exe[556] ADVAPI32.dll!CreateServiceA 77E28B02 5 Bytes JMP 000754A7

.text C:\WINDOWS\system32\svchost.exe[720] ADVAPI32.dll!CreateServiceA 77E28B02 5 Bytes JMP 000754A7

.text C:\WINDOWS\System32\svchost.exe[772] ADVAPI32.dll!CreateServiceA 77E28B02 5 Bytes JMP 000754A7

.text ...

---- EOF - GMER 1.0.14 ----


Can you try uploading this file to the site I asked you to upload a few posts ago:

C:\WINDOWS\System32\dllcache\wintcps.exe


Aye... HBKERNEL.SYS, I suspected as much...

You have a rootkit present.

Using GMER, can you navigate to the windows\system32\drivers folder, copy hbkernel.sys to another filename and upload that?

I can develop a definition to remove the little bastard.

Done, and done.

Thank you both.

SORRY IT TOOK ME SO LONG TO RESPOND

File confirmed to be a rooter. Specifically it's another OnlineGames variant. I have submitted new def information which should eliminate this particular variant. Thank you for submitting it.


No problem, thank you.

But where does that leave me? And should I delete that file now?


With any luck, defs released tomorrow may remove the beast. Go ahead and delete the copy.


Thanks,

No luck deleting the file; when I try, I get an error message that says it is being used by another person or program.

Is there another way to get rid of it?


Update MBAM: click the Update tab and hit the Update button. Then scan your computer again and report back your results.


Malwarebytes' Anti-Malware 1.25

Database version: 1093

Windows 5.1.2600 Service Pack 1

9:25:26 PM 8/28/2008

mbam-log-08-28-2008 (21-25-21).txt

Scan type: Quick Scan

Objects scanned: 44759

Time elapsed: 4 minute(s), 36 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 11

Registry Values Infected: 5

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 16

Memory Processes Infected:

C:\WINDOWS\system32\drivers\services.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\TypeLib\{6d4c7e08-e021-414c-a42d-ab15a2302196} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{deef6582-9927-4cbd-897c-6a1f9e8c47de} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj.1 (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{da191de0-aa86-4ed0-4b87-292a3d48be99} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{da1de019-a6a8-ed40-4b87-248b2a93de99} (Trojan.Small) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hbkernel (Rootkit.OnlineGames) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hbkernel (Rootkit.OnlineGames) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hbkernel (Rootkit.OnlineGames) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\thunderadvise (Trojan.BHO) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\desktopwin (Trojan.BHO) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\sysocmgr (Trojan.Small) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3PMmUpdate (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Heuristics.Reserved.Word.Exploit) -> Data: system32\drivers\services.exe -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe %WINDIR%\system32\drivers\services.exe) Good: (Explorer.exe) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (Trojan.BHO) -> No action taken.

C:\WINDOWS\AppPatch\DesktopWin.dll (Trojan.BHO) -> No action taken.

C:\WINDOWS\linkinfo.dll (Trojan.Downloader) -> No action taken.

C:\WINDOWS\sysocmgr.dll (Trojan.Small) -> No action taken.

C:\WINDOWS\system32\biroas.dll (Spyware.OnlineGames) -> No action taken.

C:\WINDOWS\system32\cmbdaf.dll (Trojan.OnlineGames) -> No action taken.

C:\WINDOWS\system32\hvexalt.dll (Spyware.OnLineGames) -> No action taken.

C:\WINDOWS\system32\johandy.dll (Spyware.OnlineGames) -> No action taken.

C:\WINDOWS\system32\drivers\cdralw.sys (Trojan.Alman) -> No action taken.

C:\g3g6r8w3c2f7.exe (Trojan.Unclassified) -> No action taken.

C:\WINDOWS\Temp\wmsetup.dll (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\FPQUV560\c12345[1].jpg (Trojan.Unclassified) -> No action taken.

C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Local Settings\Temporary Internet Files\Content.IE5\WPUNODEJ\c12345[1].jpg (Trojan.Unclassified) -> No action taken.

C:\WINDOWS\Update.dll (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\drivers\services.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\WINDOWS\system32\drivers\HBKernel.sys (Rootkit.OnlineGames) -> No action taken.


Excellent. Go ahead and allow MBAM to remove the selected items to quarantine, and let's see how your computer does.

After rebooting, post a fresh HijackThis log and MBAM log, please.


Thanks,

Sorry, I didn't delete those, but I did a new full scan and came up with this:

Malwarebytes' Anti-Malware 1.25

Database version: 1093

Windows 5.1.2600 Service Pack 1

3:36:06 PM 8/29/2008

mbam-log-08-29-2008 (15-35-46).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 153677

Time elapsed: 41 minute(s), 59 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 1

Registry Keys Infected: 11

Registry Values Infected: 5

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 19

Memory Processes Infected:

C:\WINDOWS\system32\drivers\services.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

Memory Modules Infected:

C:\WINDOWS\linkinfo.dll (Trojan.Downloader) -> No action taken.

Registry Keys Infected:

HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\TypeLib\{6d4c7e08-e021-414c-a42d-ab15a2302196} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{deef6582-9927-4cbd-897c-6a1f9e8c47de} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj.1 (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{da191de0-aa86-4ed0-4b87-292a3d48be99} (Trojan.BHO) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{da1de019-a6a8-ed40-4b87-248b2a93de99} (Trojan.Small) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hbkernel (Rootkit.OnlineGames) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hbkernel (Rootkit.OnlineGames) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hbkernel (Rootkit.OnlineGames) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\thunderadvise (Trojan.BHO) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\desktopwin (Trojan.BHO) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\sysocmgr (Trojan.Small) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3PMmUpdate (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Heuristics.Reserved.Word.Exploit) -> Data: system32\drivers\services.exe -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe %WINDIR%\system32\drivers\services.exe) Good: (Explorer.exe) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (Trojan.BHO) -> No action taken.

C:\WINDOWS\AppPatch\DesktopWin.dll (Trojan.BHO) -> No action taken.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\FPQUV560\c12345[1].jpg (Trojan.Unclassified) -> No action taken.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NOHF7QFU\abb[1].gif (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NOHF7QFU\update[2].gif (Spyware.OnlineGames) -> No action taken.

C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP5\A0009900.sys (Trojan.Alman) -> No action taken.

C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP5\A0009936.exe (Trojan.Unclassified) -> No action taken.

C:\WINDOWS\linkinfo.dll (Trojan.Downloader) -> No action taken.

C:\WINDOWS\sysocmgr.dll (Trojan.Small) -> No action taken.

C:\WINDOWS\system32\biroas.dll (Spyware.OnlineGames) -> No action taken.

C:\WINDOWS\system32\cmbdaf.dll (Trojan.OnlineGames) -> No action taken.

C:\WINDOWS\system32\hvexalt.dll (Spyware.OnLineGames) -> No action taken.

C:\WINDOWS\system32\johandy.dll (Spyware.OnlineGames) -> No action taken.

C:\WINDOWS\system32\drivers\cdralw.sys (Trojan.Alman) -> No action taken.

C:\WINDOWS\Temp\wmsetup.dll (Trojan.Downloader) -> No action taken.

C:\_OTMoveIt\MovedFiles\08242008_001454\w3l8t1y1y8g8.exe (Trojan.Unclassified) -> No action taken.

C:\WINDOWS\Update.dll (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\drivers\services.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:\WINDOWS\system32\drivers\HBKernel.sys (Rootkit.OnlineGames) -> No action taken.

Deleted these and will post new logs shortly.

Thanks.


HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:46:41 PM, on 8/29/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials_.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/yessentials_...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/redirect...c02&lc=0409

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O1 - Hosts: 127.0.0.3 adlaji.cn

O1 - Hosts: 127.0.0.l www.xxie.net

O1 - Hosts: 127.0.01 www.gfrgfrsa.cn

O1 - Hosts: 202.165.102.205 972.aksjd11.com

O1 - Hosts: 202.165.102.205 w3og.cn

O1 - Hosts: 203.208.35.100 qazc.fourtw.cn

O1 - Hosts: 203.208.35.100 www.aujoy.cn

O1 - Hosts: 203.208.35.101 www.hao601.cn

O1 - Hosts: 203.208.35.101 www.psp476.cn

O1 - Hosts: 72.14.235.99 222.1212l112.net

O1 - Hosts: 72.14.235.99 444.1212l112.netn

O1 - Hosts: 72.14.235.99 555.1212l112.net

O1 - Hosts: 72.14.235.99 111.1212l112.net

O1 - Hosts: 65.55.21.250 111.3243l24.com

O1 - Hosts: 65.55.21.250 222.3243l24.com

O1 - Hosts: 65.55.21.250 333.3243l24.com

O1 - Hosts: 125.64.8.112 kao2.gmwo03.com

O1 - Hosts: 125.64.8.112 kao.gmwo06.com

O1 - Hosts: 125.64.8.112 444.gmwo07.com

O1 - Hosts: 116.252.185.15 ru.update365.us

O1 - Hosts: 116.252.185.15 ad.update365.us

O1 - Hosts: 207.46.232.182 popmails.net

O1 - Hosts: 203.208.37.99 3.goodhh.com

O1 - Hosts: 220.181.37.55 down.rwixr.com

O1 - Hosts: 160.79.42.52 www.xdj2008.com

O1 - Hosts: 63.175.76.152 www.revtr.cn

O1 - Hosts: 219.133.40.91 qq.ljsll.com

O1 - Hosts: 203.208.35.102 www.aassccwe.cn

O1 - Hosts: 209.132.177.50 973.aksjd11.com

O1 - Hosts: 209.132.177.50 974.aksjd11.com

O1 - Hosts: 209.132.177.50 971.aksjd11.com

O1 - Hosts: 209.132.177.50 975.aksjd11.com

O1 - Hosts: 72.14.235.104 user1.12-39.net

O1 - Hosts: 72.14.235.147 www.infomt.net

O1 - Hosts: 192.150.18.101 ata1.sysions.net

O1 - Hosts: 192.150.18.101 ata2.sysions.net

O1 - Hosts: 192.150.18.101 ata3.sysions.net

O1 - Hosts: 192.150.18.101 ata4.sysions.net

O1 - Hosts: 193.120.42.226 8nnnnn99.cn

O1 - Hosts: 24.39.54.34 www.haoaoao.cn

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [HBService] explore.exe

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [NMBgMonitor.exe] C:\WINDOWS\system32\NMBgMonitor.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O20 - AppInit_DLLs: aaa.dllHBmhly.dll

O21 - SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - C:\Program Files\Messenger\msgmr.dll

O21 - SSODL: comuidsg.dll - {898E02AB-9372-4a2c-9C4A-FFE1AF61097F} - C:\WINDOWS\System32\comuidsg.dll

O21 - SSODL: lweurqhx.dll - {71A78CD4-E470-4a18-8457-E0E0283DD507} - C:\WINDOWS\System32\lweurqhx.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\qxchost.exe

O23 - Service: Microsoft Windows TCP Protocol - Unknown owner - C:\WINDOWS\System32\dllcache\wintcps.exe

O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 6300 bytes

MBAM LOG:

Malwarebytes' Anti-Malware 1.25

Database version: 1093

Windows 5.1.2600 Service Pack 1

4:36:48 PM 8/29/2008

mbam-log-08-29-2008 (16-36-38).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 154018

Time elapsed: 41 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 10

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hbkernel (Rootkit.OnlineGames) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hbkernel (Rootkit.OnlineGames) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Avenger\linkinfo.dll (Trojan.Downloader) -> No action taken.

C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP5\A0010055.dll (Trojan.Downloader) -> No action taken.

C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP5\A0010056.dll (Trojan.Small) -> No action taken.

C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP5\A0010057.dll (Spyware.OnlineGames) -> No action taken.

C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP5\A0010058.dll (Trojan.OnlineGames) -> No action taken.

C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP5\A0010059.dll (Spyware.OnLineGames) -> No action taken.

C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP5\A0010060.dll (Spyware.OnlineGames) -> No action taken.

C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP5\A0010061.exe (Trojan.Unclassified) -> No action taken.

C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP5\A0011065.dll (Trojan.Downloader) -> No action taken.

C:\WINDOWS\system32\drivers\HBKernel.sys (Rootkit.OnlineGames) -> No action taken.


AFTER ATTEMPTING TO DELETE THOSE INFECTED I CAME UP WITH THIS:

Malwarebytes' Anti-Malware 1.25

Database version: 1093

Windows 5.1.2600 Service Pack 1

4:38:27 PM 8/29/2008

mbam-log-08-29-2008 (16-38-27).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 154018

Time elapsed: 41 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 10

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hbkernel (Rootkit.OnlineGames) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hbkernel (Rootkit.OnlineGames) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Avenger\linkinfo.dll (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP5\A0010055.dll (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP5\A0010056.dll (Trojan.Small) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP5\A0010057.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP5\A0010058.dll (Trojan.OnlineGames) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP5\A0010059.dll (Spyware.OnLineGames) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP5\A0010060.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP5\A0010061.exe (Trojan.Unclassified) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-49321DAD0241}\RP5\A0011065.dll (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\HBKernel.sys (Rootkit.OnlineGames) -> Delete on reboot.


You must allow the machine to start in normal mode when MBAM wants to perform a restart. You did not do this with your HijackThis log. Please go ahead, select remove and reboot your computer normally.

I will require new logs from MBAM and HJT in normal mode.


Very well, sorry.

MBAM:

Malwarebytes' Anti-Malware 1.25

Database version: 1096

Windows 5.1.2600 Service Pack 1

10:22:34 PM 8/29/2008

mbam-log-08-29-2008 (22-22-34).txt

Scan type: Quick Scan

Objects scanned: 47681

Time elapsed: 7 minute(s), 53 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

c:\g3g6r8w3c2f7.exe (Trojan.Unclassified) -> Failed to unload process.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\g3g6r8w3c2f7.exe (Trojan.Unclassified) -> Delete on reboot.

C:\WINDOWS\linkinfo.dll (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\system32\drivers\cdralw.sys (Trojan.Alman) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\RQ30480B\c12345[1].jpg (Trojan.Unclassified) -> Quarantined and deleted successfully.

HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:27:44 PM, on 8/29/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\System32\explore.exe

C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

C:\WINDOWS\system32\NMBgMonitor.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\dllcache\qxchost.exe

C:\WINDOWS\wanmpsvc.exe

c:\g3g6r8w3c2f7.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\NMBgMonitor.exe

O1 - Hosts: 127.0.0.3 adlaji.cn

O1 - Hosts: 127.0.0.l www.xxie.net

O1 - Hosts: 127.0.01 www.gfrgfrsa.cn

O1 - Hosts: 202.165.102.205 972.aksjd11.com

O1 - Hosts: 202.165.102.205 w3og.cn

O1 - Hosts: 203.208.35.100 qazc.fourtw.cn

O1 - Hosts: 203.208.35.100 www.aujoy.cn

O1 - Hosts: 203.208.35.101 www.hao601.cn

O1 - Hosts: 203.208.35.101 www.psp476.cn

O1 - Hosts: 72.14.235.99 222.1212l112.net

O1 - Hosts: 72.14.235.99 444.1212l112.netn

O1 - Hosts: 72.14.235.99 555.1212l112.net

O1 - Hosts: 72.14.235.99 111.1212l112.net

O1 - Hosts: 65.55.21.250 111.3243l24.com

O1 - Hosts: 65.55.21.250 222.3243l24.com

O1 - Hosts: 65.55.21.250 333.3243l24.com

O1 - Hosts: 125.64.8.112 kao2.gmwo03.com

O1 - Hosts: 125.64.8.112 kao.gmwo06.com

O1 - Hosts: 125.64.8.112 444.gmwo07.com

O1 - Hosts: 116.252.185.15 ru.update365.us

O1 - Hosts: 116.252.185.15 ad.update365.us

O1 - Hosts: 207.46.232.182 popmails.net

O1 - Hosts: 203.208.37.99 3.goodhh.com

O1 - Hosts: 220.181.37.55 down.rwixr.com

O1 - Hosts: 160.79.42.52 www.xdj2008.com

O1 - Hosts: 63.175.76.152 www.revtr.cn

O1 - Hosts: 219.133.40.91 qq.ljsll.com

O1 - Hosts: 203.208.35.102 www.aassccwe.cn

O1 - Hosts: 209.132.177.50 973.aksjd11.com

O1 - Hosts: 209.132.177.50 974.aksjd11.com

O1 - Hosts: 209.132.177.50 971.aksjd11.com

O1 - Hosts: 209.132.177.50 975.aksjd11.com

O1 - Hosts: 72.14.235.104 user1.12-39.net

O1 - Hosts: 72.14.235.147 www.infomt.net

O1 - Hosts: 192.150.18.101 ata1.sysions.net

O1 - Hosts: 192.150.18.101 ata2.sysions.net

O1 - Hosts: 192.150.18.101 ata3.sysions.net

O1 - Hosts: 192.150.18.101 ata4.sysions.net

O1 - Hosts: 193.120.42.226 8nnnnn99.cn

O1 - Hosts: 24.39.54.34 www.haoaoao.cn

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [HBService] explore.exe

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [NMBgMonitor.exe] C:\WINDOWS\system32\NMBgMonitor.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O20 - AppInit_DLLs: aaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dll,aaa.dll,HBmhly.dll

O21 - SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - C:\Program Files\Messenger\msgmr.dll

O21 - SSODL: comuidsg.dll - {898E02AB-9372-4a2c-9C4A-FFE1AF61097F} - C:\WINDOWS\System32\comuidsg.dll

O21 - SSODL: lweurqhx.dll - {71A78CD4-E470-4a18-8457-E0E0283DD507} - C:\WINDOWS\System32\lweurqhx.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\qxchost.exe

O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 6745 bytes


Hmm, you still have some possible trojans present. Have you installed additional software since we started? Please don't install programs unless I ask you to.

I need you to upload the following files:

C:\WINDOWS\System32\dllcache\qxchost.exe

C:\WINDOWS\System32\comuidsg.dll

C:\WINDOWS\System32\lweurqhx.dll

C:\WINDOWS\system32\NMBgMonitor.exe

C:\WINDOWS\system32\msCMTSrvc.exe

I assume you can open task manager now?

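The file list above was read off the HijackThis log by eye. As an added example (not part of this thread, and not HijackThis or Malwarebytes code), the Python below applies the same reading to a handful of lines copied from the log posted above: a Shell= value carrying an extra program, hosts entries that redirect rather than block (plus one whose "loopback" address is not a valid address at all), a bare-name Run entry imitating explorer.exe, the DisableRegedit policy, a populated AppInit_DLLs, an SSODL loader, and a service with no publisher running from dllcache. The severity labels, the list of imitated system binaries and the "one letter off" decoy test are the example's own assumptions.

```python
"""HijackThis log triage for the indicators raised in this thread.
Added example, not part of the original thread nor HijackThis/Malwarebytes
code; the severity labels and the decoy-name test are its own assumptions."""
import ipaddress
import re

# Constructed input: lines copied from the HijackThis logs posted above,
# with the KBD Run entry and the NVIDIA service kept as benign controls.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\NMBgMonitor.exe
O1 - Hosts: 127.0.0.3 adlaji.cn
O1 - Hosts: 127.0.0.l www.xxie.net
O1 - Hosts: 202.165.102.205 972.aksjd11.com
O4 - HKLM\..\Run: [HBService] explore.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: aaa.dll,HBmhly.dll
O21 - SSODL: comuidsg.dll - {898E02AB-9372-4a2c-9C4A-FFE1AF61097F} - C:\WINDOWS\System32\comuidsg.dll
O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\qxchost.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
POLICY_RE = re.compile(r"^O7 - .+?, (Disable\w+)=(\d)$")
SSODL_RE = re.compile(r"^O21 - SSODL: (.+?) - \{[0-9A-Fa-f-]+\} - (.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

# Windows binaries that malware imitates by dropping or swapping one letter.
SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                "smss.exe", "services.exe", "winlogon.exe", "spoolsv.exe"}


def near(a, b):
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if a == b:
        return True
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = sorted((a, b), key=len)
    return any(long_[:k] + long_[k + 1:] == short for k in range(len(long_)))


def triage_line(line):
    """Classify one HijackThis line; returns (severity, reason) or None."""
    line = line.strip()
    if line.startswith("F2 - REG:system.ini: Shell="):
        shell = line.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return ("high", "Shell= starts an extra program at logon: " + shell)
        return None
    m = HOSTS_RE.match(line)
    if m:
        ip, host = m.groups()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # e.g. "127.0.0.l": looks like a block entry, is not one
            return ("high", f"hosts entry for {host} has malformed address {ip!r}")
        if addr.is_loopback:
            return ("medium", f"hosts entry blocks {host}")
        return ("high", f"hosts entry redirects {host} to {ip}")
    m = RUN_RE.match(line)
    if m:
        hive, name, cmd = m.groups()
        exe = cmd.strip('"').split(" ")[0].lower()
        if "\\" not in exe and any(near(exe, s) for s in SYSTEM_NAMES):
            return ("high", f"{hive} Run [{name}] starts {exe} by bare name, "
                            "a look-alike of a Windows binary")
        return None
    m = POLICY_RE.match(line)
    if m and m.group(2) == "1":
        return ("high", f"user policy {m.group(1)}=1 locks this account out of that tool")
    if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
        return ("high", "AppInit_DLLs set: loaded into every process that maps user32.dll")
    m = SSODL_RE.match(line)
    if m:
        name, path = m.groups()
        sev = "high" if name.lower().endswith(".dll") else "medium"
        return (sev, f"SSODL entry {name} loads {path} into Explorer at logon")
    m = SERVICE_RE.match(line)
    if m:
        name, owner, path = m.groups()
        if "\\dllcache\\" in path.lower():
            return ("high", f"service '{name}' runs from the WFP cache: {path}")
        if owner.lower() == "unknown owner":
            return ("medium", f"service '{name}' has no publisher info: {path}")
    return None


def triage(log_text):
    """Flagged lines as (severity, reason, line) tuples, high first, log order kept."""
    rank = {"high": 0, "medium": 1}
    hits = []
    for raw in log_text.splitlines():
        result = triage_line(raw)
        if result:
            hits.append((result[0], result[1], raw.strip()))
    return sorted(hits, key=lambda h: rank[h[0]])


if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev}] {reason}\n    {line}")
```

Run it as a script to print the flagged lines, or feed the rest of a log to triage_line() one line at a time. On the sample, the KBD Run entry and the NVIDIA service come back clean, every other line is flagged, and the only "medium" is the 127.0.0.3 block entry; the lines the helper asked for (qxchost.exe, comuidsg.dll, NMBgMonitor.exe) all surface as "high".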

Give me a bit of time to process these, and I'll go from there with guidance. The DLLs that are too big to attach here, please zip as cmoneysamples.zip and upload it here: uploads.malwarebytes.org


Hi Cmoney.. The files are trojan.onlinegames components, except for two which are legitimate...

I need you to update MBAM via its update button, perform a quick scan, allow it to remove items, and reboot into normal mode after running the program. Open MBAM again, scan again and post that log file, along with a fresh HijackThis log AFTER running MBAM twice, please.


When the first MBAM scan was finished, deleted files and wanted to restart, I had to do it manually by holding the button down and pushing it back in to restart it that way. I did that because earlier on, I got that NT Authority\System error message: "This system is shutting down." pop-up that tried to shut down the computer. I went Start > Run "shutdown -a" (again, that was hours ago).

When the PC turned back on I looked at Task Manager, which was working (or at least bold like everything else), but I didn't go into it though. (Now it's back to grey and not clickable.) I thought that was a sign that it worked even after the way I turned off the computer. I then ran MBAM and HijackThis.

MBAM:

Malwarebytes' Anti-Malware 1.25

Database version: 1099

Windows 5.1.2600 Service Pack 1

7:39:57 PM 8/30/2008

mbam-log-08-30-2008 (19-39-40).txt

Scan type: Quick Scan

Objects scanned: 46589

Time elapsed: 7 minute(s), 13 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 7

Memory Processes Infected:

c:\g3g6r8w3c2f7.exe (Trojan.Unclassified) -> No action taken.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\g3g6r8w3c2f7.exe (Trojan.Unclassified) -> No action taken.

C:\WINDOWS\linkinfo.dll (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8DUVS9EB\abb[1].gif (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KHIN09A3\c12345[1].jpg (Trojan.Unclassified) -> No action taken.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SXQN0TIR\update[1].gif (Spyware.OnlineGames) -> No action taken.

C:\WINDOWS\AppPatch\DesktopWin.dll (Trojan.Agent) -> No action taken.

HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:41:27 PM, on 8/30/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\dllcache\qxchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\explore.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\system32\NMBgMonitor.exe

C:\WINDOWS\wanmpsvc.exe

c:\g3g6r8w3c2f7.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\NMBgMonitor.exe

O1 - Hosts: 127.0.0.3 adlaji.cn

O1 - Hosts: 127.0.0.l www.xxie.net

O1 - Hosts: 127.0.01 www.gfrgfrsa.cn

O1 - Hosts: 202.165.102.205 972.aksjd11.com

O1 - Hosts: 202.165.102.205 w3og.cn

O1 - Hosts: 203.208.35.100 qazc.fourtw.cn

O1 - Hosts: 203.208.35.100 www.aujoy.cn

O1 - Hosts: 203.208.35.101 www.hao601.cn

O1 - Hosts: 203.208.35.101 www.psp476.cn

O1 - Hosts: 72.14.235.99 222.1212l112.net

O1 - Hosts: 72.14.235.99 444.1212l112.netn

O1 - Hosts: 72.14.235.99 555.1212l112.net

O1 - Hosts: 72.14.235.99 111.1212l112.net

O1 - Hosts: 65.55.21.250 111.3243l24.com

O1 - Hosts: 65.55.21.250 222.3243l24.com

O1 - Hosts: 65.55.21.250 333.3243l24.com

O1 - Hosts: 125.64.8.112 kao2.gmwo03.com

O1 - Hosts: 125.64.8.112 kao.gmwo06.com

O1 - Hosts: 125.64.8.112 444.gmwo07.com

O1 - Hosts: 116.252.185.15 ru.update365.us

O1 - Hosts: 116.252.185.15 ad.update365.us

O1 - Hosts: 207.46.232.182 popmails.net

O1 - Hosts: 203.208.37.99 3.goodhh.com

O1 - Hosts: 220.181.37.55 down.rwixr.com

O1 - Hosts: 160.79.42.52 www.xdj2008.com

O1 - Hosts: 63.175.76.152 www.revtr.cn

O1 - Hosts: 219.133.40.91 qq.ljsll.com

O1 - Hosts: 203.208.35.102 www.aassccwe.cn

O1 - Hosts: 209.132.177.50 973.aksjd11.com

O1 - Hosts: 209.132.177.50 974.aksjd11.com

O1 - Hosts: 209.132.177.50 971.aksjd11.com

O1 - Hosts: 209.132.177.50 975.aksjd11.com

O1 - Hosts: 72.14.235.104 user1.12-39.net

O1 - Hosts: 72.14.235.147 www.infomt.net

O1 - Hosts: 192.150.18.101 ata1.sysions.net

O1 - Hosts: 192.150.18.101 ata2.sysions.net

O1 - Hosts: 192.150.18.101 ata3.sysions.net

O1 - Hosts: 192.150.18.101 ata4.sysions.net

O1 - Hosts: 193.120.42.226 8nnnnn99.cn

O1 - Hosts: 24.39.54.34 www.haoaoao.cn

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [HBService] explore.exe

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [NMBgMonitor.exe] C:\WINDOWS\system32\NMBgMonitor.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O20 - AppInit_DLLs: aaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dll,aaa.dll,HBmhly.dll

O21 - SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - C:\Program Files\Messenger\msgmr.dll

O21 - SSODL: comuidsg.dll - {898E02AB-9372-4a2c-9C4A-FFE1AF61097F} - C:\WINDOWS\System32\comuidsg.dll

O21 - SSODL: lweurqhx.dll - {71A78CD4-E470-4a18-8457-E0E0283DD507} - C:\WINDOWS\System32\lweurqhx.dll

O21 - SSODL: DesktopWin - {DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - C:\WINDOWS\AppPatch\DesktopWin.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\qxchost.exe

O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 6908 bytes

When the first MBAM scan was finished, deleted files and wanted to restart, I had to do it manually by holding the button down and pushing it back in to restart it that way. I did that because earlier on, I got that NT Authority\System error message: "This system is shutting down." pop-up that tried to shut down the computer. I went Start > Run "shutdown -a" (again, that was hours ago).

MBAM has to be able to scan and properly restart your machine. Please try this again, and after rebooting, post a fresh MBAM log.

We can't do much cleanup with HijackThis until various files are killed. Hence the need for a successful shutdown and restart.

Feel free to check for an updated database beforehand.

This topic is now closed to further replies.