
Defender, Malwarebytes, HijackThis won't run



Defender and Malwarebytes won't even open.

HijackThis runs but will not fix. Logfile below.

I suspect this has something to do with vtuurp.dll.

I could really use some input.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:29:25 PM, on 8/2/2010

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v8.00 (8.00.6001.18928)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Toshiba\Power Saver\TPwrMain.exe

C:\Program Files\Toshiba\ConfigFree\NDSTray.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Windows\System32\rundll32.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Users\kingkevin\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [cfFncEnabler.exe] cfFncEnabler.exe

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [gedbyxsys] rundll32.exe "vtuurp.dll",s

O4 - HKLM\..\Run: [ddbcdbaudio] rundll32.exe "effdby.dll",s

O4 - HKLM\..\Run: [Acronis Toolbar Helper] rundll32.exe C:\Users\kingkevin\Local Settings\Application Data\Desktop Cleanup Wizard\dskclean.dll, StartProt

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKCU\..\Run: [vtuurqsys] rundll32.exe "vtuurp.dll",s

O4 - HKCU\..\Run: [qonkjjaudio] rundll32.exe "effdby.dll",s

O4 - HKCU\..\Run: [Desktop Cleanup Wizard] rundll32.exe "C:\Users\kingkevin\Local Settings\Application Data\Desktop Cleanup Wizard\dskclean.dll", StartProt

O4 - HKUS\S-1-5-18\..\Run: [nnmnnoaudio] rundll32.exe "effdby.dll",s (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [efcayvsys] rundll32.exe "vtuurp.dll",s (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [nnmnnoaudio] rundll32.exe "effdby.dll",s (User 'Default user')

O20 - AppInit_DLLs: C:\Windows\system32\syspol32.dll

O23 - Service: Acronis System Backup (acrosysbackup_exgvs5A6ZjJH) - Unknown owner - C:\Windows\system32\wirepots.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Jumpstart\jswpsapi.exe

O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\system32\rpcnet.exe

O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe

O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe

O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe

O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe

O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe

O23 - Service: Windows System Backup Dumper (winbackupdumper-id19gvs5A6ZjJH) - Unknown owner - C:\Windows\system32\mousenh32.exe

--

End of file - 4561 bytes


  • Staff

Hi,

Navigate to the C:\Program Files\Malwarebytes' Anti-malware folder.

Locate the file mbam.exe in there and rename it to explorer.exe (right-click mbam.exe, select Rename and rename it to explorer.exe).

Then double-click the explorer.exe file there (the renamed mbam). Malwarebytes should be able to launch.

Post the Malwarebytes log in your next reply together with a new HijackThis log.


Here's the Malwarebytes log

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4384

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.18928

8/3/2010 5:56:40 AM

mbam-log-2010-08-03 (05-56-40).txt

Scan type: Quick scan

Objects scanned: 131268

Time elapsed: 4 minute(s), 37 second(s)

Memory Processes Infected: 2

Memory Modules Infected: 3

Registry Keys Infected: 3

Registry Values Infected: 7

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 7

Memory Processes Infected:

C:\Windows\System32\wirepots.exe (Trojan.Agent) -> Unloaded process successfully.

C:\Windows\System32\mousenh32.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:

C:\Windows\System32\syspol32.dll (Trojan.Agent) -> Delete on reboot.

c:\Windows\System32\vtuurp.dll (Trojan.Agent) -> Delete on reboot.

C:\Windows\System32\wirepots.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acrosysbackup_exgvs5a6zjjh (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winbackupdumper-id19gvs5a6zjjh (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Amnesiac (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xxvtspaudio (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmljjksys (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ddbbxysys (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\khecbcsys (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\awusqoaudio (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\khecbcsys (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\awusqoaudio (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\syspol32.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: system32\syspol32.dll -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\System32\syspol32.dll (Trojan.Agent) -> Delete on reboot.

c:\Windows\System32\vtuurp.dll (Trojan.Agent) -> Delete on reboot.

C:\Windows\System32\wirepots.dll (Trojan.Agent) -> Delete on reboot.

C:\Windows\System32\wirepots.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Windows\System32\mousenh32.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Windows\System32\b_syspol32.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Users\kingkevin\Local Settings\Application Data\Desktop Cleanup Wizard\dskclean.dll (Trojan.Agent) -> Quarantined and deleted successfully.

and HijackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:00:01 AM, on 8/3/2010

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v8.00 (8.00.6001.18928)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Toshiba\Power Saver\TPwrMain.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Toshiba\ConfigFree\NDSTray.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe

C:\Users\kingkevin\Downloads\HiJackThis.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [cfFncEnabler.exe] cfFncEnabler.exe

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [awutspaudio] rundll32.exe "effdby.dll",s

O4 - HKLM\..\Run: [pmkjijsys] rundll32.exe "vtuurp.dll",s

O4 - HKCU\..\Run: [nnkhhgaudio] rundll32.exe "effdby.dll",s

O4 - HKUS\S-1-5-18\..\Run: [bywttqaudio] rundll32.exe "effdby.dll",s (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [xxyabasys] rundll32.exe "vtuurp.dll",s (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [bywttqaudio] rundll32.exe "effdby.dll",s (User 'Default user')

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Jumpstart\jswpsapi.exe

O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\system32\rpcnet.exe

O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe

O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe

O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe

O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe

O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe

--

End of file - 3819 bytes

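Both HijackThis logs in this thread (the one in the opening post and the one taken right after the Malwarebytes run) carry the same three persistence shapes: Run values that hand rundll32.exe a bare DLL name, an AppInit_DLLs entry, and services with an unknown owner living in system32. Comparing the two logs also shows why the Run value names are useless as indicators: gedbyxsys, efcayvsys and pmkjijsys all point at vtuurp.dll, and the DLL is the only artefact that stays put between boots. The Python script below is an added example, not code from the thread, from HijackThis or from Malwarebytes; the line patterns it parses are assumed from the v2.0.2 output quoted above, and the two sample logs are excerpts of that output.

```python
"""Triage and before/after comparison for HijackThis-style logs (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Line shapes assumed from the HijackThis v2.0.2 output quoted in this thread.
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] "
                   r"(?P<cmd>.*?)(?: \(User '[^']*'\))?$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# rundll32 handed a bare file name: no drive letter, no directory separator.
BARE_RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^\\/:"]+?\.dll)"?', re.I)
# rundll32 handed a DLL that lives under a user profile instead of a program directory.
PROFILE_RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[a-z]:\\users\\[^"]+?\.dll)"?', re.I)


@dataclass(frozen=True)
class Finding:
    kind: str     # rundll32-bare-dll | rundll32-profile-dll | appinit-dll | unknown-owner-service
    name: str     # Run value name or service display name: rotates, not a stable indicator
    payload: str  # lower-cased DLL or binary path: the stable artefact to track
    line: str     # original log line


def triage(log_text: str) -> list[Finding]:
    """Flag the persistence patterns listed above in one HijackThis log."""
    found: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            cmd = m["cmd"].strip()
            if r := BARE_RUNDLL_RE.match(cmd):
                found.append(Finding("rundll32-bare-dll", m["name"], r["dll"].lower(), line))
            elif r := PROFILE_RUNDLL_RE.match(cmd):
                found.append(Finding("rundll32-profile-dll", m["name"], r["dll"].lower(), line))
        elif m := O20_RE.match(line):
            # AppInit_DLLs entries are loaded into every process that loads user32.dll.
            for dll in m["dlls"].split(","):
                if dll.strip():
                    found.append(Finding("appinit-dll", "AppInit_DLLs", dll.strip().lower(), line))
        elif m := O23_RE.match(line):
            path = m["path"].strip().lower()
            if m["owner"] == "Unknown owner" and "\\system32\\" in path:
                found.append(Finding("unknown-owner-service", m["svc"], path, line))
    return found


def compare(before: str, after: str) -> dict[str, set[str]]:
    """Diff two logs by payload, so renamed Run values cannot hide a DLL that persisted."""
    b = {f.payload for f in triage(before)}
    a = {f.payload for f in triage(after)}
    return {"removed": b - a, "persisting": b & a, "new": a - b}


def names_by_payload(*logs: str) -> dict[str, set[str]]:
    """Which Run value names each bare DLL has appeared under across the given logs."""
    out: dict[str, set[str]] = defaultdict(set)
    for log in logs:
        for f in triage(log):
            if f.kind == "rundll32-bare-dll":
                out[f.payload].add(f.name)
    return dict(out)


# Excerpts of the two logs quoted in this thread (first post, and after the Malwarebytes run).
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [gedbyxsys] rundll32.exe "vtuurp.dll",s
O4 - HKLM\..\Run: [ddbcdbaudio] rundll32.exe "effdby.dll",s
O4 - HKLM\..\Run: [Acronis Toolbar Helper] rundll32.exe C:\Users\kingkevin\Local Settings\Application Data\Desktop Cleanup Wizard\dskclean.dll, StartProt
O4 - HKUS\S-1-5-18\..\Run: [efcayvsys] rundll32.exe "vtuurp.dll",s (User 'SYSTEM')
O20 - AppInit_DLLs: C:\Windows\system32\syspol32.dll
O23 - Service: Acronis System Backup (acrosysbackup_exgvs5A6ZjJH) - Unknown owner - C:\Windows\system32\wirepots.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Windows System Backup Dumper (winbackupdumper-id19gvs5A6ZjJH) - Unknown owner - C:\Windows\system32\mousenh32.exe
"""

AFTER_LOG = r"""
O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [awutspaudio] rundll32.exe "effdby.dll",s
O4 - HKLM\..\Run: [pmkjijsys] rundll32.exe "vtuurp.dll",s
O4 - HKUS\S-1-5-18\..\Run: [bywttqaudio] rundll32.exe "effdby.dll",s (User 'SYSTEM')
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

if __name__ == "__main__":
    for f in triage(BEFORE_LOG):
        print(f"{f.kind:24} {f.payload}  (named {f.name!r})")
    print(compare(BEFORE_LOG, AFTER_LOG))
    print(names_by_payload(BEFORE_LOG, AFTER_LOG))
```

Run as a script it lists the findings from the first log and then the comparison. Keying the comparison on the payload rather than the value name is the point: after the Malwarebytes run every Run value name had changed, yet `compare()` still reports vtuurp.dll and effdby.dll as persisting while the AppInit DLL and the two bogus services are gone, which is consistent with the rundll error about effdby.dll the poster sees later in the thread. The service heuristic only looks at the owner string and a system32 path; a real triage would go on to check the file's signature and hash.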

  • Staff

Hi,

This is much better already.

Please do the following:

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


  • Staff

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quote box below into Notepad:

File::

c:\windows\system32\effdby.dll

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"cbbaxwaudio"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"qonlkhaudio"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ssqoonaudio"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000000

"AntiSpywareOverride"=dword:00000000

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.


OK, I did as instructed. ComboFix started, updated to a newer version, ran its scan, then rebooted Windows.

When Windows started, the ComboFix window opened and said it was saving a log file. At this point Windows crashed (blue screened). I was able to restart normally, but I have no ComboFix log. Evidently Windows crashed before it was saved.

Should I re-run ComboFix?

Also, when starting Windows I get the rundll error that "ffdby.dll cannot be found".

BTW, thank you very much for your help and your patience!!

aztec


  • Staff

Hi,

This looks OK again.

* Go to Start > Run and copy and paste the next command in the field:

ComboFix /Uninstall

Make sure there's a space between ComboFix and /.

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


Mieke (I hope that's the correct spelling of your name),

I would like to extend to you my humblest and most heartfelt thanks.

As best as I can tell, all traces of the infection are gone, and I'm still not sure exactly what it was.

Anyway, I can now run MBAM and HJT. They run perfectly and give a clean report.

I don't know what you do when you're not helping others, but whatever it is, I bet you do it well.

Once again, thank you for having the time and energy to devote to helping others, especially me!

Regards,

Aztec


  • Staff

Glad I could help. ;)

Please read my Prevention page, which has lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: make sure your programs are up to date, because older versions may contain security leaks. To find out which programs need to be updated, please run the Secunia Software Inspector scan.

Happy Surfing again!
