Jump to content
Sign in to follow this  
Grimnirsson

Scanned twice, same result

Recommended Posts

Hi folks,

I'm new to this board and a new user of Malwarebyt as well, so sorry if I missed that this was already discussed elsewhere - I'm in a hurry at the moment and have no time to search the whole forum. I scanned my PC yesterday and found 80 infected files. I removed them and today after starting a new scan just to see what it would bring up (expecting no results of course) I got the same result as before. Now I looked a bit more into the scan and so far I would say Malwarebyte is listing normal system files and exe files as threats which is of course not what I expect from such a program. Windows Defender and AVG Antivirus/Antimalware both say my system is clean of any threats. Hijackthis also gives a complete 'green' scan result with no problems whatsoever.

So, what do you Malwarebyte experts say about the scan below? Is my system clean or what's up with these files constantly coming back even after removing them ?

Thanks a lot,

greetings from Germany

Grim

Malwarebytes' Anti-Malware 1.26

Datenbank Version: 1112

Windows 6.0.6001 Service Pack 1

04.09.2008 17:13:50

mbam-log-2008-09-04 (17-13-37).txt

Scan-Methode: Vollst

Share this post


Link to post
Share on other sites

Something is wrong here and none of those system files should be there . Also the fake dropped malware is well know to be dropped by fake scanners just to be found later .

Please post you HJT log so I can take a look .

Share this post


Link to post
Share on other sites

That was a fast reply, very much appreciated - thanks.

Here's the Hijack-log:

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\LG Software\On Screen Display\HotKey.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Windows\System32\ico.exe

C:\Program Files\KEMailKb\KEMailKb.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\AVG\AVG8\avgtray.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\System32\rundll32.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Windows\System32\Pelmiced.exe

C:\Program Files\Opera\opera.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Program Files\AVG\AVG8\avgui.exe

C:\Program Files\AVG\AVG8\avgscanx.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lge.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O1 - Hosts: ::1 localhost

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Asz.Citavi.IEPicker.IEPickerButton - {609D670F-B735-4da7-AC6D-F3BD358E325E} - C:\Windows\system32\mscoree.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [KeybdUtility] C:\Program Files\LG Software\On Screen Display\HotKey.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ZugPowerConfig] %ProgramFiles%\LG Software\ZugPowerConfig\ZugPowerConfigCurrentValue.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE

O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\KEMailKb\KEMailKb.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\RunOnce: [Run Daemon] iconspy.exe

O4 - HKLM\..\RunOnce: [Mouse Suite 98 Daemon] Pelmiced.exe /RunOnce

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')

O8 - Extra context menu item: &Citavi Picker... - file://C:\Program Files\Internet Explorer\PLUGINS\Citavi Picker\ShowContextMenu.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~4.0_0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~4.0_0\bin\ssv.dll

O9 - Extra button: Citavi Picker - {619D670F-B735-4da7-AC6D-F3BD358E325E} - C:\Windows\system32\mscoree.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O13 - Gopher Prefix:

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Intel

Edited by JeanInMontana
remove quote tags

Share this post


Link to post
Share on other sites

I have never seen a real MS file that unknown but everything looks legit here .

A few questions , are the files actually there ?

When removed do they actually delete ?

If they come back do you have to reboot to make them come back ?

Share this post


Link to post
Share on other sites
A few questions , are the files actually there ?

Now that you ask, well, it seems all of the files I checked are listed as 0 bytes and/or are only shortcuts to folders which Vista doesn't give me access to.

When removed do they actually delete ?

I got an error about the windows sidebar after the first deletion process yesterday, so something obviously was deleted. I didn't check this for all files of course.

If they come back do you have to reboot to make them come back ?

Since they came back after starting the computer anew today that was the case. But I don't know if it was necessary to make them come back. Some files were deleted after a necessary reboot (which was what Malwarebyte told me), the rest were deleted before that.

I'm a bit confused now - can I take it that my PC is actually clean (as Windows Defender, Hijack and AVG tell me) of any serious threats? Seems then that my PC isn't compatible with this Anti-Malware tool.

Share this post


Link to post
Share on other sites

Now I see what is going on here , this is from an odd bug on vista only that we are still trying to track down , please delete those files by hand and reboot , let me know of they come back .

Share this post


Link to post
Share on other sites

So that means all these files are actually threats? Deleting them won't start any trouble with my settings (like with the windows sidebar)? I'd like to be a bit careful here since no other antispy/-malware tool gives me any reason to think something is that wrong with my system... :angry:

Share this post


Link to post
Share on other sites

I cant tell how these files got there but it is likely just from the bug .

Looking at both the MBAM log and HJT log it is obvious that none of them enter memory and none of the system file names are in their correct location so cant have nay impact on your system . You also said that they are 0bytes so they dont have anything in them anyway .

Our lead coder might seek your help in debugging this , if that is Ok with you . It is a rare bug and we have never had the chance to get our hands on a machine that does this .

Share this post


Link to post
Share on other sites

Just so I understand this correctly: I do manually delete them via a feature of your tool or do I have to look for all of these files in the explorer and then delete them all by hand? The latter could indeed be rather time consuming :angry:

And these files are - at least that's what I understand from your explanation - not real files, have nothing to do with the real sys files, just 'ghosts' so to say?

Our lead coder might seek your help in debugging this , if that is Ok with you . It is a rare bug and we have never had the chance to get our hands on a machine that does this .

Sure, if I can be of any help with this.

Share this post


Link to post
Share on other sites

Ok, I think I know the answer now. These empty files, the shortcuts that Malwarebyte gives out as threats are system shortcuts for the sake of backwards compability with older programs, to make them work under Vista. These shortcuts also known as NTFS-Links do simulate a specific path for these older programs so there are no error messages when installing them under Vista - although the path as such is not the same anymore as it was under XP and older OS and so would cause problems when being installed under Vista without this 'trick'. Deleting these files/shortcuts definitely can mess up the system since the backwards compability won't work anymore.

So I have made the decision not to delete them and I will use other malware tools that don't give out these positive results. I'm quite sure that I don't have any threats on my PC since I'm always up to date with everything, have several firewalls (soft- and hardware) and two active Virus/Malware scanners (AVG and Windows Defender) and use Opera which is the safest browser out there. The only way to actually get malware on my system is by pressing the 'OK' button to manually install something, which I won't do.

Thanks for the help, though.

Grim

Share this post


Link to post
Share on other sites

That is not what is going on here as if it were , EVERYONE with with Vista would have the same scan results and that is not the case .

I can assure you that microsoft system files dont ever run from or belong in Local Settings or Application Data and then executables dont belong in cookies .

These files and shortcuts are created by MBAM through a bug we are trying to track down that happens rare cases .

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.