Droopy Posted October 10, 2008 ID:30453
Hi,
For a few weeks now, my PC (running Vista family edition) seems infected.
It works in safe mode.
It freezes after a few seconds in normal mode.
I restored to some previous restore point but still have the same problem.
Here is the MB log:
Malwarebytes' Anti-Malware 1.28
Version de la base de donn

JeanInMontana Posted October 10, 2008 ID:30460
Hi Droopy and welcome to Malwarebytes. You need to put HJT into the folder it was meant to go into, named HiJackThis and in Program Files on the main drive, usually C:\Program Files. Please do this and then update MBAM, run another quick scan, and post that log and a new HJT log.

Droopy (Author) Posted October 11, 2008 ID:30535
Thanks for the answer.
Here are the 2 logs:
Malwarebytes' Anti-Malware 1.28
Version de la base de donn

JeanInMontana Posted October 12, 2008 ID:30578
I'm not seeing malware. Did you scan with MBAM in normal boot? It is crucial to do that. You have some evidence of a past infection and possibly system damage. If you did scan with MBAM in normal mode then I would suggest you try a check disk for errors and see if any are found.

Droopy (Author) Posted October 12, 2008 ID:30617
Well, I cannot scan in normal mode because it freezes after a few seconds. This is my problem.

JeanInMontana Posted October 12, 2008 ID:30638
So it's MBAM freezing, not the OS? Open MBAM and in the settings section uncheck scan memory, then try running again. Continue unchecking items if that doesn't work. Be sure you're only running a quick scan, not the full.

Droopy (Author) Posted October 12, 2008 ID:30646
Sorry but I don't get it.
In normal mode, Vista freezes before I can start MBAM.
In safe mode it works.
I don't understand what you meant.

JeanInMontana Posted October 13, 2008 ID:30698
OK, I didn't understand you either, now I do. Let's give this tool a try, it runs very fast and should show us something.
Review this article here: how to use ComboFix. Be sure you cover the section on How to install and use the Windows XP Recovery Console and make sure it is installed on your machine. This is important should anything go wrong and we need to recover your PC and not lose all the data.
1. Download this file: http://download.bleepingcomputer.com/sUBs/ComboFix.exe and save it to your desktop.
2. Double click combofix.exe. It will be a red icon with a white X on your desktop. Follow the prompts; you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.
3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.
Post that log and a HiJack log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

JeanInMontana Posted October 21, 2008 ID:31748
OK, the topic is reopened. If your circumstances have not changed please follow the ComboFix instructions.

Droopy (Author) Posted October 21, 2008 ID:31758
OK thanks, I will use ComboFix tomorrow.

JeanInMontana Posted October 21, 2008 ID:31760
Let's get this done. Running CF takes about 30 seconds. Malware needs to be dealt with in a timely fashion to be effective at all.

Droopy (Author) Posted October 22, 2008 ID:31822
Here is the log:
It took about 30 minutes to get the report after CF restarted the PC.
ComboFix 08-10-21.03 - Pierre 2008-10-22 11:17:24.1 - NTFSx86 NETWORK
Microsoft

JeanInMontana Posted October 22, 2008 ID:31870
CF normally runs in about 30 seconds. I am not French and do not read French very well. It's very hard for me to see what is what when you post your logs in French. Please choose English for all logs. Your ComboFix log is not complete either. You either didn't let it finish or you didn't post all the log. This doesn't show me all I need to see. I do see lots of P2P software and you need to remove that if we are to continue. We will not be involved in illegal activities here, and unless you're paying for whatever you're downloading with the P2P it is illegal. See if you can update MBAM and run it and HJT in normal mode. I need feedback on what changes, if any, have happened. Are you able to boot to normal now and run the system? CF did remove two items.

Droopy (Author) Posted October 23, 2008 ID:31967
Sorry about French, but I didn't choose French and I didn't see anywhere where I could choose English.
I let CF finish and I did post all the log.
As I already mentioned, I had to wait about 30 min to get the log file.
About P2P software: I don't use it but I cannot remove it.
For example, I uninstalled Frostwire and it is impossible to uninstall Shareaza!
I still cannot run in normal mode; Vista freezes before I can start any program.
I appreciate your help, thanks.

Droopy (Author) Posted October 24, 2008 ID:32095
What can I do now?
Do you need a new scan?
Thanks in advance for your help.

JeanInMontana Posted October 24, 2008 ID:32169
ComboFix produces a HJT log, so since it is not posted you did not post all the log. Perhaps you have the entire system set for French; since you are French that makes sense. If you don't use P2P, how did all this get on the machine? Those are all P2P programs. Not just one, mind you, but 3. Someone uses them and they are illegal to use to get music and video that should be paid for, and most likely how you got infected.
"{47974CE3-0114-4A3F-AFEA-C4B634D5F5AA}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:

Droopy (Author) Posted October 25, 2008 ID:32253
I didn't say that there was no P2P software installed, though I didn't install it myself.
I now have exclusive control of the PC.
I tried to uninstall all P2P software but didn't succeed.
Frostwire: the Frostwire directory doesn't exist in "C:\Program Files".
Shareaza: the file "C:\Program Files\Shareaza\Uninstall\uninst0000.dat" doesn't exist.

JeanInMontana Posted October 27, 2008 ID:32530
There is nothing in the log that screams malware. If it were run in normal boot perhaps it would show. The files show in the Panda scan as in Program Files. They are not dat files, they are exe.

Droopy (Author) Posted October 28, 2008 ID:32594
I restored to a restore point near when the problem began.
I ran MBAM and HJT scans:

Malwarebytes' Anti-Malware 1.30
Database version: 1329
Windows 6.0.6000
28/10/2008 0:12:33
mbam-log-2008-10-28 (00-12-33).txt

Scan type: Quick Scan
Objects scanned: 47608
Time elapsed: 4 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\aldd (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:17:20, on 28/10/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Pierre\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.7sur7.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fen

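The MBAM log above lists seven quarantined registry keys, and earlier in the thread an incomplete ComboFix paste cost a round trip. As an added example (not code from this thread or from Malwarebytes), here is a small Python parser for this MBAM log format: it tallies detections per threat family and checks that each section's listed items agree with the declared count, so a truncated paste is caught before it is posted. The sample input is the Quick Scan log above, trimmed to the count block and the Registry Keys section.

```python
import re
from collections import Counter

# Constructed sample input: the Quick Scan log posted above, cut down to the
# count block, the "Registry Keys Infected" section and one empty section.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1329

Memory Processes Infected: 0
Registry Keys Infected: 7
Files Infected: 0

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\aldd (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<n>\d+)$")   # summary block
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")              # section start
ITEM_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (declared counts per section, list of detections) from an MBAM log."""
    declared, detections, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if m := COUNT_RE.match(line):
            declared[m["section"]] = int(m["n"])
        elif m := HEADER_RE.match(line):
            section = m["section"]
        elif section and (m := ITEM_RE.match(line)):
            detections.append({"section": section, "item": m["item"],
                               "family": m["family"], "action": m["action"]})
    return declared, detections

def families(detections):
    """Detections per threat family (here: how much of the log is Vundo)."""
    return Counter(d["family"] for d in detections)

def check_complete(declared, detections):
    """Sections whose listed items disagree with the declared count (a truncated paste)."""
    listed = Counter(d["section"] for d in detections)
    return {s: (n, listed[s]) for s, n in declared.items() if listed[s] != n}
```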
Droopy (Author) Posted October 28, 2008 ID:32620
I forgot to mention that, after rebooting, it still freezes in normal mode before I can run any program.

JeanInMontana Posted October 28, 2008 ID:32680
OK, so is MBAM scanning in Safe Mode and it removed those items? Can you restore to before the problem? I don't think we can clean the system in Safe Mode. I need to see a HJT log in normal boot to stand a chance of seeing where and what is running.

Droopy (Author) Posted October 29, 2008 ID:32786
I cannot restore to before the problem? I restored to the earliest point and I still cannot boot normal mode.

Droopy (Author) Posted October 29, 2008 ID:32802
There is svehost.exe in the C:\Program Files directory.
Isn't it malware?

JeanInMontana Posted October 29, 2008 ID:32806
Scan the file at www.virustotal.com and see. It may or may not be. I think you should do a reformat. You have serious system damage and/or malware that cannot be removed without a full boot up.

Droopy (Author) Posted October 29, 2008 ID:32826
2/36 reported Cloaked Malware and Corrupted.Win32File (entry point in import table).
I have created Vista recovery DVDs; I also think that I will have to reformat.
Thanks a lot for your help.
