Jump to content
Due to inclement weather in Southwest Florida, our Clearwater support team is offline. Our other offices are available to assist you, however their responses may be delayed. We appreciate your patience and understanding during this time. ×

mbam will not remove system tools 2011


Recommended Posts

Any help is most appreciated.

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 5:33:41 PM, on 11/22/2010

Platform: Windows 7 (WinNT 6.00.3504)

MSIE: Internet Explorer v8.00 (8.00.7600.16671)

Boot mode: Safe mode with network support

Running processes:

C:\Windows\Explorer.EXE

C:\Windows\system32\ctfmon.exe

C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe

C:\Program Files\Webroot\Security\Current\Framework\WRFrame.exe

C:\Users\Wojo\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Wojo\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Wojo\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Wojo\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Wojo\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Program Files\PC Tools Security\pctsGui.exe

C:\Users\Wojo\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Wojo\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Wojo\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Wojo\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Wojo\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Wojo\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Wojo\Music\HijackThis (2).exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Norton Safety Minder BHO - {B8E07826-0971-4f16-B133-047B88034E89} - C:\Program Files\Norton Online\AddOns\Norton Safety Minder\Engine\2.0.0.48\coIEPlg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [PLFSetL] "C:\Windows\PLFSetL.exe"

O4 - HKLM\..\Run: [sNUVCDSM] "C:\Windows\snuvcdsm.exe"

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files\Google\Gmail Notifier\gnotify.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [KBD] "C:\HP\KBD\KBD.EXE"

O4 - HKLM\..\Run: [PS2] "C:\Windows\system32\ps2.exe"

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [hpqSRMon] "C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe"

O4 - HKLM\..\Run: [igfxTray] "C:\Windows\system32\igfxtray.exe"

O4 - HKLM\..\Run: [HotKeysCmds] "C:\Windows\system32\hkcmd.exe"

O4 - HKLM\..\Run: [Persistence] "C:\Windows\system32\igfxpers.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [RtHDVCpl] "C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe" -s

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [bncsaui.exe] "%ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe"

O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\PC Tools Security\pctsGui.exe" /hideGUI

O4 - HKLM\..\Run: [WebrootTrayApp] "C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe"

O4 - HKCU\..\Run: [Google Update] "C:\Users\Wojo\AppData\Local\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"

O4 - HKCU\..\RunOnce: [eFeDm01834] C:\ProgramData\eFeDm01834\eFeDm01834.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Bradford Persistent Agent Service (BNPagent) - Bradford Networks - C:\Program Files\Bradford Networks\Persistent Agent\bndaemon.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton Online (NOF) - Symantec Corporation - C:\Program Files\Norton Online\Engine\2.0.0.71\ccSvcHst.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Security\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Security\pctsSvc.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe

O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe

--

End of file - 8980 bytes

Link to post
Share on other sites

Hi and Welcome -

If the basic program is having trouble removing it , there may be other problems involved - Please read on -

As we do not work on Malware removal or diagnostics in the general forums please follow these directions -

Please print out, read and follow ->What do I do now? , skipping any steps you are unable to complete.

The next step is post a ->New Topic Here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that

you're alerted when someone has replied to your post - Please allow at least 24-48 hours for a reply as the experts can get busy at times -

Also add a brief note to the experts as to your problems -

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org or via This Link

Always use the ADD REPLY Tab at the bottom of the page when you reply -

Thank You - :D

023 - Norton Online (NOF) - Symantec Corporation - C:\Program Files\Norton Online\Engine\2.0.0.71\ccSvcHst.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Security\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Security\pctsSvc.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe

O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe

This shows several Antivirus applications installed also - Please only use one antivirus on your computer -

(O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe") - and this may be where you caught the infections - Please remove this item -

Link to post
Share on other sites

Any help is most appreciated.

Ok for this fake trojan malwarebytes wont touch it because it registers as regular software.... its basically just a movie file set on a timer to advertise til you buy it . its attached to your Boot file so it automatically runs .... heres how to nix it ..

1. find the system tools icon on your desktop and right click it .... choose the properties option

2. in the icon properties box there will be an address as to where the file is... something like the following:

"C:\documents and settings\application data\Ieiajo1803.exe"

3.Write that address down and reboot your system... use safe mode in windows by hitting the f-8 key on bootup, and selecting safe mode from the list.

4. open the start menu and select my computer

5. select your C: drive

6. open the documents and settings folder

7. on the tools tab at the top of the page there select folder options

8. in the view tab on the options box checkmark view hidden files and folders

9. REMOVE the check in the hide system files box

10 go find the folder that is named in the adress you wrote down above, and delete it .

11. reboot to normal windows and your done ... dont forget to empty your trash can as the file is still in there .

hope this helps .. .i came across this scamware today in my shop and thats how i removed it . I will be making a video tutorial using an infected pc soon.

Link to post
Share on other sites

Ok for this fake trojan malwarebytes wont touch it because it registers as regular software.... its basically just a movie file set on a timer to advertise til you buy it . its attached to your Boot file so it automatically runs .... heres how to nix it ..

1. find the system tools icon on your desktop and right click it .... choose the properties option

2. in the icon properties box there will be an address as to where the file is... something like the following:

"C:\documents and settings\application data\Ieiajo1803.exe"

3.Write that address down and reboot your system... use safe mode in windows by hitting the f-8 key on bootup, and selecting safe mode from the list.

4. open the start menu and select my computer

5. select your C: drive

6. open the documents and settings folder

7. on the tools tab at the top of the page there select folder options

8. in the view tab on the options box checkmark view hidden files and folders

9. REMOVE the check in the hide system files box

10 go find the folder that is named in the adress you wrote down above, and delete it .

11. reboot to normal windows and your done ... dont forget to empty your trash can as the file is still in there .

hope this helps .. .i came across this scamware today in my shop and thats how i removed it . I will be making a video tutorial using an infected pc soon.

" Only the strong survive and the ethical hackers shall thrive "

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.