
Hi! This laptop I'm using now used to be infected with Vista AntiMalware, but I have removed it already using the instructions from this link. So I'm surfing the web now using this laptop, BUT it is still showing some weird behaviour like the following:

(1) The AVG tray icon is missing from the system tray in the Limited account (it's there in the Admin account).

(2) Also, I cannot install a third-party firewall (I've tried installing Online Armor Free & ZoneAlarm Free) without making the laptop slow to a crawl... very, very slow... so I'm stuck with Windows Firewall.

(3) Also, if I try to open an executable in the Limited account (like Firefox or AVG, for example) it gives me a dialog box "What would you like to open this with?"... followed by an enumeration of various legitimate programs... when in fact it should simply open by itself when double-clicked, just like it does in the Admin account.

Here below is the HijackThis log. I hope you can help me identify if there are any more nasties lurking in this laptop.

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 22:33:25, on 26/03/2011

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v8.00 (8.00.6001.19019)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\AVG\AVG10\avgtray.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Users\keiko\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/login.php

R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O1 - Hosts: ::1 localhost # IPv6

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe

O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO

O9 - Extra button: @C:\Program Files\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files\Windows Live\Companion\companioncore.dll

O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll

O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe

O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe

O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--

End of file - 4999 bytes

When I removed Vista AntiMalware after running rkill (as per the instructions in the link above) I got this MBAM log (first run, quick scan):

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6171

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.19019

25/03/2011 20:40:20

mbam-log-2011-03-25 (20-40-20).txt

Scan type: Quick scan

Objects scanned: 162480

Time elapsed: 5 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 24

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\Efraim\AppData\Roaming\defender.exe (Rogue.Installer.Gen) -> Quarantined and deleted successfully.

c:\Users\Efraim\local settings\application data\acs.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Efraim\local settings\application data\agd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Efraim\local settings\application data\asf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Efraim\local settings\application data\bbc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Efraim\local settings\application data\cap.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Efraim\local settings\application data\cwt.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Efraim\local settings\application data\ddb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Efraim\local settings\application data\fsa.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Efraim\local settings\application data\grk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Efraim\local settings\application data\gyn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Efraim\local settings\application data\gyv.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Efraim\local settings\application data\iyw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Efraim\local settings\application data\jte.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Efraim\local settings\application data\kab.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Efraim\local settings\application data\meg.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Efraim\local settings\application data\nax.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Efraim\local settings\application data\plt.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Efraim\local settings\application data\qxl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Efraim\local settings\application data\rts.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Efraim\local settings\application data\tgw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Efraim\local settings\application data\yio.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\Windows\Tasks\{62c40aa6-4406-467a-a5a5-dfdf1b559b7a}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.

And on the second MBAM run (Full Scan) I got this:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6171

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.19019

25/03/2011 22:44:28

mbam-log-2011-03-25 (22-44-28).txt

Scan type: Full scan (C:\|D:\|E:\|)

Objects scanned: 324340

Time elapsed: 1 hour(s), 47 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 11

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\programdata\{d9010fdd-3eed-44d9-9863-33b2d7362ec5}\OFFLINE\36F1A852\3E688669\MyDll.dll (Adware.DoubleD.Gen) -> Quarantined and deleted successfully.

c:\programdata\{d9010fdd-3eed-44d9-9863-33b2d7362ec5}\OFFLINE\6216A4BD\3E688669\stbyahoo8.dll (Adware.DoubleD.Gen) -> Quarantined and deleted successfully.

c:\programdata\{d9010fdd-3eed-44d9-9863-33b2d7362ec5}\OFFLINE\628759C1\3E688669\stbOLEX.dll (Adware.DoubleD.Gen) -> Quarantined and deleted successfully.

c:\programdata\{d9010fdd-3eed-44d9-9863-33b2d7362ec5}\OFFLINE\A26F7F7\3E688669\stbOL.dll (Adware.DoubleD.Gen) -> Quarantined and deleted successfully.

c:\programdata\{d9010fdd-3eed-44d9-9863-33b2d7362ec5}\OFFLINE\A53562F1\3E688669\aimactivexdll.dll (Adware.DoubleD.Gen) -> Quarantined and deleted successfully.

c:\programdata\{d9010fdd-3eed-44d9-9863-33b2d7362ec5}\OFFLINE\B3AC8875\3E688669\stbMsn.dll (Adware.DoubleD.Gen) -> Quarantined and deleted successfully.

c:\programdata\{d9010fdd-3eed-44d9-9863-33b2d7362ec5}\OFFLINE\C41B8701\3E688669\stbAol.dll (Adware.DoubleD.Gen) -> Quarantined and deleted successfully.

c:\programdata\{d9010fdd-3eed-44d9-9863-33b2d7362ec5}\OFFLINE\D5797E3B\3E688669\stbyahoo9.dll (Adware.DoubleD.Gen) -> Quarantined and deleted successfully.

c:\programdata\{d9010fdd-3eed-44d9-9863-33b2d7362ec5}\OFFLINE\mfilebagide.dll\bag\setup.exe (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\Users\Efraim\AppData\LocalLow\Sun\Java\deployment\cache\6.0\22\31a06d6-109762e3 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Efraim\AppData\LocalLow\Sun\Java\deployment\cache\6.0\59\4708a9bb-7e3adba3 (Rogue.Installer) -> Quarantined and deleted successfully.

Currently, when I run MBAM again there are no more detections. Running ESET Online Scan also shows no threats found.
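A small triage helper for logs like the HijackThis output posted above. This is an added example, not code from the poster or from HijackThis itself: it parses the section codes and paths out of the log lines and flags the two things a reviewer looks for first, O23 services with no publisher ("Unknown owner") and autostart entries pointing into user-writable directories. The sample is constructed from lines in the log above plus one made-up O4 entry (placeholder.exe) so the second rule has something to fire on.

```python
import re

# Constructed sample: entries copied from the HijackThis log in the post
# above, plus one made-up O4 line (placeholder.exe, hypothetical) so the
# user-writable-location rule has something to flag.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [example] C:\Users\keiko\AppData\Roaming\placeholder.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O4, O23, ...).
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# A Windows path: either quoted, or unquoted and ending in a known extension.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\.+?\.(?:exe|dll|sys|job))', re.I)
# Directories a limited user can write to; legitimate autostarts rarely live there.
USER_WRITABLE = ("\\appdata\\", "\\local settings\\", "\\temp\\", "\\programdata\\", "\\tasks\\")


def parse_entries(text):
    """Turn a HijackThis log into dicts of section code, body and referenced path."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, process list, blank lines
        section, body = m.groups()
        p = PATH_RE.search(body)
        path = (p.group(1) or p.group(2)) if p else None
        entries.append({"section": section, "body": body, "path": path})
    return entries


def triage(text):
    """Return only the entries that have at least one reason to look closer."""
    flagged = []
    for e in parse_entries(text):
        reasons = []
        if e["section"] == "O23" and "Unknown owner" in e["body"]:
            reasons.append("service binary has no publisher information")
        if e["path"] and any(d in e["path"].lower() for d in USER_WRITABLE):
            reasons.append("autostart points into a user-writable directory")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["section"], f["path"], "->", "; ".join(f["reasons"]))
```

A flag is a reason to check the file's signature and origin, not a verdict: the HP recovery service in the sample is a known vendor binary that simply ships without publisher information.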


Hello WallysBlues! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.
  • Post all of your log files; don't attach them.

Step 1

Your database version of Malwarebytes' Anti-Malware is old, so please:

  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab and select Check for Updates.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 2

  • Open HijackThis, click Config, click Misc Tools
  • Click Open Uninstall Manager
  • Click Save List (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

In your next reply, please post the following logs:

  • Malwarebytes' Anti-Malware log
  • Add or Remove Programs list
  • a new, fresh HijackThis log


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
