
Hi everyone, I've run MBAM and found 68 infections. I remove them and reboot.

All the actions are listed as delete on reboot.

I reboot, run MBAM and all those infections are back. I've run other antimalware tools including AVs (Panda and Kaspersky online), SpybotSD, AdAware, SmitFraudFix, CCleaner, and usually I get an alert telling me that the said tool is corrupt. So I've got a sneaking suspicion that the malware is disabling tools that can eliminate it. Either that or they are removed and MBAM is reporting false positives.

I'm running Windows Vista Home Basic on a Lenovo 3000 c200 laptop and all the malware appears to reside in c:\programdata\ but that folder either appears empty or inaccessible.

I'm awaiting assistance on another forum but this behaviour just appears odd to me. It peeves me more so as that was my netbanking machine.

So suggestions and what not are welcome.


Thanks

Here's the log

Malwarebytes' Anti-Malware 1.31

Database version: 1469

Windows 6.0.6000

7/12/2008 21:16:37


Scan type: Quick Scan

Objects scanned: 48276

Time elapsed: 8 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 68

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\ProgramData\PC-Antispyware (Rogue.PCAntispyware) -> No action taken. [3857535134305180728670154936347985748481908866837013013627614983807283667837668566614936143479857484819088668370]

C:\ProgramData\nuvageliqi.bin (Fake.Dropped.Malware) -> No action taken. [385753513430396676701537838081817069154666778866837013013627614983807283667837668566617986876672707774827415677479]

C:\ProgramData\obyqihyhyn.pif (Fake.Dropped.Malware) -> No action taken. [385753513430396676701537838081817069154666778866837013013627614983807283667837668566618067908274739073907915817471]

C:\ProgramData\oceme.lib (Fake.Dropped.Malware) -> No action taken. [38575351343039667670153783808181706915466677886683701301362761498380728366783766856661806870787015777467]

C:\ProgramData\odohyd.bat (Fake.Dropped.Malware) -> No action taken. [3857535134303966767015378380818170691546667788668370130136276149838072836678376685666180698073906915676685]

C:\ProgramData\ogax.dll (Fake.Dropped.Malware) -> No action taken. [385753513430396676701537838081817069154666778866837013013627614983807283667837668566618072668915697777]

C:\ProgramData\wesydyho.sys (Fake.Dropped.Malware) -> No action taken. [38575351343039667670153783808181706915466677886683701301362761498380728366783766856661887084906990738015849084]

C:\ProgramData\wypoworof.scr (Fake.Dropped.Malware) -> No action taken. [3857535134303966767015378380818170691546667788668370130136276149838072836678376685666188908180888083807115846883]

C:\ProgramData\zobijut._sy (Fake.Dropped.Malware) -> No action taken. [385753513430396676701537838081817069154666778866837013013627614983807283667837668566619180677475868515648490]

C:\ProgramData\zularanyzo.bat (Fake.Dropped.Malware) -> No action taken. [385753513430396676701537838081817069154666778866837013013627614983807283667837668566619186776683667990918015676685]

C:\ProgramData\redir.dll (Rogue.SpyGuarder) -> No action taken. [385753513430518072867015528190408666836970831301362761498380728366783766856661837069748315697777]

C:\ProgramData\spyguarder.exe (Rogue.SpyGuarder) -> No action taken. [3857535134305180728670155281904086668369708313013627614983807283667837668566618481907286668369708315708970]

C:\ProgramData\services\services.dll (Trojan.Agent) -> No action taken. [3857535134305383807566791534727079851301362761498380728366783766856661847083877468708461847083877468708415697777]

C:\ProgramData\spooll.exe (Trojan.Agent) -> No action taken. [385753513430538380756679153472707985130136276149838072836678376685666184818080777715708970]

C:\ProgramData\Roaming\inst.exe (Trojan.Agent) -> No action taken. [385753513430538380756679153472707985130136276149838072836678376685666151806678747972617479848515708970]

C:\ProgramData\temp.dll (Trojan.Agent) -> No action taken. [38575351343053838075667915347270798513013627614983807283667837668566618570788115697777]

C:\ProgramData\Twain\Twain.exe (Trojan.Agent) -> No action taken. [3857535134305383807566791534727079851301362761498380728366783766856661538866747961538866747915708970]

C:\ProgramData\Part Long Boob Idle (Trojan.Agent) -> No action taken. [385753513430538380756679153472707985130136276149838072836678376685666149668385014580797201358080670142697770]

C:\ProgramData\oembios.exe (Trojan.Agent) -> No action taken. [38575351343053838075667915347270798513013627614983807283667837668566618070786774808415708970]

C:\ProgramData\Mozilla\Firefox\Profiles\main\browserui.dll (Trojan.Agent) -> No action taken. [385753513430538380756679153472707985130136276149838072836678376685666146809174777766613974837071808961498380717477708461786674796167838088847083867415697777]

C:\ProgramData\Mozilla\Firefox\Profiles\main\mt_32.dll (Trojan.Agent) -> No action taken. [3857535134305383807566791534727079851301362761498380728366783766856661468091747777666139748370718089614983807174777084617866747961788564201915697777]

C:\ProgramData\Mozilla\Firefox\Profiles\main\winload.dll (Trojan.Agent) -> No action taken. [38575351343053838075667915347270798513013627614983807283667837668566614680917477776661397483707180896149838071747770846178667479618874797780666915697777]

C:\ProgramData\Partner\partner.dll (Trojan.Agent) -> No action taken. [385753513430538380756679153472707985130136276149838072836678376685666149668385797083618166838579708315697777]

C:\ProgramData\partner\partner.exe (Trojan.Agent) -> No action taken. [385753513430538380756679153472707985130136276149838072836678376685666181668385797083618166838579708315708970]

C:\ProgramData\WinButler\WinButler.exe (Backdoor.Bot) -> No action taken. [38575351343035666876698080831535808513013627614983807283667837668566615674793586857770836156747935868577708315708970]

C:\ProgramData\wane.exe (Fake.Dropped.Malware) -> No action taken. [385753513430396676701537838081817069154666778866837013013627614983807283667837668566618866797015708970]

C:\ProgramData\nazutire.pif (Fake.Dropped.Malware) -> No action taken. [38575351343039667670153783808181706915466677886683701301362761498380728366783766856661796691868574837015817471]

C:\ProgramData\pizehacal.reg (Fake.Dropped.Malware) -> No action taken. [3857535134303966767015378380818170691546667788668370130136276149838072836678376685666181749170736668667715837072]

C:\ProgramData\tazebama\zPharaoh.dat (Worm.Mabezat) -> No action taken. [3857535134305680837815466667709166851301362761498380728366783766856661856691706766786661914973668366807315696685]

C:\ProgramData\winifixer.exe (Trojan.Agent) -> No action taken. [385753513430538380756679153472707985130136276149838072836678376685666188747974717489708315708970]

C:\ProgramData\rojad.inf (Fake.Dropped.Malware) -> No action taken. [38575351343039667670153783808181706915466677886683701301362761498380728366783766856661838075666915747971]

C:\ProgramData\ujysirup.sys (Fake.Dropped.Malware) -> No action taken. [38575351343039667670153783808181706915466677886683701301362761498380728366783766856661867590847483868115849084]

C:\ProgramData\zylogi.pif (Fake.Dropped.Malware) -> No action taken. [3857535134303966767015378380818170691546667788668370130136276149838072836678376685666191907780727415817471]

C:\ProgramData\uhybiful.dll (Fake.Dropped.Malware) -> No action taken. [38575351343039667670153783808181706915466677886683701301362761498380728366783766856661867390677471867715697777]

C:\ProgramData\utywuwunif.dat (Fake.Dropped.Malware) -> No action taken. [385753513430396676701537838081817069154666778866837013013627614983807283667837668566618685908886888679747115696685]

C:\ProgramData\ybeqato.com (Fake.Dropped.Malware) -> No action taken. [385753513430396676701537838081817069154666778866837013013627614983807283667837668566619067708266858015688078]

C:\ProgramData\pcant.exe (Trojan.Agent) -> No action taken. [3857535134305383807566791534727079851301362761498380728366783766856661816866798515708970]

C:\ProgramData\szuteved.dll (Trojan.Agent) -> No action taken. [3857535134305383807566791534727079851301362761498380728366783766856661849186857087706915697777]

C:\ProgramData\Windowsupdate.exe (Trojan.Agent) -> No action taken. [38575351343053838075667915347270798513013627614983807283667837668566615674796980888486816966857015708970]

C:\ProgramData\spool.exe (Trojan.Agent) -> No action taken. [3857535134305383807566791534727079851301362761498380728366783766856661848180807715708970]

C:\ProgramData\tmfubwny.dll (Trojan.Vundo) -> No action taken. [3857535134305383807566791555867969801301362761498380728366783766856661857871866788799015697777]

C:\ProgramData\n.ini (Malware.Trace) -> No action taken. [3857535134304666778866837015538366687013013627614983807283667837668566617915747974]

C:\ProgramData\uycej.exe (Trojan.Downloader) -> No action taken. [38575351343053838075667915378088797780666970831301362761498380728366783766856661869068707515708970]

C:\ProgramData\ydfjo.exe (Trojan.FakeAlert) -> No action taken. [385753513430538380756679153966767034777083851301362761498380728366783766856661906971758015708970]

C:\ProgramData\~tmp.html (Malware.Trace) -> No action taken. [385753513430466677886683701553836668701301362761498380728366783766856661958578811573857877]

C:\ProgramData\odbcbase.ocx (Malware.Trace) -> No action taken. [385753513430466677886683701553836668701301362761498380728366783766856661806967686766847015806889]

C:\ProgramData\ntos.exe (Backdoor.Proxy) -> No action taken. [385753513430356668766980808315498380899013013627614983807283667837668566617985808415708970]

C:\ProgramData\urlredir.cfg (Adware.RightOnAds) -> No action taken. [38575351343034698866837015517472738548793469841301362761498380728366783766856661868377837069748315687172]

C:\ProgramData\zeve.db (Fake.Dropped.Malware) -> No action taken. [3857535134303966767015378380818170691546667788668370130136276149838072836678376685666191708770156967]

C:\ProgramData\zaluwysa.vbs (Fake.Dropped.Malware) -> No action taken. [38575351343039667670153783808181706915466677886683701301362761498380728366783766856661916677868890846615876784]

C:\ProgramData\syrux.bat (Fake.Dropped.Malware) -> No action taken. [38575351343039667670153783808181706915466677886683701301362761498380728366783766856661849083868915676685]

C:\ProgramData\ugirelijo.scr (Fake.Dropped.Malware) -> No action taken. [3857535134303966767015378380818170691546667788668370130136276149838072836678376685666186727483707774758015846883]

C:\ProgramData\xebywygy._dl (Fake.Dropped.Malware) -> No action taken. [38575351343039667670153783808181706915466677886683701301362761498380728366783766856661897067908890729015646977]

C:\ProgramData\syscleaner.exe (Rogue.Installer) -> No action taken. [38575351343051807286701542798485667777708313013627614983807283667837668566618490846877706679708315708970]

C:\ProgramData\pcpriv.exe (Trojan.FakeAlert) -> No action taken. [38575351343053838075667915396676703477708385130136276149838072836678376685666181688183748715708970]

C:\ProgramData\sysdefender.exe (Trojan.FakeAlert) -> No action taken. [385753513430538380756679153966767034777083851301362761498380728366783766856661849084697071707969708315708970]

C:\ProgramData\tparb.exe (Trojan.FakeAlert) -> No action taken. [385753513430538380756679153966767034777083851301362761498380728366783766856661858166836715708970]

C:\ProgramData\vhjr.exe (Trojan.Fakealert) -> No action taken. [3857535134305383807566791539667670667770838513013627614983807283667837668566618773758315708970]

C:\ProgramData\Roaming\Google\visfdw.exe (Trojan.FakeAlert) -> No action taken. [38575351343053838075667915396676703477708385130136276149838072836678376685666151806678747972614080807277706187748471698815708970]

C:\ProgramData\ypetehmx\ehspyxcd.exe (Trojan.FakeAlert) -> No action taken. [385753513430538380756679153966767034777083851301362761498380728366783766856661908170857073788961707384819089686915708970]

C:\ProgramData\srcss.exe (Trojan.FakeAlert) -> No action taken. [385753513430538380756679153966767034777083851301362761498380728366783766856661848368848415708970]

C:\ProgramData\scrmss.exe (Trojan.FakeAlert) -> No action taken. [3857535134305383807566791539667670347770838513013627614983807283667837668566618468837884841570897]

C:\ProgramData\shellex.dll (Trojan.FakeAlert) -> No action taken. [3857535134305383807566791539667670347770838513013627614983807283667837668566618473707777708915697777]

C:\ProgramData\shellex_old.dll (Trojan.FakeAlert) -> No action taken. [385753513430538380756679153966767034777083851301362761498380728366783766856661847370777770896480776915697777]

C:\ProgramData\zifgfehy.dll (Trojan.FakeAlert) -> No action taken. [385753513430538380756679153966767034777083851301362761498380728366783766856661917471727170739015697777]

C:\ProgramData\trant.exe (Trojan.FakeAlert) -> No action taken. [385753513430538380756679153966767034777083851301362761498380728366783766856661858366798515708970]

C:\ProgramData\wall.htm (Rogue.SunshineSpy) -> No action taken. [385753513430518072867015528679847374797052819013013627614983807283667837668566618866777715738578]

C:\ProgramData\ppldr.exe (Trojan.FakeAlert) -> No action taken. [385753513430538380756679153966767034777083851301362761498380728366783766856661818177698315708970]


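The log above has a regular line format (`<path> (<threat name>) -> <action>. [<id>]`), and the symptom described in the first post (files scheduled for "delete on reboot" that are detected again on the next scan) is easiest to confirm by diffing two scans. The following Python script is an added example written for this thread, not code from the poster or from Malwarebytes: it parses MBAM 1.x text logs, checks that the "Files Infected" summary agrees with the detail section, groups detections by threat family and by top-level folder (here, everything under C:\ProgramData), lists what was deferred to reboot, and reports which paths reappear in a second scan. The two embedded logs are constructed samples based on a few lines of the post, with `[ID]` standing in for MBAM's long numeric identifiers.

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs and compare two scans."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# One detection line: <path> (<threat>) -> <action>. [<id>]
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<threat>[^()]+)\) -> (?P<action>[^.]+)\."
)
# Summary line in the scan header (the later "Files Infected:" heading has no number).
SUMMARY_RE = re.compile(r"^Files Infected: (?P<n>\d+)$")

# Constructed sample: first scan, with removal deferred to reboot. [ID] is a placeholder.
SAMPLE_BEFORE = r"""Malwarebytes' Anti-Malware 1.31
Database version: 1469
Windows 6.0.6000

Scan type: Quick Scan
Files Infected: 4

Files Infected:
C:\ProgramData\PC-Antispyware (Rogue.PCAntispyware) -> Delete on reboot. [ID]
C:\ProgramData\nuvageliqi.bin (Fake.Dropped.Malware) -> Delete on reboot. [ID]
C:\ProgramData\services\services.dll (Trojan.Agent) -> Delete on reboot. [ID]
C:\ProgramData\Mozilla\Firefox\Profiles\main\winload.dll (Trojan.Agent) -> Quarantined and deleted successfully. [ID]
"""

# Constructed sample: rescan after the reboot. Three of the four files are back.
SAMPLE_AFTER = r"""Malwarebytes' Anti-Malware 1.31
Database version: 1469
Windows 6.0.6000

Scan type: Quick Scan
Files Infected: 3

Files Infected:
C:\ProgramData\PC-Antispyware (Rogue.PCAntispyware) -> No action taken. [ID]
C:\ProgramData\nuvageliqi.bin (Fake.Dropped.Malware) -> No action taken. [ID]
C:\ProgramData\services\services.dll (Trojan.Agent) -> No action taken. [ID]
"""


def parse_detections(log_text):
    """Return a list of (path, threat, action) tuples for every file detection line."""
    found = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append((m["path"], m["threat"], m["action"]))
    return found


def summary_count(log_text):
    """Return the 'Files Infected: N' figure from the scan summary, or None if absent."""
    for line in log_text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            return int(m["n"])
    return None


def summary_matches_detail(log_text):
    """True when the summary figure equals the number of detection lines actually listed."""
    return summary_count(log_text) == len(parse_detections(log_text))


def by_threat(detections):
    """Count detections per threat family (e.g. Trojan.Agent, Fake.Dropped.Malware)."""
    return Counter(threat for _, threat, _ in detections)


def by_parent(detections, depth=2):
    """Count detections by the first `depth` path components, e.g. 'C:\\ProgramData'."""
    counts = Counter()
    for path, _, _ in detections:
        parts = PureWindowsPath(path).parts  # ('C:\\', 'ProgramData', ...)
        counts[str(PureWindowsPath(*parts[:depth]))] += 1
    return counts


def pending_on_reboot(detections):
    """Paths MBAM could not remove immediately and scheduled for deletion at reboot."""
    return sorted(p for p, _, a in detections if a == "Delete on reboot")


def reappeared(before_text, after_text):
    """Paths detected in both scans: files that survived removal or were dropped again."""
    before = {p.lower() for p, _, _ in parse_detections(before_text)}
    after = {p.lower() for p, _, _ in parse_detections(after_text)}
    return sorted(before & after)


if __name__ == "__main__":
    first = parse_detections(SAMPLE_BEFORE)
    print("summary consistent:", summary_matches_detail(SAMPLE_BEFORE))
    print("by threat:", dict(by_threat(first)))
    print("by folder:", dict(by_parent(first)))
    print("deferred to reboot:", pending_on_reboot(first))
    print("back after reboot:", reappeared(SAMPLE_BEFORE, SAMPLE_AFTER))
```

A non-empty `reappeared` list after a reboot is the signal the first post describes: either the deferred delete never ran (which the corrupt volume the poster later found would explain) or something is re-dropping the files, and in both cases the log from the rescan, not the first one, is the one worth posting for review.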

I sent a PM to one of the devs who works on the definitions and left him a link to this post. He should be here to help you out once he gets online. I'm going to bed now, but if no one has responded by this evening when I get up, I'll PM someone else to make sure you get the help you need. To make sure you are clean and this isn't some kind of nasty regenerating rootkit you can read the instructions here: http://www.malwarebytes.org/forums/index.php?showtopic=2936 and post your logs in a new topic here: http://www.malwarebytes.org/forums/index.php?showforum=7

One of the malware removal experts will have a look and instruct you on cleaning it out, but I still think there's something funky going on and will still pursue getting one of the developers to look into this for you. Sorry about all the waiting but this forum is pretty busy as you can probably tell. Thank you for your patience and allowing me to help you out. :)


Hello again Mad Dog Vee! Excellent, you'll get the help you need there, just be patient as they're always busy in there. So much malware so little time :angry: Also, please post a link here from the other web site you are receiving help on explaining as much if you are getting help from an expert elsewhere so the expert that helps you in our HijackThis forum can see what's been done so far and doesn't do more harm than good, thanks. And please feel free to ask if you need any more assistance. Good luck and safe surfing. :angry:


I believe I'm clean of malware. It's not that MBAM didn't work; I had a corrupt system disk. A chkdsk in safe, normal or reboot mode would fizzle out, but there was something about repairing it in the Lenovo Rescue and Recovery that seems to have fixed the malware.

I've posted 6 current versions of MBAM logs over here: http://www.malwarebytes.org/forums/index.p...amp;#entry39757.

My only worry now is browser problems, so if someone could just quickly make sure the MBAM logs are accurate and someone could run me down what to do with HijackThis, if anything. The original RSIT log is in the initial post on the other link and the standard HijackThis log is in the most recent post.

If there is any way I can quickly facilitate this, please let me know.

PS. I know volunteers tend to look for 0 replies in the help thread and that I replied to my own, making it appear worked on, but I don't have a lot of patience with my own machines; someone else's on the other hand... (provided they're not looking over my shoulder :))
