Malwarebytes won't get rid of this one

Alright, I already had Malwarebytes installed on most of the computers at work because some of the employees have been having trouble contracting malware from time to time. So when I went to open in safe mode, the computer is blocked from doing so; it just says that the password is not correct. I then logged on as a different user and ran a quick scan with Malwarebytes. It detected 6 infections: Hijack.StartMenuInternet x 3 and Pum.Disable.SecurityCenter x 3. So when I attempted to remove the infections, the computer said "Your computer needs to be restarted to complete the removal process." I then clicked OK and the computer restarted. When I logged back in, I ran Malwarebytes again to confirm that it was gone. After another quick scan the exact same infections reappeared, and upon removal the same message. So, thinking that the malware was blocking the removal of itself, I uploaded rkill and tried to run it, with no luck. Rkill simply said "Preparing rkill..." and then said "access denied" before bleeping off, so to speak. I then also tried removing just the Hijack.StartMenuInternet infections, which I'm pretty sure is what disabled my safe mode ability. It says it removed them, but when trying to go into safe mode directly after, the same message pops up. Any suggestions as to how to remove this persistent malware? Please help! My mbam log looks like this...

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6593

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2011-06-15 5:49:14 PM

mbam-log-2011-06-15 (17-49-14).txt

Scan type: Quick scan

Objects scanned: 125964

Time elapsed: 2 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 6

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\tech\Local Settings\Application Data\gut.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\tech\Local Settings\Application Data\gut.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\tech\Local Settings\Application Data\gut.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

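The log above carries the two facts that matter for triage: the StartMenuInternet shell\open\command values for Firefox and Internet Explorer were rewritten to launch gut.exe from the user's Local Settings\Application Data directory, with the real browser passed as an argument, and the three Security Center DisableNotify values were set to 1 so the antivirus, firewall and update warnings stay silent. Note also "Files Infected: 0": only the registry values were quarantined, the gut.exe binary itself was never listed, which is consistent with the detections coming back after every reboot. The script below is an added example (not from the original post and not Malwarebytes code) that parses the "Registry Data Items Infected" lines of a Malwarebytes 1.x log and pulls those indicators out so they can be checked by hand. It assumes the line format shown in the log; the list of user-writable profile directories used to flag a suspicious wrapper path is my own heuristic, and the sample log lines are the six entries copied from the post above.

```python
"""Triage the 'Registry Data Items Infected' section of a Malwarebytes 1.x log.

Added example, not Malwarebytes code. Assumes the MBAM 1.x line shape:
    KEY (Detection) -> Bad: (value) Good: (value) -> Action.
"""
import re

LINE_RE = re.compile(
    r"^(?P<key>.+?) \((?P<detection>[^()]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+?)\.?$"
)

# Hijacked launcher shape seen in the log: "wrapper.exe" -a "real_browser.exe" [args]
WRAPPER_RE = re.compile(r'^"(?P<wrapper>[^"]+)"\s+-a\s+"(?P<target>[^"]+)"(?P<rest>.*)$')

# Assumption (heuristic): profile directories a user can write to, where droppers land.
USER_WRITABLE_DIRS = (r"\local settings\application data", r"\appdata\local", r"\temp")

# Constructed sample: the six detection lines copied from the log in the post.
SAMPLE_LOG = r"""
Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\tech\Local Settings\Application Data\gut.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\tech\Local Settings\Application Data\gut.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\tech\Local Settings\Application Data\gut.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Delete on reboot.

Folders Infected:
"""


def parse_mbam_line(line):
    """Return the fields of one detection line, or None for headers/blank lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_mbam_log(text):
    """All detection lines in a log, in order."""
    return [e for e in (parse_mbam_line(l) for l in text.splitlines()) if e]


def wrapper_executable(command):
    """(wrapper, target) when the browser is launched through another executable."""
    m = WRAPPER_RE.match(command.strip())
    return (m.group("wrapper"), m.group("target")) if m else None


def is_user_writable_path(path):
    p = path.lower()
    return any(d in p for d in USER_WRITABLE_DIRS)


def triage(entries):
    """Summarise browser hijacks, wrapper binaries and suppressed Security Center alerts."""
    report = {"hijacked_browsers": {}, "wrapper_paths": set(),
              "suppressed_notifications": [], "pending_reboot": []}
    for e in entries:
        key = e["key"]
        if e["detection"].startswith("Hijack.StartMenuInternet"):
            w = wrapper_executable(e["bad"])
            if w:
                wrapper, _target = w
                # Browser name is the component right after ...\StartMenuInternet\
                browser = key.split("\\StartMenuInternet\\", 1)[1].split("\\", 1)[0]
                report["hijacked_browsers"].setdefault(browser, []).append(key)
                report["wrapper_paths"].add(wrapper)
        elif e["detection"].startswith("PUM.Disable") and e["bad"] == "1":
            report["suppressed_notifications"].append(key.rsplit("\\", 1)[1])
        if "reboot" in e["action"].lower():
            report["pending_reboot"].append(key)
    # Wrapper binaries living in a user profile: check these by hand, MBAM listed no files.
    report["wrapper_in_user_profile"] = sorted(
        p for p in report["wrapper_paths"] if is_user_writable_path(p))
    return report


if __name__ == "__main__":
    r = triage(parse_mbam_log(SAMPLE_LOG))
    for browser, keys in r["hijacked_browsers"].items():
        print(f"{browser}: {len(keys)} hijacked launcher value(s)")
    print("wrapper binaries to check:", r["wrapper_in_user_profile"])
    print("silenced Security Center alerts:", r["suppressed_notifications"])
```

Run it as-is to see the report for the log in the post; point `parse_mbam_log` at a real mbam-log-*.txt to triage another machine. The useful output is the wrapper path list: a cleanup that only restores the registry values leaves that binary in place, so the file (and whatever launches it) is what to look at when the detections keep returning.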

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post only DDS.txt directly into your reply.


  • 1 month later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
