
MBAM and DDS/GMER



Hello and many thanks for whenever you can find time to help,

I am using Windows Vista. I have Windows Defender, but I have largely relied on Avast Antivirus and MBAM for security. I also use CCleaner. My laptop was infected on 6/4/2011. I have to right click files and select "Run as administrator" because somehow the .exe file association was broken by the infection or my subsequent quarantining and deletion of it.

I keep updating MBAM but it keeps detecting:

Registry Data Items Infected:

HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: () Good: ("%1" %*) -> Quarantined and deleted successfully.

This has happened more than 20 times as I've continued to check it, even with updates to MBAM.

I followed the directions from the "I'm infected - What do I do now?" (http://forums.malwarebytes.org/index.php?showtopic=9573). I am attaching all information as directed.

____________________________________________________

MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 7000

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.18828

7/1/2011 9:00:58 PM

mbam-log-2011-07-01 (21-00-58).txt

Scan type: Quick scan

Objects scanned: 144300

Time elapsed: 3 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: () Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

____________________________________________________

DDS.txt

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_23

Run by Huggies & Quies at 21:10:06 on 2011-07-01

Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.3061.2177 [GMT -4:00]

.

AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\Dell\DellDock\DockLogin.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\WLTRYSVC.EXE

C:\Windows\system32\WLANExt.exe

C:\Windows\System32\bcmwltry.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\aestsrv.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\STacSV.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\DRIVERS\xaudio.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Users\Huggies & Quies\Desktop\Defogger.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uWindow Title = Internet Explorer provided by Dell

uDefault_Page_URL = hxxp://www.dell.com

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [iAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

StartupFolder: c:\users\huggie~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\pmcrem~1.lnk - c:\users\huggies & quies\appdata\local\pinnacle\tvc\tools\PMCRemoteCtrl.exe

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab

DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/45.14/uploader2.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{284ECFDE-EEAF-4043-8CC2-A48D3DDDC838} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{57CCF3BA-EF90-4A81-B4B5-B79FA89FCFD1} : DhcpNameServer = 192.168.1.1

Notify: igfxcui - igfxdev.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\huggies & quies\appdata\roaming\mozilla\firefox\profiles\kw77cinz.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - plugin: c:\users\huggies & quies\appdata\roaming\move networks\plugins\npqmp071705000014.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-30 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-10-2 307928]

R2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};c:\program files\cyberlink\powerdvd dx\000.fcl [2009-1-29 39408]

R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2009-1-29 73728]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-10-2 19544]

R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-10-2 53592]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-2 42184]

R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-9-24 155648]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-1-29 111616]

S2 MLPTDR_Q;MLPTDR_Q;c:\windows\system32\MLPTDR_Q.SYS [2004-11-19 18848]

.

=============== Created Last 30 ================

.

2011-07-02 00:29:55 7074640 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{840219b2-204a-4334-870a-773269b72624}\mpengine.dll

2011-07-01 01:05:18 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-06-05 02:02:09 -------- d-----w- c:\users\huggies & quies\appdata\local\VirtualStore

.

==================== Find3M ====================

.

2011-05-24 23:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-05-10 12:10:59 40112 ----a-w- c:\windows\avastSS.scr

2011-05-10 11:59:44 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

.

============= FINISH: 21:12:17.48 ===============

_____________________________________

attach.zip

MBAM_and_Avast_logs.zip

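For anyone landing on this thread with the same Broken.OpenCommand detection: the following is an added PowerShell check, not a tool from the thread or from Malwarebytes, that audits the two registry values behind the .exe association (the ones MBAM quotes as "Bad: () Good: ("%1" %*)") and, with -Repair, writes the Windows default back. It assumes PowerShell with the Registry provider is installed and, for -Repair, an elevated prompt.

```powershell
# Added example (not from the thread): audit the .exe file-association chain that MBAM
# reported as Broken.OpenCommand and optionally restore the Windows default value.
# Assumes PowerShell with the Registry provider; -Repair needs an elevated prompt.
param([switch]$Repair)

# Expected defaults on a healthy system. The open\command value is the one the
# MBAM log shows being reset ("%1" is the .exe, %* its arguments).
$expected = @{
    'Registry::HKEY_CLASSES_ROOT\.exe'                       = 'exefile'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = '"%1" %*'
}

$broken = @()
foreach ($key in $expected.Keys) {
    $actual = $null
    if (Test-Path -LiteralPath $key) {
        # The key's (default) value is exposed by the provider under the name '(default)'.
        $actual = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
    }
    if ($actual -ceq $expected[$key]) {
        Write-Host ("OK       {0} -> {1}" -f $key, $actual)
    } else {
        $broken += $key
        Write-Host ("MISMATCH {0}`n  actual:   [{1}]`n  expected: [{2}]" -f $key, $actual, $expected[$key])
    }
}

if ($broken.Count -eq 0) {
    Write-Host 'The .exe association looks intact.'
} elseif ($Repair) {
    foreach ($key in $broken) {
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -LiteralPath $key -Name '(default)' -Value $expected[$key]
        Write-Host ("Restored {0}" -f $key)
    }
    Write-Host 'Reboot and re-run without -Repair: if the value is blank again, something is still resetting it.'
} else {
    Write-Host 'Run again with -Repair from an elevated prompt to restore the defaults.'
}
```

Re-running the audit after a reboot is the useful part: a value that comes back empty, as it did here more than 20 times, points to something beyond the association itself still needing cleanup.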

  • Staff

Hi and welcome to Malwarebytes.

Please download exeHelper from one of these two places:

http://www.raktor.ne...r/exeHelper.com

http://www.raktor.ne...r/exeHelper.scr

Save it to your Desktop and run it. When it finishes, restart your computer and see if you can run .exe files now.

If so, please update MBAM, run a Quick Scan, and post its log.

Reboot and let me know what issues remain.


First off, many, many thanks. Sorry for my slow response. I'm home from work and was able to download and run exeHelper. *.exe files are up and running again. Malwarebytes was able to update (it would download before and appeared to update but it wasn't able to restart and reinstall the newer version - this time the restart and install went through). The quick scan looked clean (included below).

The only thing that was a bit curious was that I got a popup notifying me that Malwarebytes was blocked at startup by Windows Defender and it asked me if I want to allow it to run. The startup value is:

"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

It looks legitimate, but I just wanted to double check.

Here is the MBAM log.

_________________________________________________

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 7030

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.19088

7/5/2011 7:43:03 PM

mbam-log-2011-07-05 (19-43-03).txt

Scan type: Quick scan

Objects scanned: 144475

Time elapsed: 2 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

________________________________________________

(Windows Defender description of blocked program)

File Name: mbam.exe

Display Name: Malwarebytes' Anti-Malware

Description: Malwarebytes' Anti-Malware

Publisher: Malwarebytes Corporation

Digitally Signed By: VeriSign Class 3 Code Signing 2010 CA

File Type: Application

Startup Value: "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

File Path: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

File Size: 1047656

File Version: 1.51.0.1074

Date Installed: 10/4/2010 4:50:58 PM

Startup Type: Registry: Local Machine

Location: Software\Microsoft\Windows\CurrentVersion\Run

Classification: Permitted

Ships with Operating System: No

_________________________________________________

(Windows Defender description of running Malwarebytes program)

File Name: mbamgui.exe

Display Name: Malwarebytes' Anti-Malware

Description: Malwarebytes' Anti-Malware

Publisher: Malwarebytes Corporation

Digitally Signed By: VeriSign Class 3 Code Signing 2010 CA

File Type: Application

Startup Value: C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

File Path: C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

File Size: 449584

File Version: 1.51.0.0038

Date Installed: 10/4/2010 4:51:00 PM

Startup Type: Registry: Local Machine

Location: Software\Microsoft\Windows\CurrentVersion\RunOnce

Classification: Permitted

Ships with Operating System: No

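The manual check the poster did on the Windows Defender prompt (does the path match the installed program, and who signed the file?) can be applied to every Run/RunOnce entry at once. This is an added PowerShell snippet, not part of the thread, and assumes PowerShell with Get-AuthenticodeSignature is available; the path-parsing helper is my own.

```powershell
# Added example (not from the thread): list HKLM/HKCU Run and RunOnce startup commands,
# resolve the executable each one launches and report its Authenticode signature status,
# the same check the poster applied by hand to the mbam.exe entry Defender flagged.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Hypothetical helper: pull the program path out of a startup command. Handles the
# quoted form seen in the thread ("C:\...\mbam.exe" /runcleanupscript) and the unquoted
# form with spaces (C:\...\mbamgui.exe /install /silent) by taking text up to the first .exe.
function Get-StartupExePath([string]$command) {
    if ($command -match '^\s*"([^"]+)"')          { return $Matches[1] }
    if ($command -match '(?i)^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return ($command -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }   # skip provider metadata
        $cmd = [string]$prop.Value
        $exe = [Environment]::ExpandEnvironmentVariables((Get-StartupExePath $cmd))
        if (-not (Test-Path -LiteralPath $exe)) {
            Write-Host ("[MISSING ] {0}\{1}`n    cmd: {2}" -f $key, $prop.Name, $cmd)
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $exe
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        Write-Host ("[{0,-8}] {1}\{2}`n    exe:    {3}`n    signer: {4}" -f $sig.Status, $key, $prop.Name, $exe, $signer)
    }
}
```

An entry whose file is missing, unsigned, or signed by a subject that does not match the publisher it claims to be is the one worth asking about in a thread like this; a Valid status with a Malwarebytes Corporation subject is the expected result for the two entries posted above.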

  • 4 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
