Infections are not deleted on reboot

#1
RCinMS

Malwarebytes creates the following log after Quick Scan, but the infections listed are not deleted on reboot. Any suggestions?

Malwarebytes' Anti-Malware 1.38
Database version: 2306
Windows 5.1.2600 Service Pack 3

6/19/2009 8:17:16 AM
mbam-log-2009-06-19 (08-17-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 183896
Time elapsed: 2 hour(s), 29 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51d85c96-bf60-447a-965c-9ef594c58324} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{51d85c96-bf60-447a-965c-9ef594c58324} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\asferro.dll (Trojan.BHO.H) -> Delete on reboot.
c:\documents and settings\administrator.mmc\local settings\temp\rrpdfpcv.dat (Rootkit.Agent) -> Delete on reboot.

#2
negster22

Hi and Welcome!

Please follow the directions in this topic on posting a HJT log.
http://www.malwareby...?showtopic=9573

First, clean the clutter:
Download ATF Cleaner by Atribune
  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus and antimalware programs by following the directions that apply here:
http://www.bleepingc...opic114351.html

Next, please perform a rootkit scan:
  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • After the automatic "quick" scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.
  • Re-enable your antivirus and any antimalware programs you disabled before running the scan
Note: If you have trouble completing a complete Rootkit/Malware scan with the ARK program then just copy/paste the "quick scan" results into your reply. Often that alone provides enough information.

Click Exit on the Main menu to close the program.
Download DDS and save it to your desktop from here or here

Disable any script blocking programs you may have installed (such as Norton script blocking), and then double-click dss.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop
  • Please copy and paste both logs into your next reply

===============================================================

Please post a HJT log, ARK.txt and the DDS scan reports
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog

#3
RCinMS

Thanks for the information, but the problem has been resolved using UnHackMe.

#4
negster22

Thanks for letting us know. :P