Malwarebytes

MBAM & HijackThis not running

7 replies to this topic

#1 flamesoflife (New Member, 3 posts)
OK, I seem to have gotten some nasty malware. It all started a couple weeks ago with PC Security 2009. Symptoms include unwanted popups, unwanted audio tracks in the background, and slowing down of my system. Also, I have yet to get any brand of anti-spyware to run since becoming infected. What has been happening is that I am completely able to download and install the anti-spyware programs. Before running any scans I go through and kill processes that are unnecessary or possibly malicious. However, upon running anti-malware scans, all anti-malware programs will futz out in the middle and from that point on I am then unable to do anything with those programs. I receive an error message that reads "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." This is currently happening with both MBAM and HijackThis. I have attempted to rename the installation files as well as the program files, but it always does the same thing. In an effort to be thorough before I posted, I also went ahead and downloaded RootRepeal to look for rootkits but didn't find any that I am aware of. Right now I am stumped and getting frustrated. Any assistance with getting MBAM up and running so I can clean out my system would be appreciated.

-David

#2 flamesoflife (New Member, 3 posts)
It's been 4 days with no response from here, so I figured I would try something new. I ran ComboFix, then reinstalled MBAM and HJT. Both now run properly. Below are the logs from ComboFix, MBAM, and HJT. Assistance would still be greatly appreciated, as the pre-ComboFix versions of the MBAM & HJT .exe files are locked on my system and I am unable to delete them.

ComboFix 09-08-02.04 - David 08/03/2009 6:33.1.1 - NTFSx86
Running from: c:\documents and settings\David\Desktop\Combo-Fix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\David\LOCALS~1\Temp\services.exe
c:\docume~1\David\LOCALS~1\Temp\svchost.exe
c:\docume~1\David\LOCALS~1\Temp\taskmgr.exe
c:\documents and settings\David\Local Settings\Temporary Internet Files\awymow.dat
c:\documents and settings\David\Local Settings\Temporary Internet Files\udujefex.vbs
c:\windows\010112010146118114.dat
c:\windows\0101120101464849.dat
c:\windows\0101120101464853.dat
c:\windows\0101120101465749.dat
c:\windows\0101120101465752.dat
c:\windows\bf23567.dat
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Installer\560c932.msi
c:\windows\Installer\6525df2.msi
c:\windows\Installer\6525df5.msi
c:\windows\system32\_scui.cpl
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\wisdstr.exe
c:\windows\th823567.dat

Infected copy of c:\windows\system32\drivers\beep.sys was found and disinfected
Restored copy from - c:\system volume information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP406\A0067306.sys

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\system volume information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP387\A0058950.EXE

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-07-03 to 2009-08-03 )))))))))))))))))))))))))))))))
.

2009-08-03 11:49 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-31 12:39 . 2009-07-31 12:38 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-30 12:37 . 2009-07-30 12:37 -------- d-----w- c:\program files\Trend Micro
2009-07-30 12:23 . 2009-07-13 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-30 12:23 . 2009-07-13 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-30 12:23 . 2009-07-30 12:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-30 10:35 . 2009-07-30 10:35 0 ----a-w- c:\documents and settings\David\settings.dat
2009-07-30 09:10 . 2009-07-30 09:10 3775176 ----a-w- c:\temp\mb setup.exe
2009-07-28 12:25 . 2009-07-28 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-07-28 12:19 . 2009-07-28 12:19 -------- d-----w- c:\program files\STOPzilla!
2009-07-28 12:19 . 2009-07-28 12:19 -------- d-----w- c:\program files\Common Files\iS3
2009-07-28 12:19 . 2009-08-03 11:55 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-07-20 19:57 . 2009-07-20 19:57 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-07-20 19:56 . 2009-07-20 19:56 311296 ----a-r- c:\windows\system32\SZBase5.dll
2009-07-20 19:56 . 2009-07-20 19:56 540672 ----a-r- c:\windows\system32\SZComp5.dll
2009-07-14 10:09 . 2009-07-14 10:09 1 ---h--w- c:\windows\jmmark2.dat
2009-07-14 10:01 . 2009-07-14 10:01 -------- d-----w- c:\docume~1\David\APPLIC~1\Malwarebytes
2009-07-14 10:01 . 2009-07-14 10:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-14 09:21 . 2009-07-14 09:21 -------- d--h--w- c:\windows\PIF
2009-07-14 08:40 . 2009-07-14 08:40 -------- d-----w- c:\program files\Enigma Software Group
2009-07-14 07:35 . 2009-07-14 07:35 11027 ----a-w- c:\documents and settings\David\Local Settings\Application Data\epope.dll
2009-07-14 07:35 . 2009-07-14 07:35 14998 ----a-w- c:\documents and settings\All Users\Application Data\nujahe.scr
2009-07-14 07:35 . 2009-07-14 07:35 15432 ----a-w- c:\documents and settings\All Users\Application Data\abegag.dll
2009-07-14 07:35 . 2009-07-14 07:35 14292 ----a-w- c:\windows\system32\ujij.sys
2009-07-14 07:35 . 2009-07-14 07:35 10701 ----a-w- c:\documents and settings\David\Local Settings\Application Data\afupecyd.exe
2009-07-09 20:52 . 2009-07-09 20:52 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-07-09 20:52 . 2009-07-09 20:52 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-07-09 20:51 . 2009-07-09 20:51 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-07-09 20:51 . 2009-07-09 20:51 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-07-09 20:51 . 2009-07-09 20:51 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-07-09 20:50 . 2009-07-09 20:50 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-07-09 20:50 . 2009-07-09 20:50 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-07-09 20:50 . 2009-07-09 20:50 90112 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-07-09 20:47 . 2009-07-09 20:47 724992 ----a-r- c:\windows\system32\IS3Base5.dll
2009-07-06 07:19 . 2009-07-06 07:19 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\Yahoo
2009-07-06 07:06 . 2009-07-06 07:06 262144 ----a-w- C:\ntuser.dat
2009-07-06 07:05 . 2009-07-06 07:11 -------- d-----w- c:\docume~1\David\APPLIC~1\Yahoo!
2009-07-06 07:03 . 2009-05-27 00:50 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-02 08:55 . 2008-08-11 17:42 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-31 12:38 . 2004-10-06 03:30 -------- d-----w- c:\program files\Java
2009-07-28 12:27 . 2005-02-11 13:14 103040 ----a-w- c:\documents and settings\David\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-28 10:56 . 2008-04-22 19:28 -------- d-----w- c:\program files\Full Tilt Poker
2009-07-16 08:09 . 2008-06-04 02:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-14 08:22 . 2009-05-25 04:55 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-14 07:35 . 2009-07-14 07:35 12817 ----a-w- c:\docume~1\David\APPLIC~1\ogesyp.exe
2009-07-14 07:35 . 2009-07-14 07:35 19157 ----a-w- c:\docume~1\David\APPLIC~1\moqewas.sys
2009-07-14 07:35 . 2009-07-14 07:35 14858 ----a-w- c:\docume~1\David\APPLIC~1\avatu.vbs
2009-07-13 06:15 . 2007-09-11 07:08 -------- d-----w- c:\program files\Absolute Poker
2009-07-06 07:15 . 2007-02-27 05:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-07-06 07:06 . 2005-02-11 15:57 -------- d-----w- c:\program files\Yahoo!
2009-07-06 07:06 . 2007-02-27 05:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-07-03 00:24 . 2008-04-22 03:31 -------- d-----w- c:\program files\PokerStars
2009-06-23 00:34 . 2009-05-25 04:53 -------- d-----w- c:\program files\Mystery Case Files - Ravenhearst
2009-06-13 08:30 . 2009-06-13 08:30 -------- d-----w- c:\docume~1\David\APPLIC~1\Playrix Entertainment
2009-06-03 23:23 . 2009-06-03 23:23 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-12 19:13 . 2009-05-12 19:13 61328 ----a-r- c:\windows\system32\drivers\SZKG.sys
2009-05-07 15:44 . 2004-08-04 10:00 344064 ----a-w- c:\windows\system32\localspl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-19 68856]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-02-02 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 148888]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2004-05-12 249856]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2005-03-03 143360]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-19 53248]
"MMTray"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2004-04-19 131072]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-03-19 196608]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-04-05 950272]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]
"HostManager"="c:\program files\Common Files\AOL\1190763717\ee\AOLSoftware.exe" [2008-06-24 41824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-11-19 88363]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-12-15 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Utility Tray.lnk - c:\windows\SYSTEM32\sistray.exe [2004-10-5 335872]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1190763717\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Firefly Studios\\Stronghold Legends\\StrongholdLegends.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 szkg5;szkg;c:\windows\SYSTEM32\DRIVERS\SZKG.sys [5/12/2009 2:13 PM 61328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/15/2008 3:58 PM 24652]
R3 NaiFiltr;NaiFiltr;c:\windows\SYSTEM32\DRIVERS\NaiFiltr.sys [10/5/2004 10:39 PM 23888]
.
Contents of the 'Scheduled Tasks' folder

2009-07-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2005-02-11 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\OOBEBALN.EXE [2004-08-04 10:00]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\David\Start Menu\Programs\IMVU\Run IMVU.lnk
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-03 06:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3064)
c:\progra~1\mcafee.com\vso\McVSSkt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee.com\VSO\mcvsrte.exe
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\windows\wanmpsvc.exe
c:\windows\SYSTEM32\WLTRYSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\SYSTEM32\BCMWLTRY.EXE
c:\progra~1\McAfee.com\VSO\McShield.exe
c:\program files\Apoint\ApntEx.exe
c:\progra~1\McAfee.com\VSO\McVSEscn.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2009-08-03 7:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-03 12:20

Pre-Run: 12,340,834,304 bytes free
Post-Run: 13,244,264,448 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

253 --- E O F --- 2009-08-03 11:14




Malwarebytes' Anti-Malware 1.39
Database version: 2549
Windows 5.1.2600 Service Pack 2

8/3/2009 7:38:19 AM
mbam-log-2009-08-03 (07-38-19).txt

Scan type: Quick Scan
Objects scanned: 98408
Time elapsed: 8 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\jmmark2.dat (Worm.KoobFace) -> Quarantined and deleted successfully.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:03:23 AM, on 8/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1190763717\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Malwarebytes' Anti-Malware\stealth.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - c:\program files\stopzilla!\sziebho.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1190763717\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - Startup: IMVU.lnk = C:\Documents and Settings\David\Application Data\IMVUClient\IMVUClient.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\David\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\David\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\David\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Coffee%20Rush/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20Case%20Files%20-%20Ravenhearst/Images/armhelper.ocx
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 11914 bytes
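The logs in this post already carry the tell-tale signs of the infection described in post #1: copies of services.exe, svchost.exe and taskmgr.exe in the user's Temp folder, a proquota.exe in system32\wbem standing in for the genuine one that ComboFix had to restore from a restore point, and the Security Center and firewall values flipped so that nothing would warn. Below is an added Python triage script, written for this edit and not part of the original thread or of ComboFix or MBAM, that pulls those two kinds of indicator out of a ComboFix-style log. The binary-name list, the expected directories and the registry values it checks are the editor's own heuristics (an assumption, not a vendor signature set), and the sample input is a short excerpt of the log above with one clean proquota.exe line and one ordinary Run entry kept in to show they are not flagged.

```python
"""Triage helper for ComboFix-style logs (added example, not from the thread).

Two checks that would have caught this infection from the log alone:
  1. a well-known Windows binary name sitting outside the directories where
     Windows keeps it (here: %TEMP% and system32\\wbem), the classic masquerade;
  2. registry values that silence Security Center or disable the XP firewall
     (the *DisableNotify / DisableMonitoring / EnableFirewall lines).
The name and value lists below are the editor's heuristics, an assumption.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Windows binaries whose names malware borrows so Task Manager looks normal.
SYSTEM_BINARY_NAMES = {
    "services.exe", "svchost.exe", "taskmgr.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "explorer.exe", "proquota.exe",
}
# Where those names legitimately live (lower case, drive letter removed).
EXPECTED_DIRS = {r"\windows", r"\windows\system32"}

# Value name (lower case) -> data that indicates tampering.
TAMPER_VALUES = {
    "updatesdisablenotify": "1",
    "antivirusdisablenotify": "1",
    "firewalldisablenotify": "1",
    "disablemonitoring": "1",
    "enablefirewall": "0",
}

# A drive-letter path ending in an executable-type extension; spaces allowed.
_PATH_RE = re.compile(r"\b[a-z]:\\.+?\.(?:exe|dll|sys|vbs|scr)\b", re.I)
# '"Name"=dword:00000001' or '"Name"= 0 (0x0)', as ComboFix prints them.
_REG_VALUE_RE = re.compile(r'^"?([^"=]+)"?\s*=\s*(?:dword:0*|"?)([0-9a-fx]+)', re.I)


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (category, detail) findings for the given ComboFix-style text."""
    findings: list[tuple[str, str]] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]           # registry key header
            continue
        for match in _PATH_RE.finditer(line):
            path = match.group(0)
            p = PureWindowsPath(path.lower())
            parent = str(p.parent)[2:]         # drop the 'c:' drive prefix
            if p.name in SYSTEM_BINARY_NAMES and parent not in EXPECTED_DIRS:
                findings.append(("masquerade", path))
        match = _REG_VALUE_RE.match(line)
        if match:
            name, data = match.group(1), match.group(2).lower()
            if TAMPER_VALUES.get(name.lower()) == data:
                findings.append(("tamper", f"{current_key}\\{name}={data}"))
    return findings


# Excerpt of the ComboFix log posted above, plus one clean proquota.exe line
# and one ordinary Run entry that must not be flagged (embedded for offline use).
SAMPLE_LOG = r"""
c:\docume~1\David\LOCALS~1\Temp\services.exe
c:\docume~1\David\LOCALS~1\Temp\svchost.exe
c:\windows\system32\wbem\proquota.exe
2009-08-03 11:49 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:10} {detail}")
```

Run it as-is to print the findings for the excerpt, or pass the full contents of a ComboFix.txt to triage(). It works on the text only and needs nothing from the infected machine, which matters in a case like this one where the user could not get any scanner to stay running on the box itself.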

#3 AdvancedSetup (Forum Deity, Administrator, 22,574 posts)
Sorry for the long delay. If you still need help, please let me know.
Ron Lewis
Manager, Online Support


Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#4
flamesoflife

    New Member

  • Members
  • 3 posts
Thanks for the response. I am fairly sure I've gotten rid of the malware that was causing the original problem after running ComboFix and re-running MBAM and HJT. At least, I haven't noticed any of the popups or audio that I was getting before and follow-up MBAM scans have been coming up clean. However, it did leave the residual problem of being unable to delete the original named versions of MBAM and HJT's .exe files. Whenever I try to delete those I get an error message that reads "Cannot delete HijackThis: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use." If you could help with the residual cleanup I would appreciate it.

-David

#5
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,574 posts
  • Gender:Male
  • Location:US
Please run the following to remove any tools that might have been used during the scanning and cleaning of your system.

STEP A
Uninstall ComboFix.exe
  • Click START then RUN
  • Now type Combofix /u (if you renamed Combofix.exe use that name instead) in the run box and click OK. Note the space between the X and the /U; it needs to be there.
  • When shown the disclaimer, select "2"
Remove the folder C:\QooBox if the uninstall instructions don't work, delete Combofix.exe, AND check your system time and reset it if needed.

STEP B
Uninstall GMER
Click on START - RUN and type in or copy/paste %windir%\gmer_uninstall.cmd to remove GMER.

STEP C
Uninstall other tools
Please download OTMoveIt by Old Timer and save it to your Desktop.
  • Double-click OTM.exe to run it.
  • While connected to the Internet, click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.
  • It should ask if you want to clean up; select Yes and allow the system to clean up these items.
    NOW please reboot your computer to finish the cleanup process.
Ron Lewis
Manager, Online Support


#6
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,574 posts
  • Gender:Male
  • Location:US
So you all set now?
Ron Lewis
Manager, Online Support


#7
AdvancedSetup

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,574 posts
  • Gender:Male
  • Location:US
Please post a status update on this.

Thanks
Ron Lewis
Manager, Online Support


#8
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,574 posts
  • Gender:Male
  • Location:US
Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
Ron Lewis
Manager, Online Support





