lcander Posted January 9, 2010 ID:181989 Share Posted January 9, 2010 On a Dell XP machine I am working on which was so badly infected, I had to use the restore feature, Mbam seems to be having a problem completely removing some infected objects. It seems to continue to report 68 'infections' even after choosing to 'remove selected' objects and restarting. The anti-virus/anti-spyware program that is installed,along with other 'cleaning' programs reports the machine is clean, but every time I run Mbam it keeps reporting that these same 68 infected objects are there. I have uninstalled and reloaded Mbam.I originally posted this issue on Geek Police which is where I first learned about Mbam. The entire thread with all the steps I've tried, in addition to the logs, is here: http://www.geekpolice.net/virus-spyware-ma...ults-t17796.htm The mod there suggested my posting here.After following the directions in the 'What do I do now' listing, here are the logs that were asked for. Hope I include everything correctly.MBAMMalwarebytes' Anti-Malware 1.44Database version: 3523Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.187021/9/2010 8:51:17 AMmbam-log-2010-01-09 (08-51-17).txtScan type: Quick ScanObjects scanned: 111270Time elapsed: 9 minute(s), 22 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 68Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\Config\Windows.exe (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\messenger.exe (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\6to4nt.dll (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\firewall.exe (Backdoor.Bot) -> Delete on reboot.C:\WINDOWS\system32\Config\htco.exe (Backdoor.Bot) -> Delete on reboot.C:\WINDOWS\system32\Config\msch24.exe (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\mswinsck.ocx (Backdoor.Bot) -> Delete on reboot.C:\WINDOWS\system32\Config\RealtekAC.exe (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\sam10.log (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\sysrun.exe (Password.Stealer) -> Delete on reboot.C:\WINDOWS\system32\Config\Systemprofile\application data\mcrupdate.exe (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\Systemprofile\application data\pcant.exe (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\Systemprofile\application data\pkz.ini (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\Systemprofile\application data\printer.exe (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\Systemprofile\cftmon.exe (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\Systemprofile\ftpdll.dll (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\updater.exe (Backdoor.Bot) -> Delete on reboot.C:\WINDOWS\system32\Config\Win.exe (IM.Worm) -> Delete on reboot.C:\WINDOWS\repair\1sass.exe (Backdoor.Agent) -> Delete on reboot.C:\WINDOWS\repair\kasutio (Rootkit.Rustock) -> Delete on reboot.C:\WINDOWS\repair\loprt.cmd (Worm.AutoRun) -> Delete on reboot.C:\WINDOWS\repair\Mirror.exe (Worm.AutoRun) -> Delete on reboot.C:\WINDOWS\repair\sql.exe (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\repair\whw.exe (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\repair\IExp1orer.exe (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\Systemprofile\ntload.dll (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\csrss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\csrss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\csrss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\ctfmon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\ctfmon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\ctfmon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\dllhost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\dllhost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\dllhost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\Explorer.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Explorer.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\Explorer.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\msiexec.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\msiexec.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\msiexec.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\Services.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Services.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\Services.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\smss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\smss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\smss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\svchost*.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\svchost*.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\svchost*.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\Userinit.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Userinit.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\Userinit.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\Winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\Winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.DDSDDS (Ver_09-12-01.01) - NTFSx86 Run by Bob at 10:13:16.40 on Sat 01/09/2010Internet Explorer: 8.0.6001.18702Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.168 [GMT -6:00]AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}FW: CA Personal Firewall *enabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}============== Running Processes ===============C:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcssvchost.exesvchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exeC:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exeC:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exeC:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exesvchost.exeC:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exeC:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exeC:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exeC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\Explorer.EXEC:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exeC:\Program Files\Analog Devices\Core\smax4pnp.exeC:\WINDOWS\system32\igfxpers.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\Intel\Modem Event Monitor\IntelMEM.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Real\RealPlayer\RealPlay.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\Program Files\Dell\Media Experience\DMXLauncher.exeC:\Program Files\CA\CA Internet Security Suite\casc.exeC:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exeC:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exeC:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exeC:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-7.0.0.517\QOELoader.exeC:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exeC:\Program Files\Dell Support\DSAgnt.exeC:\Program Files\CA\CA Internet Security Suite\ccprovsp.exeC:\Program Files\Spybot - Search & Destroy\TeaTimer.exeC:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Documents and Settings\Bob\My Documents\Downloads\dds.scr============== Pseudo HJT Report ===============uStart Page = hxxp://www.dell4me.com/mywayBHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dllBHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dllBHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllBHO: CA Toolbar Helper: {fbf2401b-7447-4727-be5d-c19b2075ca84} - c:\program files\ca\ca internet security suite\ca website inspector\toolbar\CallingIDIE.dllTB: CA Toolbar: {10134636-e7af-4ac5-a1dc-c7c44bb97d81} - c:\program files\ca\ca internet security suite\ca website inspector\toolbar\CallingIDIE.dllEB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dlluRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startupuRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exeuRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /backgroundmRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exemRun: [igfxTray] c:\windows\system32\igfxtray.exemRun: [HotKeysCmds] c:\windows\system32\hkcmd.exemRun: [Persistence] c:\windows\system32\igfxpers.exemRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"mRun: [intelMeM] c:\program files\intel\modem event monitor\IntelMEM.exemRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYERmRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottimemRun: [dla] c:\windows\system32\dla\tfswctrl.exemRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startupmRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -startmRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exemRun: [cctray] c:\program files\ca\ca internet security suite\casc.exemRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"mRun: [cafw] c:\program files\ca\ca internet security suite\ca personal firewall\cafw.exe -clmRun: [capfasem] c:\program files\ca\ca internet security suite\ca personal firewall\capfasem.exemRun: [capfupgrade] c:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exemRun: [CAPPActiveProtection] "c:\program files\ca\ca internet security suite\ca anti-spyware\CAPPActiveProtection.exe"mRun: [QOELOADER] "c:\program files\ca\ca internet security suite\ca anti-spam\qsp-7.0.0.517\QOELoader.exe"mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dllIE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dllLSP: c:\windows\system32\VetRedir.dllDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cabDPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cabDPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cabNotify: igfxcui - igfxdev.dllNotify: PFW - UmxWnp.DllSSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dllSEH: ShellHook Class: {1869181a-9f50-4fcf-8bff-1b8588ecb85c} - c:\program files\ca\ca internet security suite\ca website inspector\linkadvisor\CIDLinkAdvisor.dll================= FIREFOX ===================FF - ProfilePath - c:\docume~1\bob\applic~1\mozilla\firefox\profiles\7cicuvr9.default\FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll---- FIREFOX POLICIES ----c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);============= SERVICES / DRIVERS ===============R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2009-6-8 108024]R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2009-4-1 73720]R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2009-4-28 55288]R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2009-6-8 115704]R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2009-6-8 145912]R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2009-3-27 58872]R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2009-4-1 205304]=============== Created Last 30 ================2010-01-09 16:06:16 0 ----a-w- c:\documents and settings\bob\defogger_reenable2010-01-09 15:02:49 0 ----a-w- c:\windows\access.tmp2010-01-09 00:42:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-01-09 00:42:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys2010-01-09 00:42:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware2010-01-07 02:16:02 0 d-sha-r- C:\cmdcons2010-01-07 02:14:09 98816 ----a-w- c:\windows\sed.exe2010-01-07 02:14:09 77312 ----a-w- c:\windows\MBR.exe2010-01-07 02:14:09 261632 ----a-w- c:\windows\PEV.exe2010-01-07 02:14:09 161792 ----a-w- c:\windows\SWREG.exe2010-01-07 02:13:47 0 d-----w- C:\commy2010-01-05 00:15:55 0 d-----w- c:\program files\Spybot - Search & Destroy2010-01-05 00:15:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy2010-01-04 21:06:08 0 d-----w- c:\program files\CCleaner2010-01-04 17:37:13 0 d-----w- c:\program files\Windows Media Connect 22010-01-04 17:33:44 0 d-----w- c:\windows\system32\LogFiles2010-01-04 16:39:48 0 d-----w- c:\docume~1\bob\applic~1\Malwarebytes2010-01-04 16:39:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes2010-01-04 06:16:26 0 d-----w- c:\program files\MSXML 4.02010-01-04 05:37:23 471552 ------w- c:\windows\system32\dllcache\aclayers.dll2010-01-04 00:48:34 0 d-----w- c:\windows\system32\scripting2010-01-04 00:48:32 0 d-----w- c:\windows\l2schemas2010-01-04 00:48:30 0 d-----w- c:\windows\system32\en2010-01-04 00:48:29 0 d-----w- c:\windows\system32\bits2010-01-04 00:35:53 0 d-----w- c:\windows\network diagnostic2010-01-04 00:22:32 0 d-----w- c:\windows\EHome2010-01-04 00:13:46 0 d-sh--w- c:\documents and settings\bob\IECompatCache2010-01-04 00:12:51 0 d-sh--w- c:\documents and settings\bob\PrivacIE2010-01-04 00:10:49 28 ----a-w- c:\windows\system32\drivers\kmxzone.u2k72010-01-04 00:10:49 28 ----a-w- c:\windows\system32\drivers\kmxzone.u2k62010-01-04 00:10:49 28 ----a-w- c:\windows\system32\drivers\kmxzone.u2k52010-01-04 00:10:49 28 ----a-w- c:\windows\system32\drivers\kmxzone.u2k42010-01-04 00:10:49 28 ----a-w- c:\windows\system32\drivers\kmxzone.u2k32010-01-04 00:10:49 28 ----a-w- c:\windows\system32\drivers\kmxzone.u2k22010-01-04 00:10:49 28 ----a-w- c:\windows\system32\drivers\kmxzone.u2k12010-01-04 00:10:49 148 ----a-w- c:\windows\system32\drivers\kmxzone.u2k02010-01-04 00:10:18 0 d-sh--w- c:\documents and settings\bob\IETldCache2010-01-04 00:09:04 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k72010-01-04 00:09:04 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k62010-01-04 00:09:03 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k52010-01-04 00:09:03 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k42010-01-04 00:09:03 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k32010-01-04 00:09:03 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k22010-01-04 00:09:03 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k12010-01-04 00:09:03 575416 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k02010-01-03 23:59:20 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll2010-01-03 23:59:20 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll2010-01-03 23:59:20 12800 ------w- c:\windows\system32\dllcache\xpshims.dll2010-01-03 23:59:19 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll2010-01-03 23:59:19 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll2010-01-03 23:59:19 11069952 ------w- c:\windows\system32\dllcache\ieframe.dll2010-01-03 23:59:06 0 d-----w- c:\windows\ie8updates2010-01-03 23:58:50 92160 ------w- c:\windows\system32\dllcache\iecompat.dll2010-01-03 23:57:20 0 dc-h--w- c:\windows\ie82010-01-03 23:42:53 0 d-----w- c:\windows\ServicePackFiles2010-01-03 23:28:38 73216 ------w- c:\windows\system32\drivers\atintuxx.sys2010-01-03 23:17:46 0 d-----w- c:\program files\ISSThirdParty2010-01-03 23:13:08 26352 ----a-w- c:\windows\system32\drivers\vet-filt.sys2010-01-03 23:13:08 21488 ----a-w- c:\windows\system32\drivers\vetfddnt.sys2010-01-03 23:13:08 21104 ----a-w- c:\windows\system32\drivers\vet-rec.sys2010-01-03 23:13:08 161008 ----a-w- c:\windows\system32\drivers\vetmonnt.sys2010-01-03 23:13:08 111856 ----a-w- c:\windows\system32\isafprod.dll2010-01-03 23:13:07 739696 ----a-w- c:\windows\system32\drivers\vetefile.sys2010-01-03 23:13:07 133520 ----a-w- c:\windows\system32\drivers\veteboot.sys2010-01-03 23:12:23 6552 ----a-w- c:\windows\system32\wbem\canvprov.mof2010-01-03 23:12:23 111856 ----a-w- c:\windows\system32\wbem\canvprov.dll2010-01-03 23:08:39 272128 ------w- c:\windows\system32\drivers\bthport.sys2010-01-03 23:08:39 272128 ------w- c:\windows\system32\dllcache\bthport.sys2010-01-03 23:08:38 203136 ------w- c:\windows\system32\dllcache\rmcast.sys2010-01-03 23:08:18 333952 ------w- c:\windows\system32\dllcache\srv.sys2010-01-03 23:08:13 331776 ------w- c:\windows\system32\dllcache\msadce.dll2010-01-03 23:07:42 153088 ------w- c:\windows\system32\dllcache\triedit.dll2010-01-03 23:00:15 455296 ------w- c:\windows\system32\dllcache\mrxsmb.sys2010-01-03 22:54:48 1315328 ------w- c:\windows\system32\dllcache\msoe.dll2010-01-03 22:53:43 128512 ------w- c:\windows\system32\dllcache\dhtmled.ocx2010-01-03 22:53:20 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll2010-01-03 22:51:40 2066432 ------w- c:\windows\system32\dllcache\mstscax.dll2010-01-03 22:51:21 0 d-----w- c:\windows\CAVTemp2010-01-03 22:50:18 337408 ------w- c:\windows\system32\dllcache\netapi32.dll2010-01-03 22:50:16 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll2010-01-03 22:50:08 2560 ------w- c:\windows\system32\xpsp4res.dll2010-01-03 22:50:08 1206508 ------w- c:\windows\system32\dllcache\sysmain.sdb2010-01-03 22:50:07 215552 ------w- c:\windows\system32\dllcache\wordpad.exe2010-01-03 22:49:32 73728 ----a-w- c:\windows\system32\javacpl.cpl2010-01-03 22:49:31 411368 ----a-w- c:\windows\system32\deploytk.dll2010-01-03 22:47:22 26144 ----a-w- c:\windows\system32\spupdsvc.exe2010-01-03 22:47:22 0 d-----w- c:\windows\system32\PreInstall2010-01-03 22:46:50 726528 ----a-w- c:\windows\system32\dllcache\jscript.dll2010-01-03 22:46:50 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll2010-01-03 22:05:19 0 d-----w- c:\docume~1\bob\applic~1\CallingID2010-01-03 22:04:45 250544 ----a-w- c:\windows\system32\KeyHelp.ocx2010-01-03 22:04:45 0 d-----w- c:\program files\common files\Scanner2010-01-03 22:04:41 83256 ----a-w- c:\windows\system32\vetredir.dll2010-01-03 22:04:40 99568 ----a-w- c:\windows\system32\isafeif.dll2010-01-03 22:04:34 0 d-----w- c:\docume~1\alluse~1\applic~1\CA2010-01-03 22:04:32 0 d-----w- c:\program files\CA2010-01-03 21:33:33 0 d-----w- c:\docume~1\bob\applic~1\GetRightToGo2010-01-03 21:32:51 0 d-----w- C:\Downloads2010-01-03 21:31:44 4128 ----a-w- C:\INFCACHE.12010-01-03 21:30:16 345600 ------w- c:\windows\system32\dllcache\localspl.dll2010-01-03 21:24:34 2 ----a-w- c:\windows\msoffice.ini2010-01-03 21:23:19 135168 ----a-w- c:\windows\system32\igfxres.dll2010-01-03 21:19:30 0 d-----w- c:\windows\system32\SoftwareDistribution2010-01-03 21:17:06 8192 ----a-w- c:\windows\REGLOCS.OLD==================== Find3M ====================2009-10-29 07:45:38 916480 ------w- c:\windows\system32\wininet.dll2009-10-29 07:45:38 916480 ------w- c:\windows\system32\dllcache\wininet.dll2009-10-29 07:45:37 5940736 ------w- c:\windows\system32\dllcache\mshtml.dll2009-10-29 07:45:37 206848 ------w- c:\windows\system32\dllcache\occache.dll2009-10-29 07:45:37 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll2009-10-29 07:45:35 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll2009-10-29 07:45:34 184320 ------w- c:\windows\system32\dllcache\iepeers.dll2009-10-29 07:45:32 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll============= FINISH: 10:14:54.84 ===============Attach.zipark.zip Link to post Share on other sites More sharing options...
lcander Posted January 13, 2010 Author ID:183782 Share Posted January 13, 2010 Just checking to see if there was any ideas on this issue since it had been quite some time since my original post. If I have posted the logs incorrectly, please let me know.Thanks Link to post Share on other sites More sharing options...
Staff screen317 Posted January 14, 2010 Staff ID:184108 Share Posted January 14, 2010 Hi and welcome to Malwarebytes.Confirm that the files detected by MBAM actually exist please.Next, update MBAM. Close the program.Navigate to Start --> Run, and enter this command:mbam.exe /developerMBAM will open. Run a Quick Scan from there and post its log here.-screen317 Link to post Share on other sites More sharing options...
lcander Posted January 15, 2010 Author ID:184282 Share Posted January 15, 2010 Thanks for checking in on my thread.No--I am not able to find these files in the locations that the logs indicate. That has been the issue I have been trying to get solved. I had Mbam 'fix the selected infections' and rebooted as asked. But when I would run it again the same 68 infections would be listed. The same result if I ran a full scan.Here is the log of the most recent scanMalwarebytes' Anti-Malware 1.44Database version: 3568Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.187021/15/2010 12:28:59 AMmbam-log-2010-01-15 (00-28-59).txtScan type: Quick ScanObjects scanned: 112382Time elapsed: 8 minute(s), 45 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 68Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\Config\Windows.exe (Trojan.Agent) -> Delete on reboot. [D659EFA6942CC6EAA53924B4020CED34]C:\WINDOWS\system32\Config\messenger.exe (Trojan.Agent) -> Delete on reboot. [46136D659EF20577825A4ABEAF48213B]C:\WINDOWS\system32\Config\6to4nt.dll (Trojan.Agent) -> Delete on reboot. [F1D8F0DA40AD4873EABD992E0DB29856]C:\WINDOWS\system32\Config\firewall.exe (Backdoor.Bot) -> Delete on reboot. [3FAFDD7DE4B00D21C061C4A539ABD71B]C:\WINDOWS\system32\Config\htco.exe (Backdoor.Bot) -> Delete on reboot. [F7A28EC3DD3B1A4C5DC197EF70F3E982]C:\WINDOWS\system32\Config\msch24.exe (Trojan.Agent) -> Delete on reboot. [FE02236FBC9EC55A666C71DCFDB6FBE4]C:\WINDOWS\system32\Config\mswinsck.ocx (Backdoor.Bot) -> Delete on reboot. [D6D93A3D2BE6D5460F8C80DB650F94CF]C:\WINDOWS\system32\Config\RealtekAC.exe (Trojan.Agent) -> Delete on reboot. [D17CA7F683CEFB9FE467A4466F6730A0]C:\WINDOWS\system32\Config\sam10.log (Trojan.Agent) -> Delete on reboot. [A01A7307333AC94E3A63F63E88CE0885]C:\WINDOWS\system32\Config\sysrun.exe (Password.Stealer) -> Delete on reboot. [F7E35E4644EB5548C15A415F42DA505F]C:\WINDOWS\system32\Config\Systemprofile\application data\mcrupdate.exe (Trojan.Agent) -> Delete on reboot. [E2E356AF2703415E5C21BF6DBCFDD6F6]C:\WINDOWS\system32\Config\Systemprofile\application data\pcant.exe (Trojan.Agent) -> Delete on reboot. [5EB445BB7A2018AA7823ADCF4E43B9BD]C:\WINDOWS\system32\Config\Systemprofile\application data\pkz.ini (Trojan.Agent) -> Delete on reboot. [8015B0B5355316D57EA3B052A53B3120]C:\WINDOWS\system32\Config\Systemprofile\application data\printer.exe (Trojan.Agent) -> Delete on reboot. [2D11F71940D92E419294D8BE504945FF]C:\WINDOWS\system32\Config\Systemprofile\cftmon.exe (Trojan.Agent) -> Delete on reboot. [24D1C6EAF105AB22D625481882F539CF]C:\WINDOWS\system32\Config\Systemprofile\ftpdll.dll (Trojan.Agent) -> Delete on reboot. [05F89669AEC56840850C6DF9F63F8B10]C:\WINDOWS\system32\Config\updater.exe (Backdoor.Bot) -> Delete on reboot. [7CF08251B01F0B5B75459B71ED7D06D5]C:\WINDOWS\system32\Config\Win.exe (IM.Worm) -> Delete on reboot. [36692B15CB7CE39B1FA74D5974F72340]C:\WINDOWS\repair\1sass.exe (Backdoor.Agent) -> Delete on reboot. [DF4F5A9F044BEB010E14E387DFF29C1E]C:\WINDOWS\repair\kasutio (Rootkit.Rustock) -> Delete on reboot. [858CEAA8A2CF963F8A507B8622DFC829]C:\WINDOWS\repair\loprt.cmd (Worm.AutoRun) -> Delete on reboot. [DF0056D01AABDB31400A51FF392252AD]C:\WINDOWS\repair\Mirror.exe (Worm.AutoRun) -> Delete on reboot. [678F67134998830846884456BE13FE0B]C:\WINDOWS\repair\sql.exe (Trojan.Agent) -> Delete on reboot. [2A2895463CDC1BA061302692D127CB38]C:\WINDOWS\repair\whw.exe (Trojan.Agent) -> Delete on reboot. [EC3215D0302D49CB2A1AF0F410DF4348]C:\WINDOWS\repair\IExp1orer.exe (Trojan.Agent) -> Delete on reboot. [2A63CE1B079F5078052BB4106801A527]C:\WINDOWS\system32\Config\Systemprofile\ntload.dll (Trojan.Agent) -> Delete on reboot. [C3A19DBE3D78A3DBD249A9178BBACD5A]C:\WINDOWS\system32\Config\csrss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [4052004E5985601671D1FCBAF31AB64F]C:\WINDOWS\system32\Config\SystemProfile\csrss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [4052004E5985601671D1FCBAF31AB64F]C:\WINDOWS\system32\Config\SystemProfile\Application Data\csrss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [4052004E5985601671D1FCBAF31AB64F]C:\WINDOWS\system32\Config\ctfmon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [DE8D4BED2038223C17462F02B98E70C9]C:\WINDOWS\system32\Config\SystemProfile\ctfmon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [DE8D4BED2038223C17462F02B98E70C9]C:\WINDOWS\system32\Config\SystemProfile\Application Data\ctfmon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [DE8D4BED2038223C17462F02B98E70C9]C:\WINDOWS\system32\Config\dllhost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [F03D14281BCF8CFD0ADE8F8358A2BD12]C:\WINDOWS\system32\Config\SystemProfile\dllhost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [F03D14281BCF8CFD0ADE8F8358A2BD12]C:\WINDOWS\system32\Config\SystemProfile\Application Data\dllhost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [F03D14281BCF8CFD0ADE8F8358A2BD12]C:\WINDOWS\system32\Config\Explorer.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [49635E14F9899F0197654E79F7142A4B]C:\WINDOWS\system32\Config\SystemProfile\Explorer.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [49635E14F9899F0197654E79F7142A4B]C:\WINDOWS\system32\Config\SystemProfile\Application Data\Explorer.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [49635E14F9899F0197654E79F7142A4B]C:\WINDOWS\system32\Config\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [2875D733981E73BDFAD359F0E3E66BF9]C:\WINDOWS\system32\Config\SystemProfile\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [2875D733981E73BDFAD359F0E3E66BF9]C:\WINDOWS\system32\Config\SystemProfile\Application Data\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [2875D733981E73BDFAD359F0E3E66BF9]C:\WINDOWS\system32\Config\msiexec.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [C0308230B1D0F95045056E536EC4A0A9]C:\WINDOWS\system32\Config\SystemProfile\msiexec.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [C0308230B1D0F95045056E536EC4A0A9]C:\WINDOWS\system32\Config\SystemProfile\Application Data\msiexec.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [C0308230B1D0F95045056E536EC4A0A9]C:\WINDOWS\system32\Config\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [5A32C817446474E5613810C48100AD8D]C:\WINDOWS\system32\Config\SystemProfile\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [5A32C817446474E5613810C48100AD8D]C:\WINDOWS\system32\Config\SystemProfile\Application Data\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [5A32C817446474E5613810C48100AD8D]C:\WINDOWS\system32\Config\Services.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [C09CD8141CE56C23F40CC821091491DF]C:\WINDOWS\system32\Config\SystemProfile\Services.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [C09CD8141CE56C23F40CC821091491DF]C:\WINDOWS\system32\Config\SystemProfile\Application Data\Services.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [C09CD8141CE56C23F40CC821091491DF]C:\WINDOWS\system32\Config\smss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [41E83D9B8188A4433728567E07A02B68]C:\WINDOWS\system32\Config\SystemProfile\smss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [41E83D9B8188A4433728567E07A02B68]C:\WINDOWS\system32\Config\SystemProfile\Application Data\smss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [41E83D9B8188A4433728567E07A02B68]C:\WINDOWS\system32\Config\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [837737DA25FE31611D9A3C012A5BC47E]C:\WINDOWS\system32\Config\SystemProfile\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [837737DA25FE31611D9A3C012A5BC47E]C:\WINDOWS\system32\Config\SystemProfile\Application Data\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [837737DA25FE31611D9A3C012A5BC47E]C:\WINDOWS\system32\Config\svchost*.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [3EE9951811A79B4DAE236D4ED208888F]C:\WINDOWS\system32\Config\SystemProfile\svchost*.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [3EE9951811A79B4DAE236D4ED208888F]C:\WINDOWS\system32\Config\SystemProfile\Application Data\svchost*.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [3EE9951811A79B4DAE236D4ED208888F]C:\WINDOWS\system32\Config\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [65EB27B2D72506B688BA161D7BE9DF92]C:\WINDOWS\system32\Config\SystemProfile\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [65EB27B2D72506B688BA161D7BE9DF92]C:\WINDOWS\system32\Config\SystemProfile\Application Data\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [65EB27B2D72506B688BA161D7BE9DF92]C:\WINDOWS\system32\Config\Userinit.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [0A556900C77FF71B3E608D5934257DD8]C:\WINDOWS\system32\Config\SystemProfile\Userinit.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [0A556900C77FF71B3E608D5934257DD8]C:\WINDOWS\system32\Config\SystemProfile\Application Data\Userinit.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [0A556900C77FF71B3E608D5934257DD8]C:\WINDOWS\system32\Config\Winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [52974D16BCCFA6209534F15F1A589473]C:\WINDOWS\system32\Config\SystemProfile\Winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [52974D16BCCFA6209534F15F1A589473]C:\WINDOWS\system32\Config\SystemProfile\Application Data\Winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [52974D16BCCFA6209534F15F1A589473] Link to post Share on other sites More sharing options...
Staff screen317 Posted January 17, 2010 Staff ID:185069 Share Posted January 17, 2010 I'm checking with our developers and will be back with you as soon as possible. Link to post Share on other sites More sharing options...
lcander Posted January 17, 2010 Author ID:185305 Share Posted January 17, 2010 Thank you. I will wait for a reply Link to post Share on other sites More sharing options...
Staff screen317 Posted January 18, 2010 Staff ID:185945 Share Posted January 18, 2010 Try this please:First, update MBAM. Next, please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).Run a Quick Scan from Safe Mode, then post its log.-screen317 Link to post Share on other sites More sharing options...
lcander Posted January 19, 2010 Author ID:186032 Share Posted January 19, 2010 Safe mode may have been the way to solve this. It found only 1 infection this time. Here is the logMalwarebytes' Anti-Malware 1.44Database version: 3596Windows 5.1.2600 Service Pack 3 (Safe Mode)Internet Explorer 8.0.6001.187021/18/2010 9:13:29 PMmbam-log-2010-01-18 (21-13-29).txtScan type: Quick ScanObjects scanned: 111360Time elapsed: 3 minute(s), 33 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 1Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
lcander Posted January 19, 2010 Author ID:186047 Share Posted January 19, 2010 Oops--Guess I was a little early in thinking it was cured. I just ran MBam again in regular logon. The same 68 infections appear. Link to post Share on other sites More sharing options...
Staff screen317 Posted January 20, 2010 Staff ID:186566 Share Posted January 20, 2010 Hi,Navigate to Start --> Run, type in cmd.exe and press Enter.A black box will appear.Type in the following:chkdsk /rPress Enter. It will ask if you want to schedule a scan at startup; say yes, then restart your computer. Allow the scan to run to completion.Log in normally, then update and run a Quick Scan with MBAM.-screen317 Link to post Share on other sites More sharing options...
lcander Posted January 21, 2010 Author ID:186890 Share Posted January 21, 2010 Ran the chkdsk /r and them Mbam. Same 68 'infections' were reported. Here is the log again.Malwarebytes' Anti-Malware 1.44Database version: 3604Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.187021/20/2010 6:39:09 PMmbam-log-2010-01-20 (18-39-09).txtScan type: Quick ScanObjects scanned: 113094Time elapsed: 12 minute(s), 19 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 68Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\Config\Windows.exe (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\messenger.exe (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\6to4nt.dll (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\firewall.exe (Backdoor.Bot) -> Delete on reboot.C:\WINDOWS\system32\Config\htco.exe (Backdoor.Bot) -> Delete on reboot.C:\WINDOWS\system32\Config\msch24.exe (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\mswinsck.ocx (Backdoor.Bot) -> Delete on reboot.C:\WINDOWS\system32\Config\RealtekAC.exe (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\sam10.log (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\sysrun.exe (Password.Stealer) -> Delete on reboot.C:\WINDOWS\system32\Config\Systemprofile\application data\mcrupdate.exe (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\Systemprofile\application data\pcant.exe (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\Systemprofile\application data\pkz.ini (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\Systemprofile\application data\printer.exe (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\Systemprofile\cftmon.exe (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\Systemprofile\ftpdll.dll (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\updater.exe (Backdoor.Bot) -> Delete on reboot.C:\WINDOWS\system32\Config\Win.exe (IM.Worm) -> Delete on reboot.C:\WINDOWS\repair\1sass.exe (Backdoor.Agent) -> Delete on reboot.C:\WINDOWS\repair\kasutio (Rootkit.Rustock) -> Delete on reboot.C:\WINDOWS\repair\loprt.cmd (Worm.AutoRun) -> Delete on reboot.C:\WINDOWS\repair\Mirror.exe (Worm.AutoRun) -> Delete on reboot.C:\WINDOWS\repair\sql.exe (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\repair\whw.exe (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\repair\IExp1orer.exe (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\Systemprofile\ntload.dll (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\Config\csrss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\csrss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\csrss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\ctfmon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\ctfmon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\ctfmon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\dllhost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\dllhost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\dllhost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\Explorer.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Explorer.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\Explorer.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\msiexec.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\msiexec.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\msiexec.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\Services.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Services.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\Services.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\smss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\smss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\smss.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\svchost*.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\svchost*.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\svchost*.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\Userinit.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Userinit.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\Userinit.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\Winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.C:\WINDOWS\system32\Config\SystemProfile\Application Data\Winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. Link to post Share on other sites More sharing options...
Staff screen317 Posted January 21, 2010 Staff ID:186922 Share Posted January 21, 2010 Your security software (CA) is potentially interfering. Could you please try disabling everything and running another Quick Scan? Link to post Share on other sites More sharing options...
lcander Posted January 21, 2010 Author ID:186940 Share Posted January 21, 2010 That may done it. After running it with the CA snoozing and restarting then running again it found nothing. Here is the log after running it again.Malwarebytes' Anti-Malware 1.44Database version: 3604Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.187021/20/2010 9:12:18 PMmbam-log-2010-01-20 (21-12-18).txtScan type: Quick ScanObjects scanned: 113267Time elapsed: 9 minute(s), 25 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)I'll try running it again with the CA enabled.Thanks for your help. Link to post Share on other sites More sharing options...
lcander Posted January 21, 2010 Author ID:186948 Share Posted January 21, 2010 They're back!!!!! I just ran Mbam again with the anti-virus on and the same 68'infections' are back on the list. Guess disabling the anti-virus didn't help get it cleared out. Link to post Share on other sites More sharing options...
Staff screen317 Posted January 21, 2010 Staff ID:186993 Share Posted January 21, 2010 The point here is that the HIPS protection from your CA software is causing read errors on your hard drive, resulting in the "infections" being detected. This is an issue with CA's product and they need to be contacted about it. Alternatively, consider switching to a different brand of security software. Link to post Share on other sites More sharing options...
lcander Posted January 21, 2010 Author ID:187322 Share Posted January 21, 2010 Thanks, I'll uninstall CA and try something else and then run Mbam again. Will also contact CA about the issue. Link to post Share on other sites More sharing options...
lcander Posted January 22, 2010 Author ID:187430 Share Posted January 22, 2010 I uninstalled CA, updated and ran Mbam. It showed no infections. I then installed a different anti-virus program and re-ran Mbam. It again showed 0 infections. I think you've finally solved this issue.Thanks so much. Link to post Share on other sites More sharing options...
Staff screen317 Posted January 23, 2010 Staff ID:187954 Share Posted January 23, 2010 Great! Anything else I can help with? Link to post Share on other sites More sharing options...
Staff screen317 Posted February 3, 2010 Staff ID:193743 Share Posted February 3, 2010 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts