Jump to content

HJT and Malwarebytes automatically close


Recommended Posts

I'm having issues with HJT, Malwarebytes, McAfee, and basically any type of virus scan tool. Any time I try to run these they will run for a couple seconds and then automatically close. Then I will try to open the file again and will get the "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I have found that I can make this error go away by going to the file properties, then "Security", and then deselect "Full Control Allow" and then reselect it and click apply. Then I can get the program to run again, but it will autmatically close again during the scan.

I've looked at several other posts and it looks like I have some type of Rootkit issue. I'm currently running XP SP2. If anyone can help I would greatly appreciate it!

Thanks...

Link to post
Share on other sites

Hello electronicsns! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware, while work on.
  • Keep me informed about any changes.
  • Post all of your log files, don't attach them.

Download DDS and save it to your desktop from here or here .

Disable any script blocker, and then double click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

    [*]Save both reports to your desktop. Post them back to your topic.

Link to post
Share on other sites

I logged into safe mode with networking and ran both files. Each time the program automatically closed after about two seconds.

During my initial research of my problem, I had tried to run a couple scans which were mentioned in other posts. I found a couple, Win32Diag and System Repair Engineer, which would actually output a log file. I thought I'd let you know in case these log files might help with this issue.

Link to post
Share on other sites

If you want to help you don't use the other tools without my instructions. In the other way, I can't help you.

Now:

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    ----------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Link to post
Share on other sites

I was just letting you know what I had tried before starting this thread and asking for help. I haven't and will not deviate from your instructions as I truly appreciate the help.

I followed the instructions and tried running Combofix, but it would never open. There was a progress bar that showed up on the screen like the program was loading, but the GUI never showed up and the progress bar closed. I checked the C: drive and there was not a log file. I guess the virus is causing the program to close before it gets a chance to run.

Link to post
Share on other sites

First let's try with Malwarebytes' Anti-Malware. Locate to:

C:\Program Files\Malwarebytes' Anti-Malware

Please rename mbam.exe to firefox.exe .

If is not working, try this way:

  1. Please download the following program: Inherit (from sUBs)
  2. Copy Inherit.exe to C:\Program Files\Malwarebytes' Anti-Malware
  3. Drag and drop firefox.exe into Inherit.exe
  4. You will then receive an OK message from Inherit.exe and then press OK

When you successfully run MBAM:

  • Launch Malwarebytes' Anti-Malware
  • Go to Update" tab and select Check for Updates.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish,so please be patient.
    [*d-When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

In your next reply, please post the following logs:

  • Malwarebytes' Anti-Malware log
  • a new fresh DDS log only

Link to post
Share on other sites

I renamed the file to Firefox.exe and it opened just fine. I then performed the other instructions and then performed a Quick Scan. The scan ran for about 12 seconds and then the program closed down. I tried opening the program again and got the "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." warning. I then used Inherit.exe and it unlocked the file. I tried to run a Quick Scan again but it automatically closed after a couple seconds. DDS is still not working either.

Link to post
Share on other sites

  • Download OTL to your desktop. Otherwise, try OTL.com or OTL.scr .
  • Double click on the icon to run it. Make sure all other windows are closed to let it run uninterrupted.
  • -When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

Once OTL has completed its first scan it will save notepad copies of the scans in the folder that OTL was started from. Unless set to produce an Extras log it will only produce OTL.txt in subsequent scans.

A copy of an OTL fix log is saved in a text file at

  • :\_OTL\Moved Files
    • in most cases this will be C:\_OTL\Moved Files

Link to post
Share on other sites

Okay, let's try with Avira Rescue CD:

http://forum.avira.com/wbb/index.php?page=Thread&threadID=32508

Note: Just check the following:

Select Scan all files

Select Try to repair infected files and Rename files, if they cannot be removed

Select Scan for dialers

Select Scan for joke programs (Jokes)

Select Scan for games

Select Scan for spyware (SPR)

Link to post
Share on other sites

This might be a dumb question, but which Avira product do I need to use to do this? I looked at their download page and there are several options. http://www.avira.com/en/support-download

I assume you are referring to "Avira AntiVir Rescue System" which I will need to burn to a CD, but I just want to be sure I use the correct one. Thanks again for you assistance with this!

Link to post
Share on other sites

OK... I figured out I needed to burn the program to a CD and boot from CD to run the program. It looks like we made some progress as there were issues found. Here is the logfile from the scan.

Avira / Linux Version 1.9.152.0

Copyright © 2010 by Avira GmbH

All rights reserved.

engine set: 8.2.4.170

VDF Version: 7.11.3.198

Scan start time: Tue Feb 22 22:10:11 2011

configuration file: /etc/avira/scancl.conf

WARNING: [unexpected end of file] /media/Devices/sda2/Documents and Settings/LocalService/Application Data/Juniper Networks/Setup/uninstallOCX.exe

WARNING: [unexpected end of file] /media/Devices/sda2/Documents and Settings/NSeymour/Application Data/Juniper Networks/Setup/uninstall.exe

ALERT: [JAVA/Applet.K] /media/Devices/sda2/Documents and Settings/NSeymour/Application Data/Sun/Java/Deployment/cache/6.0/56/723d3038-797377a2 --> prev/monoid.class <<< Contains signature of the Java virus JAVA/Applet.K [archive scan abort]

ALERT: [HIDDENEXT/Crypted] /media/Devices/sda2/Documents and Settings/NSeymour/Desktop/dds.pif <<< Contains signature of the HIDDENEXT/Crypted virus [renamed]

ALERT: [TR/Crypt.XPACK.Gen] /media/Devices/sda2/Documents and Settings/NSeymour/Local Settings/Temp/$inst/temp_0.tmp --> 0 <<< Is the Trojan horse TR/Crypt.XPACK.Gen [archive scan abort]

WARNING: [File is encrypted] /media/Devices/sda2/Documents and Settings/NSeymour/My Documents/Work/Computer/Software/Neat Business Cards/NB_Backup_3-31-2008.nbbak

ALERT: [TR/Hiloti.D.3] /media/Devices/sda2/recycler/S-1-5-21-583907252-2139871995-839522115-15910290/Dc11410.tmp <<< Is the Trojan horse TR/Hiloti.D.3 [renamed]

ALERT: [TR/Kazy.11117] /media/Devices/sda2/recycler/S-1-5-21-583907252-2139871995-839522115-15910290/Dc11414.tmp <<< Is the Trojan horse TR/Kazy.11117 [renamed]

ALERT: [TR/Hiloti.D.4] /media/Devices/sda2/recycler/S-1-5-21-583907252-2139871995-839522115-15910290/Dc11415.tmp <<< Is the Trojan horse TR/Hiloti.D.4 [renamed]

ALERT: [TR/Dldr.Carberp.C.35] /media/Devices/sda2/recycler/S-1-5-21-583907252-2139871995-839522115-15910290/Dc11416.tmp <<< Is the Trojan horse TR/Dldr.Carberp.C.35 [renamed]

ALERT: [Java/Agent.GO] /media/Devices/sda2/recycler/S-1-5-21-583907252-2139871995-839522115-15910290/Dc12082.tmp --> a1e8.class <<< Contains signature of the Java virus JAVA/Agent.GO [archive scan abort]

WARNING: [unexpected end of file] /media/Devices/sda2/WINDOWS/system32/Macromed/Flash/uninstall_activeX.exe

ALERT: [TR/Dropper.Gen] /media/Devices/sda2/WINDOWS/system32/eventlog.dll <<< Is the Trojan horse TR/Dropper.Gen [renamed]

WARNING: [unexpected end of file] /media/Devices/sda2/GTK/uninst.exe

WARNING: [File is encrypted] /media/Devices/sda2/Program Files/AT&T/Communication Manager/ATTMultiMode.skx

WARNING: [File is encrypted] /media/Devices/sda2/Program Files/AT&T/Communication Manager/ATT_OEM.skx

WARNING: [unexpected end of file] /media/Devices/sda2/Program Files/TiEmu/uninst.exe

Statistics :

Directories............... : 17083

Archives.................. : 2041

Files..................... : 918350

Infected.............. : 9

Renamed........... : 9

Warnings.............. : 8

Suspicious............ : 0

Infections................ : 9

Link to post
Share on other sites

Good deal. DDS was actually able to run this time. Here are the log files:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

==== Disk Partitions =========================

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

32 Bit HP CIO Components Installer

Adobe Acrobat 8 Standard - English, Fran

Link to post
Share on other sites

Here's the other one:

DDS (Ver_10-12-12.02) - NTFSx86

Run by NSeymour at 17:15:56.85 on Wed 02/23/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11

AV: VirusScan Enterprise + AntiSpyware Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

============== Pseudo HJT Report ===============

uStart Page = hxxp://hub.slb.com/integration

uDefault_Page_URL = hxxp://hub.slb.com/integration

uInternet Connection Wizard,ShellNext = hxxp://saba.web.miswaco.com/Saba/Web/Smith

uInternet Settings,ProxyOverride = <local>;*.local

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] ; "c:\program files\messenger\Msmsgs.exe" /background

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"

uRun: [i-Handbook] c:\program files\schlumberger\i-handbook\i-Handbook.exe /i

uRun: [infuzer] ; c:\program files\trondent development corp\infuzer\Infuzer.exe

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"

mRun: [VX6000] c:\windows\vVX6000.exe

mRun: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [<NO NAME>]

mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a

mRun: [MicVol] "c:\windows\system32\MicVol25.exe"

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [niDevMon] c:\program files\national instruments\ni-daq\hwconfig\nidevmon.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey

mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware-new\Firefox.exe" /runcleanupscript

dRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer 3 se ver.5\transfer utility\CameraMonitor.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monste~1.lnk - c:\program files\monster\monster central control software 7\MonsterRemote.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\progra~1.lnk - c:\program files\citrix\ica client\pnagent.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

mPolicies-explorer: NoMSAppLogo5ChannelNotify = 1 (0x1)

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: bmnet.dll

Trusted Zone: accenture.com

Trusted Zone: atbalance.com

Trusted Zone: atosorigin-asp.com

Trusted Zone: books24x7.com

Trusted Zone: dell.com

Trusted Zone: geoquest.com

Trusted Zone: intouchsupport.com

Trusted Zone: iperceptions.com

Trusted Zone: microsoft.com

Trusted Zone: miswaco.com\*.prod

Trusted Zone: miswaco.com\*.web

Trusted Zone: mydexa.com

Trusted Zone: skillport.com

Trusted Zone: skillsoft.com

Trusted Zone: slb.com

Trusted Zone: westerngeco.com

Trusted Zone: accenture.com

Trusted Zone: atbalance.com

Trusted Zone: atosorigin-asp.com

Trusted Zone: books24x7.com

Trusted Zone: dell.com

Trusted Zone: geoquest.com

Trusted Zone: intouchsupport.com

Trusted Zone: iperceptions.com

Trusted Zone: microsoft.com

Trusted Zone: miswaco.com\*.prod

Trusted Zone: miswaco.com\*.web

Trusted Zone: mydexa.com

Trusted Zone: skillport.com

Trusted Zone: skillsoft.com

Trusted Zone: slb.com

Trusted Zone: westerngeco.com

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} - hxxps://download.infotriever.com/bin/ifhelper.cab

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269700035518

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269700027503

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_14-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab

DPF: {E19F9331-3110-11d4-991C-005004D3B3DB} - hxxp://java.sun.com/products/plugin/1.3.0_02/jinstall-130_02-win.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://juniper.net/dana-cached/setup/JuniperSetupSP1.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

mASetup: {EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5} - rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\inf\wmactedp.inf,PerUserStub,,4

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2011-02-23 05:56:31 54016 ----a-w- c:\windows\system32\drivers\irjy.sys

2011-02-22 16:48:00 -------- d-----w- c:\windows\ms

2011-02-22 16:28:45 -------- d-----w- C:\32788R22FWJFW.4.tmp

2011-02-21 19:37:00 -------- d-----w- c:\windows\system32\DRM

2011-02-21 18:12:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware-New

2011-02-21 17:29:35 -------- d-----w- C:\32788R22FWJFW.3.tmp

2011-02-21 17:26:05 -------- d-----w- C:\32788R22FWJFW.2.tmp

2011-02-21 17:24:52 -------- d-----w- C:\32788R22FWJFW.1.tmp

2011-02-20 16:51:03 -------- d--h--w- c:\windows\PIF

2011-02-20 16:21:39 -------- d-----w- C:\32788R22FWJFW.0.tmp

2011-02-20 15:31:24 -------- d-----w- C:\RootRepeal

2011-02-20 08:44:26 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-02-20 08:44:26 -------- d-----w- c:\windows\system32\wbem\Repository

2011-02-20 08:36:56 -------- d-----w- C:\32788R22FWJFW(2)

2011-02-10 02:45:15 -------- d-----w- c:\program files\Bonjour

2011-02-04 22:05:27 -------- d-----w- c:\docume~1\nseymour\locals~1\applic~1\Mozilla

2011-02-04 22:03:44 -------- d-----w- c:\program files\Mozilla Firefox(2)

2011-02-04 21:24:22 -------- d-----w- c:\docume~1\nseymour\locals~1\applic~1\{11D6F7DC-0992-4B82-865C-DDB847714B51}

2011-02-04 19:32:51 0 ----a-w- c:\windows\Vsejakadik.bin

2011-02-04 19:32:49 -------- d-----w- c:\docume~1\nseymour\locals~1\applic~1\{DE976AB5-EA46-494C-95F6-F1271D202971}

2011-01-25 01:31:27 -------- d-----w- c:\docume~1\nseymour\locals~1\applic~1\Western Digital

==================== Find3M ====================

2010-12-28 22:27:19 5307423 ----a-w- c:\windows\FramePkg.exe

============= FINISH: 17:17:37.23 ===============

Link to post
Share on other sites

Good! :)

  • Launch Malwarebytes' Anti-Malware
  • Go to Update" tab and select Check for Updates.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

In your next reply, please post these log(s):

  1. Malwarebytes' Anti-Malware log
  2. a new fresh DDS log only

Link to post
Share on other sites

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5868

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

2/24/2011 10:21:34 AM

mbam-log-2011-02-24 (10-21-34).txt

Scan type: Quick scan

Objects scanned: 221332

Time elapsed: 51 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\recycler\s-1-5-21-583907252-2139871995-839522115-15910290\dc11416.tmp.vir (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

Link to post
Share on other sites

DDS (Ver_10-12-12.02) - NTFSx86

Run by NSeymour at 10:43:44.32 on Thu 02/24/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11

AV: VirusScan Enterprise + AntiSpyware Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

============== Pseudo HJT Report ===============

uStart Page = hxxp://hub.slb.com/integration

uDefault_Page_URL = hxxp://hub.slb.com/integration

uInternet Connection Wizard,ShellNext = hxxp://saba.web.miswaco.com/Saba/Web/Smith

uInternet Settings,ProxyOverride = <local>;*.local

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] ; "c:\program files\messenger\Msmsgs.exe" /background

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"

uRun: [i-Handbook] c:\program files\schlumberger\i-handbook\i-Handbook.exe /i

uRun: [infuzer] ; c:\program files\trondent development corp\infuzer\Infuzer.exe

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"

mRun: [VX6000] c:\windows\vVX6000.exe

mRun: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [<NO NAME>]

mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a

mRun: [MicVol] "c:\windows\system32\MicVol25.exe"

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [niDevMon] c:\program files\national instruments\ni-daq\hwconfig\nidevmon.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey

mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe

dRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer 3 se ver.5\transfer utility\CameraMonitor.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monste~1.lnk - c:\program files\monster\monster central control software 7\MonsterRemote.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\progra~1.lnk - c:\program files\citrix\ica client\pnagent.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

mPolicies-explorer: NoMSAppLogo5ChannelNotify = 1 (0x1)

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: bmnet.dll

Trusted Zone: accenture.com

Trusted Zone: atbalance.com

Trusted Zone: atosorigin-asp.com

Trusted Zone: books24x7.com

Trusted Zone: dell.com

Trusted Zone: geoquest.com

Trusted Zone: intouchsupport.com

Trusted Zone: iperceptions.com

Trusted Zone: microsoft.com

Trusted Zone: miswaco.com\*.prod

Trusted Zone: miswaco.com\*.web

Trusted Zone: mydexa.com

Trusted Zone: skillport.com

Trusted Zone: skillsoft.com

Trusted Zone: slb.com

Trusted Zone: westerngeco.com

Trusted Zone: accenture.com

Trusted Zone: atbalance.com

Trusted Zone: atosorigin-asp.com

Trusted Zone: books24x7.com

Trusted Zone: dell.com

Trusted Zone: geoquest.com

Trusted Zone: intouchsupport.com

Trusted Zone: iperceptions.com

Trusted Zone: microsoft.com

Trusted Zone: miswaco.com\*.prod

Trusted Zone: miswaco.com\*.web

Trusted Zone: mydexa.com

Trusted Zone: skillport.com

Trusted Zone: skillsoft.com

Trusted Zone: slb.com

Trusted Zone: westerngeco.com

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} - hxxps://download.infotriever.com/bin/ifhelper.cab

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269700035518

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269700027503

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_14-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab

DPF: {E19F9331-3110-11d4-991C-005004D3B3DB} - hxxp://java.sun.com/products/plugin/1.3.0_02/jinstall-130_02-win.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://juniper.net/dana-cached/setup/JuniperSetupSP1.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

mASetup: {EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5} - rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\inf\wmactedp.inf,PerUserStub,,4

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2011-02-22 16:48:00 -------- d-----w- c:\windows\ms

2011-02-22 16:28:45 -------- d-----w- C:\32788R22FWJFW.4.tmp

2011-02-21 19:37:00 -------- d-----w- c:\windows\system32\DRM

2011-02-21 18:12:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware-New

2011-02-21 17:29:35 -------- d-----w- C:\32788R22FWJFW.3.tmp

2011-02-21 17:26:05 -------- d-----w- C:\32788R22FWJFW.2.tmp

2011-02-21 17:24:52 -------- d-----w- C:\32788R22FWJFW.1.tmp

2011-02-20 16:51:03 -------- d--h--w- c:\windows\PIF

2011-02-20 16:21:39 -------- d-----w- C:\32788R22FWJFW.0.tmp

2011-02-20 15:31:24 -------- d-----w- C:\RootRepeal

2011-02-20 08:44:26 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-02-20 08:44:26 -------- d-----w- c:\windows\system32\wbem\Repository

2011-02-20 08:36:56 -------- d-----w- C:\32788R22FWJFW(2)

2011-02-10 02:45:15 -------- d-----w- c:\program files\Bonjour

2011-02-04 22:05:27 -------- d-----w- c:\docume~1\nseymour\locals~1\applic~1\Mozilla

2011-02-04 22:03:44 -------- d-----w- c:\program files\Mozilla Firefox(2)

2011-02-04 21:24:22 -------- d-----w- c:\docume~1\nseymour\locals~1\applic~1\{11D6F7DC-0992-4B82-865C-DDB847714B51}

2011-02-04 19:32:51 0 ----a-w- c:\windows\Vsejakadik.bin

2011-02-04 19:32:49 -------- d-----w- c:\docume~1\nseymour\locals~1\applic~1\{DE976AB5-EA46-494C-95F6-F1271D202971}

==================== Find3M ====================

2010-12-28 22:27:19 5307423 ----a-w- c:\windows\FramePkg.exe

============= FINISH: 10:46:23.74 ===============

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.