peppypepsi

Hijacked - can't run any scans

16 posts in this topic

Hi, I seem to have a virus that:

- won't let me open any browser windows - seems to have disabled my LAN

- has inactivated my task manager

- will allow me to run a Symantec full scan (but turns up nothing, even though my virus def's seem up to date - Dec. 25)

- won't let me enter regular safe mode (tells me my password is incorrect)

- does allow me to enter safe mode with networking.

 

I have had past success with your forum and hope you can help me again. I have posted my HJT log below:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:42:42 PM, on 12/26/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16945)

Boot mode: Safe mode with network support

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\SYSTEM32\WISPTIS.EXE

C:\WINDOWS\System32\tabbtnu.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\winupdate86.exe

C:\HijackThis\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stpaulsacademy.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://download.microsoft.com/download/0/a/9/0a9587bc-2dc5-420e-89e0-f74d8b75b128/setup.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe

O4 - HKLM\..\Run: [Wise Backlight] "C:\Program Files\Acer soft button\wsbklite.exe"

O4 - HKLM\..\Run: [software Button] "C:\Program Files\Acer soft button\SB.exe"

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [strgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe

O4 - HKLM\..\Run: [akbjeefj] C:\Documents and Settings\mpacione\Local Settings\Application Data\shsxie\jkoksysguard.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"

O4 - HKCU\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\DOCUME~1\mpacione\LOCALS~1\Temp\g7im65sxk.exe

O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\mpacione\LOCALS~1\Temp\win32.exe

O4 - HKCU\..\Run: [akbjeefj] C:\Documents and Settings\mpacione\Local Settings\Application Data\shsxie\jkoksysguard.exe

O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')

O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - https://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=f54081b9c321c366d532e8c448d51ca5&url=http%3A%2F%2Fd.69.25.47.35.downloads.estara.com.%2Fas%2FOneCCDM.php&template=41103&sessionid=1285230867_69.25.47.35_53060&=&req=1159364936347OneCC.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://studentsachieve.webex.com/client/T22L/webex/ieatgpc.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = crcs.ad

O17 - HKLM\Software\..\Telephony: DomainName = crcs.ad

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = crcs.ad

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\WINDOWS\Pointdev\VNC\WinVNC.exe

 

--

End of file - 8132 bytes

 

 

****Tried to run TrendMicro scan and others (Spybot, AVG) but all of them are blocked just before running saying "security alert..."..._.exe" is infected and cannot install.

 

Appreciate whatever you can advise as to next step.


Hi,

 

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.

Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.

So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

 

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

 

 

* Please download Malwarebytes' Anti-Malware from Here

 

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check for updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

 

In case you're having problems with running Malwarebytes (as the malware you are dealing with will probably block it), navigate to your C:\Program Files\Malwarebytes Antimalware folder and find the file mbam.exe in there.

Rename that file to explorer.exe or svchost.exe or winlogon.exe (note, it HAS to be one of these names). Then launch the renamed exe in order to run Malwarebytes.


Thanks so much - looks like Malwarebytes did some cleaning up and my computer is now close to being back to normal. I thought it was 100% fine as it is no longer hijacked but I'm not sure if it's 100% fixed so appreciate your thoughts on what you see below:

 

********1. I ran a symantec scan (as I have symantec antivirus 10.0 installed originally) and it did find one Trojan Horse - see notification here:

Scan type: Auto-Protect Scan

Event: Security Risk Found!

Threat: Trojan Horse

File: C:\WINDOWS\system32\mshlps.dll

Location: Quarantine

Computer: CFL-MPACIONE

User: CRCS\SYSTEM

Action taken: Quarantine succeeded : Access denied

Date found: Sunday, December 27, 2009 3:22:31 PM

 

************2. This was the log from Malwarebytes' first scan after finding a number of malware files:

 

Malwarebytes' Anti-Malware 1.42

Database version: 3289

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 7.0.5730.11

 

12/27/2009 12:23:21 AM

mbam-log-2009-12-27 (00-23-21).txt

 

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 209603

Time elapsed: 22 minute(s), 14 second(s)

 

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 7

Registry Data Items Infected: 12

Folders Infected: 0

Files Infected: 12

 

Memory Processes Infected:

C:\WINDOWS\system32\winupdate86.exe (Trojan.FakeAlert) -> Unloaded process successfully.

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

 

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\akbjeefj (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\akbjeefj (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asg984jgkfmgasi8ug98jgkfgfb (Trojan.Downloader) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon86.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon86.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\winlogon86.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\Documents and Settings\mpacione\Local Settings\Application Data\shsxie\jkoksysguard.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\mpacione\Local Settings\Temp\1a9f1e9e.exe (Spyware.Passwords) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\mpacione\Local Settings\Temp\win32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\mpacione\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\winupdate86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\AVR10.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\winhelper86.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\Winlogon86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.

 

************* #3 - I ran another Malwarebytes scan today after completing all of the above and you can find the log below - does it look to you like the system is still infected?

 

Appreciate all your help...

 

Malwarebytes' Anti-Malware 1.42

Database version: 3289

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

 

12/27/2009 4:48:58 PM

mbam-log-2009-12-27 (16-48-58).txt

 

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 211564

Time elapsed: 38 minute(s), 38 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Delete on reboot.

C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.

 

 

 

 


Hi,

 

First of all, please update MalwareBytes, because the database version is outdated.

 

  • Start MalwareBytes and click the Update tab. There click "Check for updates".
  • Once the updates are downloaded, perform a quick scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

 

In case it won't update, start HijackThis and check and fix the following entry in it (if still present):

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

 

Then, in Internet Explorer: Tools menu -> Internet Options -> Connections tab -> LAN Settings -> uncheck "Use a proxy server" and check "Automatically detect settings".

In Firefox: Tools menu -> Options... -> Advanced tab -> Network tab -> "Settings" under Connection.

 

Don't forget to post your HijackThis log afterwards as well.

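The indicators the helper singles out in the logs above (the proxy forced to 127.0.0.1:5555, the replaced Userinit, the autoruns living in Temp folders under random value names, and the Regedit lockout policy) can be pulled out of a HijackThis log mechanically. The triage script below is an added example, not HijackThis or Malwarebytes code: the detection rules are my own heuristics, and the sample lines are constructed from the first HJT log posted in this thread.

```python
"""Triage a HijackThis (HJT) v2 log for the hijack patterns discussed in this thread.

Added example, not HijackThis or Malwarebytes code. It assumes the HJT line
format pasted in the thread ("R1 - ...", "F2 - ...", "O4 - ...", "O7 - ...");
the rules are my own heuristics for the indicators the helper pointed at.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the first HJT log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O4 - HKCU\..\Run: [ygua8e7yhuiesfha876yfauy8fe] C:\DOCUME~1\mpacione\LOCALS~1\Temp\g7im65sxk.exe
O4 - HKLM\..\Run: [akbjeefj] C:\Documents and Settings\mpacione\Local Settings\Application Data\shsxie\jkoksysguard.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""


@dataclass(frozen=True)
class Finding:
    kind: str      # short rule name
    detail: str    # why the rule fired
    line: str      # the offending HJT line, verbatim


ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A ProxyServer value that points back at the machine itself (e.g. http=127.0.0.1:5555).
LOCAL_PROXY_RE = re.compile(r"=\s*(?:https?=)?(?:127\.0\.0\.1|localhost):\d+")
# Run value names like "akbjeefj": one long run of lowercase letters/digits, no words.
RANDOM_NAME_RE = re.compile(r"[a-z0-9]{8,}")

# Autorun locations that are user-writable and rarely used by legitimate software.
USER_WRITABLE_DIRS = (
    "\\temp\\",
    "\\locals~1\\",                          # 8.3 alias of "Local Settings"
    "\\local settings\\application data\\",
)
# O7 policies that lock the user out of their own recovery tools.
LOCKOUT_POLICIES = ("disableregedit=1", "disabletaskmgr=1", "disablecmd=1")


def parse_entries(log: str):
    """Yield (type, body, raw_line) for every 'Oxx - ...' style entry in the log."""
    for raw in log.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            yield m.group("type"), m.group("body"), raw


def check_autorun(body: str, raw: str):
    """Apply the O4 (Run key) heuristics; return a Finding or None."""
    m = RUN_RE.match(body)
    if not m:
        return None
    reasons = []
    cmd = m.group("cmd").lower()
    if any(d in cmd for d in USER_WRITABLE_DIRS):
        reasons.append("runs from a user-writable temp folder")
    if RANDOM_NAME_RE.fullmatch(m.group("name")):
        reasons.append("random-looking value name")
    return Finding("suspicious-autorun", "; ".join(reasons), raw) if reasons else None


def triage(log: str) -> list:
    """Return the list of Findings for one HJT log, in log order."""
    findings = []
    for etype, body, raw in parse_entries(log):
        low = body.lower()
        if etype == "R1" and "proxyserver" in low and LOCAL_PROXY_RE.search(low):
            findings.append(Finding("localhost-proxy", "IE proxy forced to a local port", raw))
        elif etype == "F2" and "userinit=" in low:
            # The only legitimate value is userinit.exe (optionally with a trailing comma).
            value = low.split("userinit=", 1)[1].strip().rstrip(",")
            if value.rsplit("\\", 1)[-1] != "userinit.exe":
                findings.append(Finding("userinit-hijack", f"Userinit is {value}", raw))
        elif etype == "O4":
            f = check_autorun(body, raw)
            if f:
                findings.append(f)
        elif etype == "O7" and any(p in low for p in LOCKOUT_POLICIES):
            findings.append(Finding("policy-lockout", "Regedit/Task Manager disabled by policy", raw))
    return findings


def summarize(findings) -> dict:
    """Count findings per rule, handy for a quick 'is it still infected?' glance."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}\n    {f.line}")
```

Note that winupdate86.exe sitting in system32 passes every rule here: a plausible name in a system folder is exactly what heuristics and scanners miss, which is the helper's point about leftovers that logs won't show.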

Hi:

 

Followed all the steps you provided...thx....including unchecking the proxy server setting in IE Tools (Internet Options setting). Please see fresh HJT and Malwarebytes logs below, in that order (I completed the HJT scan after the Malwarebytes scan and forced reboot). Look forward to your suggestion of what, if anything, needs to be done next...looks like it's still finding junk unfortunately!

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:15:11 AM, on 12/29/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16945)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\SYSTEM32\WISPTIS.EXE

C:\WINDOWS\System32\tabbtnu.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe

C:\Program Files\Acer soft button\wsbklite.exe

C:\Program Files\Acer soft button\SB.exe

C:\Program Files\Acer\Notebook Manager\almxptray.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Creative\Shared Files\CamTray.exe

C:\Program Files\Microsoft ActiveSync\Wcescomm.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\HijackThis\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stpaulsacademy.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://download.microsoft.com/download/0/a/9/0a9587bc-2dc5-420e-89e0-f74d8b75b128/setup.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe

O4 - HKLM\..\Run: [Wise Backlight] "C:\Program Files\Acer soft button\wsbklite.exe"

O4 - HKLM\..\Run: [software Button] "C:\Program Files\Acer soft button\SB.exe"

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [strgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"

O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')

O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - https://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=f54081b9c321c366d532e8c448d51ca5&url=http%3A%2F%2Fd.69.25.47.35.downloads.estara.com.%2Fas%2FOneCCDM.php&template=41103&sessionid=1285230867_69.25.47.35_53060&=&req=1159364936347OneCC.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://studentsachieve.webex.com/client/T22L/webex/ieatgpc.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = crcs.ad

O17 - HKLM\Software\..\Telephony: DomainName = crcs.ad

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = crcs.ad

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\WINDOWS\Pointdev\VNC\WinVNC.exe

 

--

End of file - 8394 bytes

 

 

********************************************

 

Malwarebytes' Anti-Malware 1.42

Database version: 3449

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

 

12/29/2009 12:03:47 AM

mbam-log-2009-12-29 (00-03-47).txt

 

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 215919

Time elapsed: 41 minute(s), 1 second(s)

 

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 12

 

Memory Processes Infected:

C:\Documents and Settings\mpacione\Local Settings\Temp\g7im65sxk.exe (Trojan.Downloader) -> Unloaded process successfully.

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygua8e7yhuiesfha876yfauy8fe (Trojan.Downloader) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\Documents and Settings\mpacione\Local Settings\Temp\g7im65sxk.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\sofxlipg.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\gyps4myau.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\mpacione\Local Settings\Temp\obpfn.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\mpacione\Local Settings\Temp\483030048.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\mpacione\Local Settings\Temp\560541504.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\mpacione\Local Settings\Temp\mdm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\mpacione\Local Settings\Temp\win16.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\mpacione\Local Settings\Temp\drweb.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\mpacione\Local Settings\Temp\user.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Delete on reboot.

C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.


Hi,

 

Update your Sun Java, because previous versions are vulnerable:

Updating Java:

  • Go to Start > Control Panel, double-click the Software icon > Add/Remove Programs.
  • Search the list for all previously installed versions of Java (J2SE Runtime Environment...).
    It should have the Java icon next to it.
    Select it and click Remove.
  • Then download and install the newest version from here:

    http://www.java.com/en/download/manual.jsp

Can you run another scan with Malwarebytes, to see if it was able to deal with everything it found?


Thanks - this all seemed to work - still some things showing that I'm not sure of, i.e.:

 

C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.

...these seem to keep coming up as infected...will the Java update you had me do take care of this?

 

- please let me know if you still see something needing attention - should I still complete yet one more Malware Bytes scan? How do I know for sure that the system is completely clean? Please find below the latest HJT log and Malware Bytes log - again, thanks for your help!

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:57:27 PM, on 12/29/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16945)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\SYSTEM32\WISPTIS.EXE

C:\WINDOWS\System32\tabbtnu.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe

C:\Program Files\Acer soft button\wsbklite.exe

C:\Program Files\Acer soft button\SB.exe

C:\Program Files\Acer\Notebook Manager\almxptray.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Symantec AntiVirus\DoScan.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Creative\Shared Files\CamTray.exe

C:\Program Files\Microsoft ActiveSync\Wcescomm.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\HijackThis\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stpaulsacademy.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://download.microsoft.com/download/0/a/9/0a9587bc-2dc5-420e-89e0-f74d8b75b128/setup.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe

O4 - HKLM\..\Run: [Wise Backlight] "C:\Program Files\Acer soft button\wsbklite.exe"

O4 - HKLM\..\Run: [software Button] "C:\Program Files\Acer soft button\SB.exe"

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [strgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"

O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETWORK SERVICE')

O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - https://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=f54081b9c321c366d532e8c448d51ca5&url=http%3A%2F%2Fd.69.25.47.35.downloads.estara.com.%2Fas%2FOneCCDM.php&template=41103&sessionid=1285230867_69.25.47.35_53060&=&req=1159364936347OneCC.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://studentsachieve.webex.com/client/T22L/webex/ieatgpc.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_9/PCAXSetupv2.0.0.9.cab?

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = crcs.ad

O17 - HKLM\Software\..\Telephony: DomainName = crcs.ad

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = crcs.ad

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\WINDOWS\Pointdev\VNC\WinVNC.exe

 

--

End of file - 8663 bytes

 

*****************************

 

Malwarebytes' Anti-Malware 1.42

Database version: 3449

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

 

12/29/2009 10:49:42 PM

mbam-log-2009-12-29 (22-49-42).txt

 

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 198827

Time elapsed: 32 minute(s), 33 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.


Impatient...instead of waiting for your reply, I went ahead and did another Malware Bytes scan and here is the log...again, these same 2 keep coming up even after a reboot - should I be concerned with these or are they normally showing up as infected and perhaps they are required files?

 

C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.

 

 

Malwarebytes' Anti-Malware 1.42

Database version: 3449

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

 

12/29/2009 11:36:56 PM

mbam-log-2009-12-29 (23-36-56).txt

 

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 198776

Time elapsed: 31 minute(s), 49 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.
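The question in the post above (why do flags.ini and uses32.dat keep coming back, and how do you know the machine is clean?) is easiest to answer by comparing the scan logs rather than reading each one in isolation. The Python below is an added example written for this page; it is not code from the thread or from Malwarebytes. It parses MBAM 1.x text logs of the format posted here, cross-checks the "X Infected: N" summary counts against the entries actually listed, and reports any path that is reported again in a later scan. The three sample logs are constructed: trimmed copies of the logs posted in this thread, with the counts adjusted to the trimmed entries. An item that is "Quarantined and deleted successfully" and then listed again after a reboot means either the deletion did not take or something still on the machine is recreating it, so a scanner log alone cannot show that the system is clean. In this thread the later ComboFix run removed those two files together with kbdsock.dll and a set of numbered executables in system32 that the Malwarebytes scans never listed.

```python
"""Triage Malwarebytes' Anti-Malware 1.x text logs: parse the detection
sections, cross-check the summary counts against the entries listed, and
report detections that come back in later scans.

Added example for this thread; not a tool from the thread or from
Malwarebytes.  The sample logs are trimmed copies of the logs posted
above, with the counts adjusted to match the trimmed entries.
"""
import re

SECTIONS = ("Memory Processes", "Memory Modules", "Registry Keys",
            "Registry Values", "Registry Data Items", "Folders", "Files")
SECTION_RE = re.compile(r"^(%s) Infected:$" % "|".join(SECTIONS))
META_RE = re.compile(r"^([A-Za-z][A-Za-z' ]+): ?(.*)$")
# Greedy path so a ' (' inside the path (e.g. 'Program Files (x86)') is not
# mistaken for the start of the detection name.
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

# Constructed sample logs (trimmed from the thread; counts adjusted).
LOG_1 = r"""
Malwarebytes' Anti-Malware 1.42
Database version: 3449
12/29/2009 12:03:47 AM
Scan type: Full Scan (C:\|D:\|)
Memory Processes Infected: 1
Registry Values Infected: 1
Files Infected: 4

Memory Processes Infected:
C:\Documents and Settings\mpacione\Local Settings\Temp\g7im65sxk.exe (Trojan.Downloader) -> Unloaded process successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygua8e7yhuiesfha876yfauy8fe (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\mpacione\Local Settings\Temp\g7im65sxk.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\sofxlipg.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Delete on reboot.
C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.
"""
LOG_2 = r"""
Malwarebytes' Anti-Malware 1.42
Database version: 3449
12/29/2009 10:49:42 PM
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.
"""
LOG_3 = LOG_2.replace("10:49:42 PM", "11:36:56 PM")  # same two files, later scan


def parse_mbam_log(text):
    """Return (summary dict, list of detection dicts) for one MBAM 1.x log."""
    summary, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                                   # 'Files Infected:' etc.
            section = m.group(1)
            continue
        if section is None:                     # still in the header block
            m = META_RE.match(line)
            if m:
                summary[m.group(1).strip()] = m.group(2).strip()
            continue
        if line == "(No malicious items detected)":
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append({"section": section, "path": m.group("path"),
                          "name": m.group("name"), "action": m.group("action")})
    return summary, items


def recurring_detections(logs):
    """Map each path reported in more than one scan (logs in chronological
    order) to the 0-based indices of the scans that listed it."""
    seen = {}
    for idx, text in enumerate(logs):
        for it in parse_mbam_log(text)[1]:
            seen.setdefault(it["path"].lower(), set()).add(idx)
    return {p: sorted(ix) for p, ix in seen.items() if len(ix) > 1}


def summary_mismatches(text):
    """Compare the 'X Infected: N' counts with the entries actually listed;
    a non-empty result means the pasted log is truncated or edited."""
    summary, items = parse_mbam_log(text)
    found = {}
    for it in items:
        found[it["section"]] = found.get(it["section"], 0) + 1
    bad = {}
    for sec in SECTIONS:
        declared = int(summary.get(sec + " Infected", "0"))
        if declared != found.get(sec, 0):
            bad[sec] = (declared, found.get(sec, 0))
    return bad


if __name__ == "__main__":
    for path, scans in sorted(recurring_detections([LOG_1, LOG_2, LOG_3]).items()):
        print("recurs in scans %s: %s" % (scans, path))
```

Run against the three logs, the only recurring paths are the two system32 files, each present in all three scans, while everything else from the first scan stays gone. The count check is worth keeping in a triage script because forum posters often paste partial logs; a mismatch tells you the list you are reading is not the whole scan.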


Hi,

 

* Please visit this webpage for instructions for downloading and running ComboFix:

 

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

Post the log from ComboFix in your next reply.

 

Please make sure you disable ALL of your antivirus/antispyware/firewall software before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Thanks, combofix seemed to work properly - please see log below and let me know the next step.

 

ComboFix 09-12-29.05 - MPacione 12/30/2009 8:15.1.1 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.522 [GMT -7:00]

Running from: c:\documents and settings\mpacione\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\s

c:\windows\EventSystem.log

c:\windows\system32\11478.exe

c:\windows\system32\11942.exe

c:\windows\system32\15724.exe

c:\windows\system32\16827.exe

c:\windows\system32\18467.exe

c:\windows\system32\19169.exe

c:\windows\system32\23281.exe

c:\windows\system32\24464.exe

c:\windows\system32\26500.exe

c:\windows\system32\26962.exe

c:\windows\system32\28145.exe

c:\windows\system32\29358.exe

c:\windows\system32\2995.exe

c:\windows\system32\4827.exe

c:\windows\system32\491.exe

c:\windows\system32\5705.exe

c:\windows\system32\6334.exe

c:\windows\system32\9961.exe

c:\windows\system32\flags.ini

c:\windows\system32\kbdsock.dll

c:\windows\system32\uses32.dat

 

.

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))

.

 

2009-12-30 05:09 . 2009-12-30 05:09 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-30 05:09 . 2009-12-30 05:09 -------- d-----w- c:\program files\Java

2009-12-27 06:54 . 2009-12-27 06:54 -------- d-----w- c:\documents and settings\mpacione\Application Data\Malwarebytes

2009-12-27 06:54 . 2009-12-03 23:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-27 06:54 . 2009-12-27 06:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-27 06:54 . 2009-12-27 06:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-12-27 06:54 . 2009-12-03 23:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-27 05:35 . 2009-12-27 05:35 -------- d-----w- C:\HijackThis

2009-12-26 16:44 . 2009-12-26 16:44 -------- d-----w- c:\documents and settings\mpacione\Application Data\AVG8

2009-12-26 13:43 . 2009-12-26 13:43 -------- d-----w- c:\documents and settings\mpacione\Local Settings\Application Data\shsxie

2009-12-26 12:03 . 2009-12-26 12:03 -------- d-----w- c:\program files\uTorrent

2009-12-26 11:59 . 2009-12-26 11:59 -------- d-----w- c:\documents and settings\mpacione\Application Data\uTorrent

2009-12-02 01:37 . 2009-12-02 01:37 -------- d-----w- c:\documents and settings\mpacione\Tracing

2009-12-02 01:36 . 2009-12-02 01:36 -------- d-----w- c:\program files\Microsoft

2009-12-02 01:36 . 2009-12-02 01:36 -------- d-----w- c:\program files\Windows Live SkyDrive

2009-12-02 01:33 . 2009-12-02 01:33 -------- d-----w- c:\program files\Common Files\Windows Live

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-30 05:08 . 2009-12-30 05:08 152576 ----a-w- c:\documents and settings\mpacione\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-12-30 05:08 . 2009-12-30 05:08 79488 ----a-w- c:\documents and settings\mpacione\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-12-20 22:47 . 2009-12-20 22:45 1956072 ----a-w- c:\documents and settings\mpacione\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe

2009-12-12 18:15 . 2009-12-12 18:15 86016 ----a-w- c:\documents and settings\mpacione\Application Data\Sun\Java\Deployment\cache\6.0\4\3c09a084-441b1fc2-n\IeEmbed.exe

2009-12-12 18:15 . 2009-12-12 18:15 173200 ----a-w- c:\documents and settings\mpacione\Application Data\Sun\Java\Deployment\cache\6.0\4\3c09a084-441b1fc2-n\nspr4.dll

2009-12-12 18:15 . 2009-12-12 18:15 118784 ----a-w- c:\documents and settings\mpacione\Application Data\Sun\Java\Deployment\cache\6.0\4\3c09a084-441b1fc2-n\jdic.dll

2009-12-12 18:15 . 2009-12-12 18:15 74752 ----a-w- c:\documents and settings\mpacione\Application Data\Sun\Java\Deployment\cache\6.0\36\1aa1cf64-6d0f2762-n\JINECELP.dll

2009-12-12 18:15 . 2009-12-12 18:15 65024 ----a-w- c:\documents and settings\mpacione\Application Data\Sun\Java\Deployment\cache\6.0\36\1aa1cf64-6d0f2762-n\JIWAudio.dll

2009-12-12 18:15 . 2009-12-12 18:15 63488 ----a-w- c:\documents and settings\mpacione\Application Data\Sun\Java\Deployment\cache\6.0\36\1aa1cf64-6d0f2762-n\JIWMixer.dll

2009-12-12 18:15 . 2009-12-12 18:15 65536 ----a-w- c:\documents and settings\mpacione\Application Data\Sun\Java\Deployment\cache\6.0\45\2c92f3ad-461300d3-n\ICE_JNIRegistry.dll

2009-12-12 18:15 . 2009-12-12 18:15 57344 ----a-w- c:\documents and settings\mpacione\Application Data\Sun\Java\Deployment\cache\6.0\45\2c92f3ad-461300d3-n\WinHotKey.dll

2009-12-12 18:02 . 2009-12-12 18:02 98816 ----a-w- c:\documents and settings\mpacione\Application Data\Sun\Java\Deployment\cache\6.0\48\57997eb0-10740b04-n\WinVideo.dll

2009-12-12 18:02 . 2009-12-12 18:02 74240 ----a-w- c:\documents and settings\mpacione\Application Data\Sun\Java\Deployment\cache\6.0\2\44bb39c2-3e6bbf15-n\JINECELP.dll

2009-12-12 18:02 . 2009-12-12 18:02 73216 ----a-w- c:\documents and settings\mpacione\Application Data\Sun\Java\Deployment\cache\6.0\2\44bb39c2-3e6bbf15-n\JIWAudio.dll

2009-12-12 18:02 . 2009-12-12 18:02 66048 ----a-w- c:\documents and settings\mpacione\Application Data\Sun\Java\Deployment\cache\6.0\2\44bb39c2-3e6bbf15-n\JIWMixer.dll

2009-12-12 18:02 . 2009-12-12 18:02 65536 ----a-w- c:\documents and settings\mpacione\Application Data\Sun\Java\Deployment\cache\6.0\8\a41e508-1aec8fdd-n\ICE_JNIRegistry.dll

2009-12-12 18:02 . 2009-12-12 18:02 60928 ----a-w- c:\documents and settings\mpacione\Application Data\Sun\Java\Deployment\cache\6.0\8\a41e508-1aec8fdd-n\WinPlatform.dll

2009-12-02 01:37 . 2005-04-29 13:29 104432 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-11-19 01:04 . 2009-11-19 01:04 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-11-19 01:02 . 2009-11-19 01:02 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2009-11-19 01:02 . 2009-11-19 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-11-17 15:02 . 2004-11-25 19:11 94291 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-10-29 07:47 . 1980-01-01 07:00 832512 ----a-w- c:\windows\system32\wininet.dll

2009-10-29 07:46 . 1980-01-01 07:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-10-29 07:46 . 1980-01-01 07:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-10-21 05:38 . 1980-01-01 07:00 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38 . 1980-01-01 07:00 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-13 10:30 . 1980-01-01 07:00 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38 . 1980-01-01 07:00 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38 . 1980-01-01 07:00 79872 ----a-w- c:\windows\system32\raschap.dll

2009-10-10 07:07 . 2009-11-19 01:05 38208 ----a-w- c:\documents and settings\mpacione\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2007-04-07 15:33 . 2006-01-26 17:59 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

2006-01-26 17:59 . 2006-01-26 17:59 56 --sh--r- c:\windows\system32\1040663765.sys

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Creative WebCam Tray"="c:\program files\Creative\Shared Files\CamTray.exe" [2005-10-28 299008]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-14 16384]

"Wise Backlight"="c:\program files\Acer soft button\wsbklite.exe" [2004-11-22 106496]

"Software Button"="c:\program files\Acer soft button\SB.exe" [2004-11-22 4190208]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]

"AcerNotebookManager"="c:\program files\Acer\Notebook Manager\almxptray.exe" [2003-08-19 509952]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-04-29 98304]

"PaperPort PTD"="c:\program files\Scansoft\PaperPort\pptd40nt.exe" [2003-05-20 45108]

"IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2003-05-20 36864]

"AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 88107]

"StrgSync.exe"="c:\program files\StorageSync\StrgSync.exe" [2005-10-08 3032576]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-30 149280]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]

2008-04-14 00:11 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\LoginKey.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]

2002-08-29 10:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]

2008-04-14 00:12 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\StubInstaller.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

 

R1 sbdrv;sbdrv;c:\windows\system32\drivers\SBDRV.sys [11/26/2004 10:12 AM 3302]

R1 wsbklite;wsbklite;c:\windows\system32\drivers\WSBKLITE.sys [11/26/2004 10:12 AM 3351]

R2 acernbm;acernbm;c:\windows\system32\drivers\acernbm.sys [11/26/2004 10:36 AM 6431]

R2 ipasintf;ipasintf;c:\windows\system32\drivers\pas2k.sys [11/26/2004 4:41 PM 78280]

R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]

R3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [11/25/2004 12:03 PM 14208]

S1 mailKmd;mailKmd; [x]

S3 flash;flash;c:\windows\system32\drivers\flash.sys [5/4/2006 9:11 AM 7040]

S3 P1171VID;Creative WebCam Notebook #2;c:\windows\system32\drivers\P1171Vid.sys [12/30/2006 11:34 PM 91392]

S3 POWERKEY;POWERKEY;c:\program files\Launch Manager\POWERKEY.SYS [11/26/2004 10:12 AM 2343]

 

--- Other Services/Drivers In Memory ---

 

*Deregistered* - EraserUtilDrvI9

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.stpaulsacademy.ca/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

Trusted Zone: aol.com\free

DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} - hxxps://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=f54081b9c321c366d532e8c448d51ca5&url=http%3A%2F%2Fd.69.25.47.35.downloads.estara.com.%2Fas%2FOneCCDM.php&template=41103&sessionid=1285230867_69.25.47.35_53060&=&req=1159364936347OneCC.cab

.

- - - - ORPHANS REMOVED - - - -

 

AddRemove-HijackThis - E:\HijackThis.exe

AddRemove-Macromedia Shockwave Player - c:\windows\system32\MACROMED\SHOCKW~1\UNWISE.EXE

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-30 08:23

Windows 5.1.2600 Service Pack 3 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'explorer.exe'(2668)

c:\windows\system32\WININET.dll

c:\program files\Acer soft button\wsbklite.dll

c:\windows\system32\ieframe.dll

c:\program files\windows journal\nbmaptip.dll

c:\windows\IME\SPGRMR.DLL

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\windows\system32\CCM\CcmExec.exe

c:\windows\SYSTEM32\WISPTIS.EXE

c:\windows\system32\msiexec.exe

c:\windows\System32\tabbtnu.exe

c:\program files\Common Files\Microsoft Shared\Ink\TCServer.exe

c:\windows\AGRSMMSG.exe

c:\program files\Symantec AntiVirus\DoScan.exe

c:\program files\Microsoft ActiveSync\Wcescomm.exe

c:\progra~1\MI3AA1~1\rapimgr.exe

.

**************************************************************************

.

Completion time: 2009-12-30 08:28:08 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-30 15:28

 

Pre-Run: 19,648,217,088 bytes free

Post-Run: 20,471,054,336 bytes free

 

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Tablet PC Edition" /fastdetect

 

- - End Of File - - 453EE39BA9D3E897D68EAFA218E21299

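The Reg Loading Points section of the log above is the part a reviewer reads most carefully: it is where Security Center monitoring is switched off for the Symantec product, where the standard-profile Windows Firewall is disabled, where an executable sitting in the root of c:\ has a firewall exception, and where the mailKmd driver is registered with no file on disk. The following Python script is an added example for this thread, not ComboFix's own code and not anything either poster wrote. It parses a constructed excerpt modelled on that section and flags those patterns; the list of "expected" directories and the finding names are assumptions chosen for illustration. Every hit is a prompt to check, not a verdict: a third-party security suite legitimately sets DisableMonitoring, and the Windows Firewall is often off because another firewall is installed.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log.

Added example for this thread: not ComboFix code and not anything either
poster wrote.  It flags entries malware commonly tampers with so a reviewer
can check them by hand.  Path heuristics are assumptions, not ComboFix logic.
"""
import re

# Directories where an autostart or firewall-exception executable is
# considered unremarkable (assumption; extend for the environment).
EXPECTED_DIR_PREFIXES = (
    "%windir%\\",
    "%programfiles%\\",
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed excerpt modelled on the log posted above (same keys, trimmed).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 88107]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 sbdrv;sbdrv;c:\windows\system32\drivers\SBDRV.sys [11/26/2004 10:12 AM 3302]
S1 mailKmd;mailKmd; [x]
"""

_VALUE_RE = re.compile(r'"([^"]+)"\s*=\s*(.*)$')
# ComboFix service lines: "<R|S><start type> <name>;<display name>;<image path> [date size]"
_SERVICE_RE = re.compile(r'^[RS][0-4]\s+([^;]+);([^;]*);(.*)$')


def _normalise_path(p):
    """Collapse the doubled backslashes ComboFix prints inside REG_SZ names."""
    return p.replace("\\\\", "\\").strip().lower()


def triage(log_text):
    """Return (finding, subject, evidence) tuples, in log order."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        svc = _SERVICE_RE.match(line)
        if svc:
            # "[x]" in the image-path slot: the driver/service is registered
            # but its file is gone, either a leftover loader or a hidden one.
            if svc.group(3).strip() == "[x]":
                findings.append(("service_binary_missing", svc.group(1), line))
            continue
        val = _VALUE_RE.match(line)
        if not (val and section):
            continue
        name, value = val.group(1), val.group(2).strip()
        if section.endswith("firewallpolicy\\standardprofile"):
            if name.lower() == "enablefirewall" and value.split()[0] == "0":
                findings.append(("firewall_disabled", section, line))
        elif "security center\\monitoring" in section:
            # dword:00000001 stops Security Center reporting on that product
            if (name.lower() == "disablemonitoring"
                    and value.lower().startswith("dword:") and int(value[6:], 16) == 1):
                findings.append(("security_center_monitoring_disabled",
                                 section.rsplit("\\", 1)[-1], line))
        elif section.endswith("authorizedapplications\\list"):
            path = _normalise_path(name)
            if not path.startswith(EXPECTED_DIR_PREFIXES):
                findings.append(("firewall_exception_unusual_path", path, line))
        elif section.endswith("globallyopenports\\list"):
            findings.append(("firewall_open_port", name, value or line))
        elif section.endswith("\\currentversion\\run"):
            quoted = re.match(r'"([^"]*)"', value)
            path = _normalise_path(quoted.group(1)) if quoted else ""
            # A bare file name is resolved through the search path and can be
            # hijacked by a same-named file earlier in that path.
            if not re.match(r'[a-z]:\\|%', path):
                findings.append(("run_entry_without_full_path", name, line))
    return findings


if __name__ == "__main__":
    for kind, subject, evidence in triage(SAMPLE_LOG):
        print(f"{kind:38} {subject}\n    {evidence}")
```

Run against the full log text instead of SAMPLE_LOG and the output is the short list of lines to verify by hand (is c:\StubInstaller.exe still there and what is it, which product turned Security Center monitoring off, why is a driver named mailKmd registered with no file). Everything else in the section is left alone.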

Hi,

 

This looks OK again.

 

* Go to start > run and copy and paste next command in the field:

 

ComboFix /Uninstall

 

Make sure there's a space between Combofix and /

Then hit enter.

 

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

 

Let me know in your next reply how things are now.


Looks like everything is clear - I ran a Malwarebytes scan again after uninstalling ComboFix and it came up with 0 infected files.

 

From your experience, does this mean I can have confidence that my system is completely clean? Just want to know if Malwarebytes would be showing if there were any other malicious files hidden, i.e. is the program reliable enough that if it is saying 0 infected files, the job is finished?

 

And one more question: do you recommend that a person scan their system with Malwarebytes every few weeks even when a system appears to be fine? It seems to me after this experience that it would be a good idea, but I am interested to know your thoughts on this.

 

Thanks so much for your help!


Hi,

 

You should be OK here.

Yes, I recommend scanning with Malwarebytes once in a while, just as a double check. Also, make sure you always update mbam before you scan with it.

 

Also...

 

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

 

Happy Surfing again!


Since the issue appears to be resolved this Topic is closed.

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
