System Antivirus Pro 2009
Hey. I saw this up, but I also read in the newbie thing that I'm not supposed to post on his topic, and I don't want any trouble, haha.

So yeah, as I've stated, I have a "rogue antivirus software" on my computer, and I'm posting a HijackThis log now. ** It hasn't been doing anything lately (the System Pro virus), but I've also been using MBAM frequently, though I know it won't "fix" it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:39:59 PM, on 11/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\NCSoft\Launcher\NCLauncher.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\NETGEAR\WN111\wn111.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Sun\SDK\jdk\bin\java.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=W3507
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=W3507
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://grandchase.ntreev.net/account/signup.aspx
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5B901C4C-0D73-4BCE-8DEB-19A2DEA3B52B} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [NCsoft Launcher] C:\Program Files\NCSoft\Launcher\NCLauncher.exe /Minimized
O4 - Startup: SDK Tray Menu.lnk = ?
O4 - Global Startup: GamersFirst LIVE!.lnk = C:\Program Files\GamersFirst\LIVE!\Live.exe
O4 - Global Startup: NETGEAR WN111 Smart Wizard.lnk = C:\Program Files\NETGEAR\WN111\wn111.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\FAMILY\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: khfcbyx - khfcbyx.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7413 bytes


I would also like to point out, if it matters, that this particular infection is a Trojan.Zlob, and it has carried a few Vundos. I've heard from friends that Zlobs are pretty dangerous, and if possible, I would like some tips on anything else I should do.

Please And Thanks,
--Fido

Re: System Antivirus Pro 2009
Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    O2 - BHO: (no name) - {5B901C4C-0D73-4BCE-8DEB-19A2DEA3B52B} - (no file)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O20 - Winlogon Notify: khfcbyx - khfcbyx.dll (file missing)

  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.
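A small triage helper for the HijackThis log format used in this thread, added here as an example; it is not part of the thread or of HijackThis itself. The sample log is constructed from lines in the post above, and the entry layout (section tag, " - ", detail text) is my assumption about the format. It picks out exactly the "(no file)" / "(file missing)" entries the helper asked to have fixed.

```python
import re

# Constructed sample: entry lines of the kind in the thread's HijackThis log
# (two dead "(no file)" entries, the orphaned O20 Winlogon Notify entry, and two healthy ones).
SAMPLE_HJT_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {5B901C4C-0D73-4BCE-8DEB-19A2DEA3B52B} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre6\\bin\\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O20 - Winlogon Notify: khfcbyx - khfcbyx.dll (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\\WINDOWS\\system32\\PnkBstrA.exe
"""

# One HijackThis entry: a section tag (R0/R1/O2/O3/O20/O23 ...), " - ", then the detail text (assumed layout).
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_hjt(text):
    """Return (section, body) for every entry line; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def find_orphans(text):
    """Entries whose target no longer exists on disk.

    HijackThis marks these '(no file)' or '(file missing)'. They are dead registry
    references left behind after a removal, which is why a helper asks for them to be
    ticked and fixed rather than left in place.
    """
    return [(sec, body) for sec, body in parse_hjt(text)
            if body.endswith(ORPHAN_MARKERS)]


def winlogon_notify_orphans(text):
    """The O20 subset of the orphans: Winlogon Notify DLLs are loaded by winlogon.exe
    at logon, so a missing one is the first entry worth fixing."""
    return [(sec, body) for sec, body in find_orphans(text) if sec == "O20"]


if __name__ == "__main__":
    for sec, body in find_orphans(SAMPLE_HJT_LOG):
        print(f"fix: {sec} - {body}")
```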

Re: System Antivirus Pro 2009
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

11/10/2009 8:40:55 PM
mbam-log-2009-11-10 (20-40-55).txt

Scan type: Quick Scan
Objects scanned: 144354
Time elapsed: 15 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: System Antivirus Pro 2009

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan.

Re: System Antivirus Pro 2009
Yeah, I started after I realized what version I had. <.<' Sorry man.

Re: System Antivirus Pro 2009
Still feel like an Idiot, but here's the new and updated one. 31 infected files. Yowzers. xD


Malwarebytes' Anti-Malware 1.41
Database version: 3143
Windows 5.1.2600 Service Pack 2

11/10/2009 8:58:12 PM
mbam-log-2009-11-10 (20-58-12).txt

Scan type: Quick Scan
Objects scanned: 155845
Time elapsed: 14 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 27

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b6d223f6-c185-49a2-ba7e-a03e84744702} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi (Rootkit) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi (Rootkit) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi (Rootkit) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\27rNnnBev.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Ow8oxUZs.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ANTFgyGDhshx.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cqAqKgrT9h.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fsd84gQZT.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fTY4KLZyHLT1.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\IeeLPvDFpWubT.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jcfx7C3Px.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\KUXSfgy4hKie.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\l1tcIC6gT.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MsVZWvDum.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\V39nhi6eCXv.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vWSwfq1wP65.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vXkUF3SCn.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lK7YD7wmxL.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xqDS2dWsO.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YqYT4cQ7.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ZyLs8jNJ.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tqdTYWa.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3n8APWl.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7npfZy7mhcX.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9hCLVLZV.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9LPioTGLldyE.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9WH6P4ji.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UiCGfWs7PTrH.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\EkJD1LAa.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\atapi.sys (Rootkit) -> Quarantined and deleted successfully.


I'm Restarting my PC now.

Re: System Antivirus Pro 2009

Hello.
Bad news: a false positive in MBAM is causing major problems for a lot of people right now, and you've been caught by this problem too.

Sadly your machine won't boot anymore. Do you have your XP disc?

Re: System Antivirus Pro 2009

*Sigh* No, I do not. I have a Windows 98 disk, and some serials, but apparently it's a burnt CD, and I've no clue how I got it, or whether or not it will work.

Is this partially my fault? Like, if I didn't Quar and delete those files, would I have had this problem?

Also, I have Mbam on THIS computer, should I delete it?

Re: System Antivirus Pro 2009

Hello.
No, not your fault; a slight error in MBAM, see here:
http://www.malwarebytes.org/forums/index.php?showtopic=30371&st=0&p=156300&#entry156300

We can try a system restore, hopefully there is a restore point in there somewhere.

Do you have another machine (the machine you're using now?) that can write to CDs? Usually Windows lets you do a drag-and-drop to burn CDs; we can try and use the Ultimate Boot CDs as others have on the MBAM forums.
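A sanity check over an MBAM log of the kind posted above, added here as an example; it is not part of MBAM or of this thread. The sample log is a constructed, shortened copy of the second log in the thread, and the set of boot-critical drivers is an assumption of mine (only atapi comes from the thread). It flags results that touch a boot-start driver's service key or .sys file, which is the false positive that left this machine unable to boot, so those lines can be checked against the vendor's forum before "Remove Selected" is clicked.

```python
import re

# Constructed sample modelled on the thread's second MBAM log (file list shortened).
SAMPLE_MBAM_LOG = """\
Registry Keys Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{b6d223f6-c185-49a2-ba7e-a03e84744702} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\atapi (Rootkit) -> Quarantined and deleted successfully.

Files Infected:
C:\\WINDOWS\\system32\\27rNnnBev.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\drivers\\atapi.sys (Rootkit) -> Quarantined and deleted successfully.
"""

# One result line: target, "(detection name)", "->", action taken (assumed layout).
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[^)]+)\) -> (?P<action>.+)$")
# Assumed, illustrative list of boot-start storage/filesystem drivers on Windows XP;
# the machine cannot start if one of these is quarantined. Only 'atapi' comes from the thread.
BOOT_CRITICAL_DRIVERS = {"atapi", "disk", "ntfs", "pciide", "intelide"}


def parse_mbam_items(text):
    """Return one dict per result line, tagged with the '... Infected' section it sits under."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):   # section header (the summary counts end in a digit)
            section = line[:-1]
            continue
        m = ITEM_RE.match(line)
        if m and section:
            items.append({"section": section, **m.groupdict()})
    return items


def boot_critical_hits(text):
    """Results touching a boot-critical driver, via its Services key or its .sys file.
    A false positive on one of these takes the machine down at the next reboot."""
    hits = []
    for item in parse_mbam_items(text):
        target = item["target"].lower()
        m = (re.search(r"\\services\\([^\\]+)$", target)
             or re.search(r"\\drivers\\([^\\]+)\.sys$", target))
        if m and m.group(1) in BOOT_CRITICAL_DRIVERS:
            hits.append(item)
    return hits
```

Run it on the full log before choosing "Remove Selected"; any hit is a line to leave unchecked until the detection has been confirmed.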
