GeekPolice
Would you like to react to this message? Create an account in a few clicks or log in to continue.

GeekPoliceLog in

 


MalwareBytes won't fully delete MalwareDefense

2 posters

descriptionMalwareBytes won't fully delete MalwareDefense EmptyMalwareBytes won't fully delete MalwareDefense30th January 2010, 5:22 pm

more_horiz
I had this malware for a week and it still hasn't gone away, the same infected files keep showing up in the same place after I deleted it. My MalwareBytes up to date too, and here's the scan of the files being detected -.-

Malwarebytes' Anti-Malware 1.44
Database version: 3660
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

1/30/2010 12:07:48 PM
mbam-log-2010-01-30 (12-07-48).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 204609
Time elapsed: 24 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\h8srtkrl32mainweq.dll (Rootkit.Trace) -> Delete on reboot.

_____________________________

Here's my Hijackthis Scan
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:37:00 PM, on 1/30/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\32788R22FWJFW\cmd.cfxxe
C:\32788R22FWJFW\pev.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3516
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=14196&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PlaySushi - {21608B66-026F-4DCB-9244-0DACA328DCED} - C:\Program Files\PlaySushi\PSText.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\17.0.0.136\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
O3 - Toolbar: (no name) - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - (no file)
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: FrostWire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: FrostWire On Startup.lnk = C:\Program Files\FrostWire\FrostWire.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Go PlaySushi! - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - C:\Program Files\PlaySushi\PSText.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: GoogleDesktopManager - Unknown owner - (no file)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\17.0.0.136\ccSvcHst.exe
O23 - Service: npkcmsvc - CACE Technologies - (no file)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - (no file)
O23 - Service: STOPzilla Service (szserver) - iS3 Inc. - (no file)
O23 - Service: Yahoo! Updater (YahooAUService) - Unknown owner - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (file missing)

--
End of file - 8751 bytes


_____________________

Also here's my Combofix log

ComboFix 10-01-29.09 - Chad 01/30/2010 13:49:58.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.132 [GMT -5:00]
Running from: c:\documents and settings\Chad\Desktop\combofix\Lol.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll
c:\documents and settings\All Users\Application Data\h8srtmainqt.dll
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm
c:\program files\PlaySushi\PSTExt.dll
c:\recycler\S-1-5-21-661479487-3824757666-3447383984-1003
c:\windows\system32\drivers\H8SRTduxdlxwbiq.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\RKHit.sys
c:\windows\system32\H8SRTgqcmuwcvyx.dll
c:\windows\system32\H8SRTlrqubrjhjy.dll
c:\windows\system32\H8SRTmupfitjngf.dll
c:\windows\system32\h8srtshsyst.dll
c:\windows\system32\H8SRTtiquakomlm.dat
c:\windows\system32\H8SRTxoetbtmovr.dll
c:\windows\system32\logs.dat
c:\windows\system32\NqqXIkkj.ini
c:\windows\system32\NqqXIkkj.ini2
c:\windows\system32\Packet.dll
c:\windows\system32\plugin.dat
c:\windows\system32\pthreadVC.dll
c:\windows\system32\regedit.exe
c:\windows\system32\SIntf16.dll
c:\windows\system32\skinboxer43.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\web.dat
c:\windows\system32\websites.html
c:\windows\system32\wpcap.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys
-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_NPF
-------\Legacy_RKHIT
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-30 )))))))))))))))))))))))))))))))
.

2010-01-30 18:27 . 2008-04-14 00:12 146432 -c--a-w- c:\windows\system32\dllcache\regedit.exe
2010-01-30 18:27 . 2008-04-14 00:12 146432 ----a-w- c:\windows\regedit.exe
2010-01-30 18:26 . 2010-01-30 18:27 -------- dc----w- C:\Lol11027L
2010-01-30 18:14 . 2008-04-14 00:12 146432 ----a-w- c:\windows\system\regedit.exe
2010-01-30 18:13 . 2010-01-30 18:14 -------- dc----w- C:\Lol
2010-01-30 18:03 . 2010-01-30 17:53 389120 ----a-w- c:\windows\system32\CF28379.exe
2010-01-30 17:53 . 2010-01-30 17:54 -------- dc----w- C:\32788R22FWJFW.2.tmp
2010-01-30 17:53 . 2010-01-30 17:53 -------- dc----w- C:\32788R22FWJFW.1.tmp
2010-01-30 17:45 . 2010-01-30 17:45 -------- d-----w- c:\program files\Trend Micro
2010-01-30 17:12 . 2010-01-30 17:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-01-30 07:07 . 2010-01-30 07:07 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-01-30 07:05 . 2010-01-30 07:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-30 07:05 . 2010-01-30 07:05 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-28 01:02 . 2010-01-28 01:02 -------- d-----w- c:\windows\XSxS
2010-01-28 01:02 . 2010-01-28 01:02 -------- d-----w- c:\program files\Xenocode
2010-01-26 22:38 . 2010-01-26 22:38 -------- d-sh--w- c:\documents and settings\Chad\PrivacIE
2010-01-26 01:20 . 2010-01-30 06:12 -------- d-----w- c:\documents and settings\Chad\Application Data\FrostWire
2010-01-26 01:18 . 2010-01-26 01:20 -------- d-----w- c:\program files\FrostWire
2010-01-25 23:00 . 2010-01-25 23:00 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-01-25 23:00 . 2010-01-25 23:00 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-01-25 23:00 . 2010-01-25 23:00 -------- d-----w- c:\program files\Symantec
2010-01-25 22:58 . 2010-01-25 22:58 -------- d-----w- c:\windows\system32\drivers\NAV
2010-01-25 22:58 . 2010-01-25 22:58 -------- d-----w- c:\program files\Windows Sidebar
2010-01-25 22:58 . 2010-01-25 22:58 -------- d-----w- c:\program files\Norton AntiVirus
2010-01-25 22:57 . 2010-01-25 22:57 -------- d-----w- c:\program files\NortonInstaller
2010-01-25 20:58 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-25 20:58 . 2010-01-25 21:13 -------- d-----w- c:\program files\NBA
2010-01-25 20:58 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-25 20:34 . 2010-01-26 22:34 -------- d-----w- c:\program files\Common Files\PC Tools
2010-01-25 04:05 . 2010-01-25 04:05 -------- dc----w- C:\Temp
2010-01-25 01:45 . 2010-01-25 01:45 -------- d-----w- c:\documents and settings\Chad\Local Settings\Application Data\IsolatedStorage
2010-01-25 01:45 . 2010-01-25 01:45 61408 ----a-w- c:\documents and settings\Chad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-25 01:37 . 2010-01-25 01:37 -------- d-----w- c:\documents and settings\Chad\Local Settings\Application Data\MigWiz
2010-01-25 01:17 . 2010-01-25 01:17 -------- d-----w- c:\windows\system32\vmm32
2010-01-25 01:17 . 2010-01-25 01:17 -------- d-----w- c:\program files\Dell
2010-01-24 22:09 . 2010-01-24 22:09 -------- d-----w- c:\program files\Datel
2010-01-24 21:38 . 2010-01-24 21:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-24 21:05 . 2010-01-24 21:05 -------- d-----w- c:\documents and settings\Chad\Application Data\AVG8
2010-01-24 21:00 . 2010-01-24 21:00 -------- d-----w- c:\documents and settings\Chad\Application Data\Datel
2010-01-24 20:39 . 2010-01-24 20:39 -------- d-----w- c:\documents and settings\Chad\Local Settings\Application Data\Help
2010-01-24 20:37 . 2010-01-24 20:37 -------- d-----w- c:\documents and settings\Chad\Local Settings\Application Data\Mozilla
2010-01-24 20:27 . 2010-01-24 20:27 -------- d-----w- c:\documents and settings\Chad\Application Data\Malwarebytes
2010-01-24 18:45 . 2010-01-24 18:45 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-01-24 18:45 . 2010-01-24 18:45 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-01-24 18:45 . 2010-01-24 18:45 -------- d-----w- c:\program files\AVG
2010-01-24 18:44 . 2010-01-25 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-24 09:50 . 2010-01-24 16:20 -------- d-----w- c:\program files\RegCure
2010-01-24 09:23 . 2010-01-24 09:23 -------- d-----w- c:\documents and settings\All Users\Application Data\XHEO INC
2010-01-24 03:14 . 2010-01-24 03:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-21 00:06 . 2010-01-24 03:38 -------- d-----w- c:\program files\Wookie's MW2 AIO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-30 18:57 . 2009-12-06 05:26 -------- d-----w- c:\program files\PlaySushi
2010-01-30 17:51 . 2008-10-05 19:56 -------- d-----w- c:\program files\PowerArchiver
2010-01-27 00:30 . 2009-08-12 22:08 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-26 01:27 . 2010-01-26 01:27 0 ----a-w- c:\documents and settings\Chad\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2010-01-25 23:07 . 2009-07-30 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-01-25 23:00 . 2010-01-25 23:00 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-01-25 23:00 . 2010-01-25 23:00 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-01-25 22:58 . 2009-07-30 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-01-25 22:27 . 2008-09-07 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-25 22:08 . 2007-10-12 02:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-25 20:59 . 2007-10-11 22:55 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-25 01:17 . 2010-01-25 01:17 45056 ----a-r- c:\documents and settings\Chad\Application Data\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
2010-01-25 01:17 . 2010-01-25 01:17 10134 ----a-r- c:\documents and settings\Chad\Application Data\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\ARPPRODUCTICON.exe
2010-01-24 20:05 . 2007-10-17 20:45 -------- d-----w- c:\program files\Yahoo!
2010-01-24 19:59 . 2010-01-24 19:59 -------- d-----w- c:\documents and settings\Chad\Application Data\Yahoo!
2010-01-24 19:04 . 2009-05-30 19:26 -------- d-----w- c:\program files\DNA
2009-12-21 22:18 . 2009-12-21 22:14 -------- d-----w- c:\program files\Windows Live
2009-12-21 22:15 . 2009-12-21 22:15 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-12-21 22:08 . 2009-12-21 22:08 -------- d-----w- c:\program files\Common Files\Windows Live
2009-12-16 19:42 . 2010-01-30 17:25 872960 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\faj30e08.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-16 19:42 . 2010-01-25 21:00 872960 ----a-w- c:\documents and settings\Chad\Application Data\Mozilla\Firefox\Profiles\0ggfepas.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-16 19:42 . 2010-01-30 17:25 43008 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\faj30e08.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-16 19:42 . 2010-01-25 21:00 43008 ----a-w- c:\documents and settings\Chad\Application Data\Mozilla\Firefox\Profiles\0ggfepas.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-16 19:42 . 2010-01-30 17:25 340480 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\faj30e08.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-16 19:42 . 2010-01-25 21:00 340480 ----a-w- c:\documents and settings\Chad\Application Data\Mozilla\Firefox\Profiles\0ggfepas.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-16 19:41 . 2010-01-30 17:25 346624 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\faj30e08.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-16 19:41 . 2010-01-25 21:00 346624 ----a-w- c:\documents and settings\Chad\Application Data\Mozilla\Firefox\Profiles\0ggfepas.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-15 23:57 . 2009-12-15 23:57 -------- d-----w- c:\program files\directx
2009-12-15 23:49 . 2009-12-15 23:49 -------- d-----w- c:\program files\MANUALS
2009-12-15 23:49 . 2009-12-15 23:49 -------- d-----w- c:\program files\HELP
2009-12-15 23:49 . 2009-12-15 23:49 -------- d-----w- c:\program files\DIRECTX7
2009-11-11 15:15 . 2010-01-30 07:04 38208 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-11 15:15 . 2010-01-24 19:59 38208 ----a-w- c:\documents and settings\Chad\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-10 19:39 . 2009-11-18 21:50 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2006-01-02 22:01 . 2008-11-30 17:37 53248 ----a-w- c:\program files\mozilla firefox\components\GigagetComponent.dll
2009-03-11 22:20 . 2009-03-11 22:20 208384 ----a-w- c:\program files\mozilla firefox\plugins\uc_rohan_launching.dll
2009-01-28 21:49 . 2009-01-28 21:49 62976 ----a-w- c:\program files\mozilla firefox\plugins\uc_sfighters_launching.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 19968]

c:\documents and settings\Chad\Start Menu\Programs\Startup\
FrostWire On Startup.lnk - c:\program files\FrostWire\FrostWire.exe [2008-9-3 114688]

[HKLM\~\startupfolder\c:^documents and settings^xain^start menu^programs^startup^frostwire on startup.lnk]
backup=c:\windows\pss\FrostWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Xain^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\fscagent.exe"=
"c:\\WINDOWS\\system32\\clubbox.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18479:TCP"= 18479:TCP:SolidNetworkManager
"18479:UDP"= 18479:UDP:SolidNetworkManager
"56643:TCP"= 56643:TCP:SolidNetworkManager
"56643:UDP"= 56643:UDP:SolidNetworkManager
"20215:TCP"= 20215:TCP:SolidNetworkManager
"20215:UDP"= 20215:UDP:SolidNetworkManager
"28286:TCP"= 28286:TCP:SolidNetworkManager
"28286:UDP"= 28286:UDP:SolidNetworkManager
"57864:TCP"= 57864:TCP:Pando Media Booster
"57864:UDP"= 57864:UDP:Pando Media Booster
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"58959:TCP"= 58959:TCP:Pando Media Booster
"58959:UDP"= 58959:UDP:Pando Media Booster

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1100000.088\SymDS.sys [1/25/2010 5:59 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1100000.088\SymEFA.sys [1/25/2010 5:59 PM 169008]
R0 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [12/2/2008 3:20 PM 54656]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20090829.001\BHDrvx86.sys [1/25/2010 5:59 PM 506928]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1100000.088\ccHPx86.sys [1/25/2010 5:59 PM 501888]
R1 hwinterface;hwinterface;c:\windows\system32\drivers\hwinterface.sys [7/29/2009 3:41 AM 3026]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1100000.088\Ironx86.sys [1/25/2010 5:59 PM 114736]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.0.0.136\ccSvcHst.exe [1/25/2010 5:58 PM 126392]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20090828.002\IDSxpx86.sys [1/25/2010 5:59 PM 329080]
S1 c65eaf80;c65eaf80;c:\windows\system32\drivers\c65eaf80.sys [1/8/2009 4:54 AM 0]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 gupdate1c9bed755ebd868;Google Update Service (gupdate1c9bed755ebd868); [x]
S2 Viewpoint Manager Service;Viewpoint Manager Service; [x]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [1/24/2010 1:45 PM 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [1/24/2010 1:45 PM 30104]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [10/11/2007 5:41 PM 69692]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Xaein\LOCALS~1\Temp\PVIF2.tmp --> c:\docume~1\Xaein\LOCALS~1\Temp\PVIF2.tmp [?]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys --> c:\windows\system32\drivers\WPRO_40_1340.sys [?]
S3 XDva037;XDva037;\??\c:\windows\system32\XDva037.sys --> c:\windows\system32\XDva037.sys [?]
S3 XDva279;XDva279;\??\c:\windows\system32\XDva279.sys --> c:\windows\system32\XDva279.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-30 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 00:20]

2010-01-24 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=14196&l=dis
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
IE: {{EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - c:\program files\PlaySushi\PSText.dll
FF - ProfilePath - c:\documents and settings\Chad\Application Data\Mozilla\Firefox\Profiles\0ggfepas.default\
FF - component: c:\documents and settings\Chad\Application Data\Mozilla\Firefox\Profiles\0ggfepas.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Mozilla Firefox\components\GigagetComponent.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbyond.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-30 14:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.0.0.136\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.0.0.136\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Xaein\LOCALS~1\Temp\PVIF2.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3820)
c:\windows\system32\WININET.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Logitech\MouseWare\system\em_exec.exe
.
**************************************************************************
.
Completion time: 2010-01-30 14:07:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-30 19:07

Pre-Run: 102,761,234,432 bytes free
Post-Run: 102,862,614,528 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - B1050B058083A964E3CF5C220440DB48

Last edited by DarkerLife on 30th January 2010, 7:09 pm; edited 7 times in total

descriptionMalwareBytes won't fully delete MalwareDefense EmptyRe: MalwareBytes won't fully delete MalwareDefense30th January 2010, 7:09 pm

more_horiz
Can someone lock this since I fixed mine already by myself >.>

descriptionMalwareBytes won't fully delete MalwareDefense EmptyRe: MalwareBytes won't fully delete MalwareDefense30th January 2010, 7:21 pm

more_horiz
Hello.

I see that you are running Frostwire.
P2P(Peer to peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    BitTorrent
    Frostwire

Next,

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\system32\drivers\c65eaf80.sys

    FileLook::
    c:\windows\system32\dllcache\regedit.exe
    c:\windows\regedit.exe
    c:\windows\system\regedit.exe

    Folder::
    c:\documents and settings\Chad\Application Data\FrostWire
    c:\program files\FrostWire

    Driver::
    c65eaf80
    Viewpoint Manager Service
    GarenaPEngine

    DDS::
    uStart Page = hxxp://www.ask.com?o=14196&l=dis

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    MalwareBytes won't fully delete MalwareDefense Cfscriptb4i

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

descriptionMalwareBytes won't fully delete MalwareDefense EmptyRe: MalwareBytes won't fully delete MalwareDefense

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum