I think I'm infected


  • This topic is locked
10 replies to this topic

#1 jbowman123


Posted 23 August 2009 - 06:05 PM

When I download some programs I can't install them. I keep being told they are not valid Win32 applications.

My other problem is I can't install Kaspersky 2009 on my computer. Kaspersky sent me here to try to investigate the problem. Well, they suggested that I try ComboFix to help clear up my computer. I read the instructions for ComboFix and it suggested that I get help from an expert.

My computer has other problems as well that I would like to get fixed. I'm not a beginner when it comes to computers, but this time I need a true expert's help. I hope I have posted to the right forum. If I haven't, please direct me to the right place.


Thanks


#2 Guest_superbird_*


Posted 26 August 2009 - 03:57 PM

Hi,

I am sorry for the delay in posting to you. We have a large community, with hundreds of topics being created every day.

Do you still need help with your problem?

- If not, please tell me also.

- If so, please tell me what problems you have exactly at the moment. Also, do this:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

#3 jbowman123


Posted 27 August 2009 - 06:32 AM

Thank you for your response. I have run MBAM and this is the log I have gotten:
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/24/2009 5:20:01 PM
mbam-log-2009-08-24 (17-19-47).txt

Scan type: Quick Scan
Objects scanned: 95860
Time elapsed: 7 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.115,85.255.112.205 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e26ef07c-069f-43cd-97e5-44e06a42824d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.115,85.255.112.205 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.115,85.255.112.205 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e26ef07c-069f-43cd-97e5-44e06a42824d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.115,85.255.112.205 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.115,85.255.112.205 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{e26ef07c-069f-43cd-97e5-44e06a42824d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.115,85.255.112.205 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> No action taken.

#4 Guest_superbird_*


Posted 27 August 2009 - 02:53 PM

Hi,

Please delete everything. Your log shows you didn't.
Please run a new, full scan, and delete everything that MBAM finds. Post that log in your next reply. :thumbsup:

#5 jbowman123


Posted 29 August 2009 - 07:23 AM

Sorry I haven't posted sooner; it's been a hectic few days. Besides not being able to install and activate Kaspersky Antivirus, I have a couple of other problems I hope you can help me with.
First, I can't see my HDD in Disk Manager, and sometimes when I download software I get the "not a valid Win32 application" message. I don't get these much, but sometimes. I ran a full scan with MBAM and the log is here:


Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/29/2009 8:06:28 AM
mbam-log-2009-08-29 (08-06-28).txt

Scan type: Full Scan (C:\|E:\|X:\|Z:\|)
Objects scanned: 423403
Time elapsed: 2 hour(s), 19 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\us\Desktop\Unused Desktop Shortcuts\unused desktop\Adobe CS4 Keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
E:\Documents and Settings\john\My Documents\Downloads\Adobe CS4 Master Collection - Shadeyman\Adobe CS4 Keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
E:\Documents and Settings\john\My Documents\Downloads\Adobe Dreamweaver CS4\Adobe CS4 Activation Patch\Adobe CS4 Keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
X:\New Folder\Adobe CS4 Keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> Delete on reboot.


That MSIVXcount file, I cannot find it or remove it. I have checked in the system32 folder and couldn't find it there. I even clicked Folder Options, View, and unchecked show system files and all hidden files, but still couldn't find it.


I have also run a program called RootRepeal; if you need those logs I can post them next time.

superbird, thank you for your time and patience in helping me. I appreciate it very much.

I have previously had both AVG 8.5 Free and Norman Virus Control installed on my computer before. I believe I've gotten rid of the AVG, but I thought I still saw remnants of Norman in the system32 files when MBAM was running. Don't know if that is why Kaspersky won't let me activate or not.
Again, thank you.

Edited by jbowman123, 29 August 2009 - 07:31 AM.


#6 Guest_superbird_*


Posted 29 August 2009 - 10:04 AM

Hi,

Well, in that case please post the logs from RootRepeal. Were they made after the last scan with MBAM?

Also, please tell me which A/V program you want to keep. Kaspersky?
Which A/V program do you still have installed?

#7 jbowman123


Posted 29 August 2009 - 03:56 PM

Hey,

As far as A/V, I want Kaspersky. I installed Norman, then I thought I uninstalled all of it, then I installed AVG 8.5 and again uninstalled that one. I wasn't happy with either of those programs. I read on the net that AVG caused too many problems with the computer, so I deleted it. I used a program that Kaspersky recommended and it seemed to remove AVG, but I think that Norman still has files on my hard drive. When I was scanning with MBAM I thought I saw some files that looked like they belonged to Norman. But anyway, I just ran another scan with RootRepeal. I scanned files, processes, SSDT and hidden services. The log report is below:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/29 16:30
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB2604000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xB6211000 Size: 8192 File Visible: No Signed: -
Status: -

Name: MSIVXtoijeyxmlxbqujdlgdtonbohhcmjkvxj.sys
Image Path: C:\WINDOWS\system32\drivers\MSIVXtoijeyxmlxbqujdlgdtonbohhcmjkvxj.sys
Address: 0xB53A8000 Size: 184320 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rftr.sys
Image Path: rftr.sys
Address: 0xF75F7000 Size: 61440 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAFD71000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Avenger\MSIVXcount
Status: Invisible to the Windows API!

Path: C:\Avenger\MSIVXcount-ren-1596
Status: Invisible to the Windows API!

Path: C:\Avenger\MSIVXcount-ren-1614
Status: Invisible to the Windows API!

Path: C:\Avenger\MSIVXcount-ren-2447
Status: Invisible to the Windows API!

Path: C:\Avenger\MSIVXcount-ren-389
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\MSIVXcount
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\MSIVXnoqgqruhmikpiofoylbetwqmbirquvxt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\MSIVXyuwlgmetqlmhvvagfingdyjdfrlqpsxw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\MSIVXtoijeyxmlxbqujdlgdtonbohhcmjkvxj.sys
Status: Invisible to the Windows API!

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586b81a

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586bdc6

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586d82a

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586d1e0

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586af90

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586f18c

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586bbc2

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586b3d2

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586b5d2

#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586d4ec

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586f698

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586b6e8

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586b750

#: 084 Function Name: NtFsControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586d3a2

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586ec50

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586d03c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586b0f2

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586b9e8

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586f1b6

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586b93e

#: 160 Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586b7b8

#: 161 Function Name: NtQueryMultipleValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586b4bc

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586b29a

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586eeb8

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586ac12

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586e0b4

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586ad74

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586f568

#: 207 Function Name: NtSaveKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586aa10

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586d6cc

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586bcc0

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586ed4a

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586f1e0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586b148

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586f2c4

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586f3f0

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586eb7c

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586ba92

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb586bb04

Hidden Services
-------------------
Service Name: MSIVXserv.sys
Image Path: C:\WINDOWS\system32\drivers\MSIVXtoijeyxmlxbqujdlgdtonbohhcmjkvxj.sys

==EOF==


I hope this helps diagnose my problems, and again thanks for all your help so far :thumbsup:
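The two logs above carry the indicators a helper triages first: which MBAM detections were left at "No action taken" (the point superbird raised in reply #4), which resolver addresses the Trojan.DNSChanger entries wrote into the Tcpip NameServer values, and which files RootRepeal reports as invisible to the Windows API rather than merely locked. The Python script below is an added example for this page, not code from the thread, from Malwarebytes or from the RootRepeal author. It parses trimmed excerpts copied from the posted logs and answers those three questions; the trusted resolver address 192.168.1.1 is an assumption standing in for the user's real ISP or router DNS.

```python
"""Triage helpers for the MBAM and RootRepeal logs posted in this thread (added example)."""
import os
import re
from collections import namedtuple
from typing import Dict, List, Set

# Constructed sample: lines excerpted from the MBAM logs in replies #3 and #5.
MBAM_LOG = r"""Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.115,85.255.112.205 -> No action taken.

Files Infected:
C:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> Delete on reboot.
X:\New Folder\Adobe CS4 Keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# Constructed sample: lines excerpted from the RootRepeal log in reply #7.
ROOTREPEAL_LOG = r"""Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\MSIVXcount
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\MSIVXnoqgqruhmikpiofoylbetwqmbirquvxt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}
Status: Locked to the Windows API!

Hidden Services
-------------------
Service Name: MSIVXserv.sys
Image Path: C:\WINDOWS\system32\drivers\MSIVXtoijeyxmlxbqujdlgdtonbohhcmjkvxj.sys
"""

# One MBAM detection line: "<item> (<Family>) [-> Data: <data>] -> <action>."
MBAM_LINE = re.compile(
    r"^(?P<item>.*?) \((?P<family>[\w.]+)\) -> "
    r"(?:Data: (?P<data>.*?) -> )?(?P<action>.*?)\.?$"
)

# data is None for registry values and files; it holds the planted value for data items.
Detection = namedtuple("Detection", "item family action data")


def parse_mbam(text: str) -> List[Detection]:
    """One Detection per detection line; section headers, counts and blank lines are skipped."""
    matches = (MBAM_LINE.match(line.strip()) for line in text.splitlines())
    return [Detection(m["item"], m["family"], m["action"], m["data"]) for m in matches if m]


def not_removed(dets: List[Detection]) -> List[Detection]:
    """Detections MBAM listed but left alone, i.e. 'Remove Selected' was never clicked."""
    return [d for d in dets if d.action == "No action taken"]


def rogue_dns_servers(dets: List[Detection], trusted: Set[str]) -> List[str]:
    """Resolver IPs written into the Tcpip NameServer values that are not in the trusted set."""
    seen: Set[str] = set()
    for d in dets:
        if d.data and d.item.lower().endswith("\\nameserver"):
            seen.update(ip.strip() for ip in d.data.split(","))
    return sorted(seen - trusted)


def parse_rootrepeal(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Split a RootRepeal report into sections, each a list of 'Key: value' records."""
    lines = text.splitlines()
    sections: Dict[str, List[Dict[str, str]]] = {}
    current = ""
    record: Dict[str, str] = {}
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("---"):
            current = line.strip()  # a header is any line followed by a dashed rule
            sections[current] = []
        elif not line.strip() or line.startswith("---"):
            if record and current:  # a blank line closes the current record
                sections[current].append(record)
            record = {}
        elif ": " in line and current:
            key, value = line.split(": ", 1)
            record[key] = value
    if record and current:
        sections[current].append(record)
    return sections


def hidden_artifacts(report: Dict[str, List[Dict[str, str]]]) -> List[str]:
    """Paths RootRepeal could not see through the Windows API; merely locked files are excluded."""
    paths = [r["Path"] for r in report.get("Hidden/Locked Files", []) if "Invisible" in r.get("Status", "")]
    paths += [r["Image Path"] for r in report.get("Hidden Services", [])]
    return sorted(set(paths))


def shared_name_prefix(paths: List[str]) -> str:
    """Common leading tag of the hidden file names; the poster's all start with 'MSIVX'."""
    return os.path.commonprefix([p.rsplit("\\", 1)[-1] for p in paths])


if __name__ == "__main__":
    dets = parse_mbam(MBAM_LOG)
    for d in not_removed(dets):
        print("still present:", d.family, d.item)
    print("rogue DNS:", rogue_dns_servers(dets, {"192.168.1.1"}))  # assumed trusted resolver
    hidden = hidden_artifacts(parse_rootrepeal(ROOTREPEAL_LOG))
    print("hidden:", hidden, "shared prefix:", shared_name_prefix(hidden))
```

Run it as a script for the summary, or import it and feed `parse_mbam` and `parse_rootrepeal` a complete log. Keeping "Locked" separate from "Invisible" is deliberate: the `$hf_mig$` entry is only locked and is left out, while the three MSIVX paths that remain share one name prefix, which is what ties the count file, the DLL and the hidden service's driver together as a single set of artifacts.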

#8 Guest_superbird_*


Posted 30 August 2009 - 12:03 PM

Hi,

I'm going to redirect you to the HijackThis section of this forum. This is because it's a deeper infection.
Read this page and follow its steps: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Please give them a link to this topic.

Good luck. :thumbsup:

#9 jbowman123


Posted 30 August 2009 - 12:49 PM

Thank you for all your help.

#10 Guest_superbird_*


Posted 30 August 2009 - 01:09 PM

You're most welcome. :thumbsup:

#11 Orange Blossom

  • Moderator

Posted 31 August 2009 - 11:35 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/253705/malware-msivxcount/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup: