Unknown problem - can't install malwarebytes


  • This topic is locked
3 replies to this topic

#1 ghen


Posted 12 January 2010 - 11:17 AM

Hello, this is my first time posting on bleepingcomputer. I work in IT and I've previously always been able to clean computers, but this one has stumped me. I noticed there was a problem first because of the random advertisement pop-ups when online. Also, malwarebytes will not install. The mbam.exe file gets deleted and copying in a renamed .exe from another computer with the same updates would not run. I traced it to an 8 character dll that seems to be randomly generated. Every program I've tried so far has been unable to clean the problem.

I've tried:
malwarebytes
counterspy
vipre rescue
spyware doctor
anti-rootkit from Panda software
rootkit repeal (would not run, frozen using up 2gb of virtual memory)
x-ray PC
hijack this

Known good:
192.110.112.x - my internal network (strange, I know)
anything related to ADP - my dealer management software - adp.com
Symantec Endpoint anti-virus - the only permanent anti-software on the computer


Here is my DDS log:
DDS (Ver_09-12-01.01) - NTFSx86  
Run by Administrator at 11:05:11.70 on Tue 01/12/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1007.632 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)   {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [sapemeked] Rundll32.exe "c:\windows\system32\wayebomi.dll",a
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe"  -osboot
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
Trusted Zone: adp.com\*.ds
Trusted Zone: adpremotesupport.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {00906302-0F14-442C-B39C-275F61BC25BC} - hxxp://192.110.112.1/apps/autoTools/sda/common/atSdaCfg.CAB
DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxp://192.110.112.1/global/sda/tgctlins.cab
DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} - hxxp://www.gmdealerpulse.com/download/CfxIEAx.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} - file://d:\autorun\PC-CONFIG-CHECK.CAB
DPF: {73A8D51E-578B-4E4E-8FF8-112E51DBFBE3} - hxxp://caf.oeconnection.com/ActiveX/DMSISM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38055.6812268519
DPF: {CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://gm-recordings.webex.com/client/T25L10NSP41EP13-LOCKDOWN/webex/ieatgpc.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: {A9E00E11-0338-42C4-B5FA-1ED47A87890E} = 192.110.112.95
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: videpado.dll c:\windows\system32\wayebomi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: yunenifav - {f86a1c4e-1563-4d6e-8e3a-0d37e5bfe54e} - c:\windows\system32\wayebomi.dll
STS: kupuhivus: {f86a1c4e-1563-4d6e-8e3a-0d37e5bfe54e} - c:\windows\system32\wayebomi.dll
LSA: Notification Packages = scecli lemirifo.dll
Hosts: 192.110.112.1 sda.ds.adp.com
Hosts: 192.110.112.1    smartAgent.ds.adp.com

============= SERVICES / DRIVERS ===============

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-11-29 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100108.002\NAVENG.SYS [2010-1-8 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100108.002\NAVEX15.SYS [2010-1-8 1323568]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 rootkitrepealer;rootkitrepealer;\??\c:\windows\system32\drivers\rootkitrepealer.sys --> c:\windows\system32\drivers\rootkitrepealer.sys [?]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-1-6 108392]
S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-1-6 108392]
S4 gupdate1c9d49117a426b0;Google Update Service (gupdate1c9d49117a426b0);c:\program files\google\update\GoogleUpdate.exe [2009-5-14 133104]
S4 SITomcat;SI Tomcat;c:\program files\gm spo\esi\apache group\tomcat 4.1\bin\tomcat.exe [2005-3-10 65536]
S4 SITransbase;SI Transbase;c:\program files\gm spo\esi\transbase\tbmux32.exe [2005-3-10 165376]
S4 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-1-6 2189240]
S4 vsdatant;vsdatant;a --> a [?]

=============== Created Last 30 ================

2010-01-11 20:18:17    0    d-----w-    c:\docume~1\alluse~1\applic~1\Sunbelt
2010-01-11 20:16:43    155648    ----a-w-    c:\windows\system32\igfxres.dll
2010-01-11 19:47:59    14336    -c--a-w-    c:\windows\system32\dllcache\tsprof.exe
2010-01-11 19:46:58    36927    -c--a-w-    c:\windows\system32\dllcache\padrs411.dll
2010-01-11 19:45:59    6656    -c--a-w-    c:\windows\system32\dllcache\kbdlk41a.dll
2010-01-11 19:44:41    42496    -c--a-w-    c:\windows\system32\dllcache\davcdata.exe
2010-01-11 19:43:59    108544    -c--a-w-    c:\windows\system32\dllcache\appconf.dll
2010-01-11 19:40:31    488    ---ha-r-    c:\windows\system32\logonui.exe.manifest
2010-01-11 19:40:22    749    ---ha-r-    c:\windows\WindowsShell.Manifest
2010-01-11 19:40:22    749    ---ha-r-    c:\windows\system32\wuaucpl.cpl.manifest
2010-01-11 19:40:22    749    ---ha-r-    c:\windows\system32\sapi.cpl.manifest
2010-01-11 19:40:22    749    ---ha-r-    c:\windows\system32\nwc.cpl.manifest
2010-01-11 19:40:22    749    ---ha-r-    c:\windows\system32\ncpa.cpl.manifest
2010-01-11 19:11:51    13753    ----a-r-    c:\windows\SETF4.tmp
2010-01-11 19:11:48    1086058    ----a-r-    c:\windows\SETE8.tmp
2010-01-11 19:11:45    1042903    ----a-r-    c:\windows\SETE5.tmp
2010-01-11 16:31:51    12160    ----a-w-    c:\windows\system32\drivers\mouhid.sys
2010-01-11 16:31:36    9600    ----a-w-    c:\windows\system32\drivers\hidusb.sys
2010-01-11 16:09:31    13753    ----a-r-    c:\windows\SETF3.tmp
2010-01-11 16:09:25    1086058    ----a-r-    c:\windows\SETE7.tmp
2010-01-11 16:09:23    1042903    ----a-r-    c:\windows\SETE4.tmp
2010-01-11 13:17:54    1086058    ----a-r-    c:\windows\SET12D.tmp
2010-01-11 13:17:51    1042903    ----a-r-    c:\windows\SET12A.tmp
2010-01-08 21:06:20    48    ----a-w-    c:\windows\WININIT.INI
2010-01-08 20:51:18    0    d--h--w-    c:\windows\system32\GroupPolicy
2010-01-08 20:46:12    0    d-----w-    c:\docume~1\admini~1\applic~1\Malwarebytes
2010-01-08 14:33:37    27944    ----a-w-    c:\windows\system32\sbbd.exe
2010-01-08 14:32:50    0    d-----w-    C:\VIPRERESCUE
2010-01-08 14:12:20    0    d-----w-    c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-07 20:07:12    0    d-----w-    c:\docume~1\alluse~1\applic~1\Applications
2009-12-15 01:35:11    0    d-----w-    c:\docume~1\alluse~1\applic~1\Seagull Software

==================== Find3M  ====================

2010-01-11 19:38:32    22720    ----a-w-    c:\windows\system32\emptyregdb.dat
1601-01-01 00:03:52    51200    --sha-w-    c:\windows\system32\hohikelu.dll
1601-01-01 00:03:52    51200    --sha-w-    c:\windows\system32\lemirifo.dll
1601-01-01 00:03:28    61440    --sha-w-    c:\windows\system32\lifakobe.dll
1601-01-01 00:03:52    51200    --sha-w-    c:\windows\system32\videpado.dll
1601-01-01 00:03:28    92160    --sha-w-    c:\windows\system32\wayebomi.dll
1601-01-01 00:03:28    38400    --sha-w-    c:\windows\system32\zunadahi.dll

============= FINISH: 11:06:14.31 ===============

Edited by ghen, 12 January 2010 - 11:25 AM.
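As an added example (not part of this thread or of any tool named in it), here is a Python triage script that reads a DDS log the way a responder reads the one above: it picks out Find3M entries that share the traits ghen describes (an eight-letter random name, a zeroed 1601-01-01 timestamp, hidden+system attributes) and then lists which load points (mRun, AppInit_DLLs, SSODL, LSA Notification Packages) reference each file. The embedded log excerpt is copied from the post; the function names and the load-point prefix list are my own choices.

```python
import re

# Excerpt of the DDS log quoted in the post above (copied so the script runs
# offline); only the load-point lines and Find3M entries the triage inspects.
DDS_LOG = r"""mRun: [sapemeked] Rundll32.exe "c:\windows\system32\wayebomi.dll",a
AppInit_DLLs: videpado.dll c:\windows\system32\wayebomi.dll
SSODL: yunenifav - {f86a1c4e-1563-4d6e-8e3a-0d37e5bfe54e} - c:\windows\system32\wayebomi.dll
LSA: Notification Packages = scecli lemirifo.dll
2010-01-11 19:38:32    22720    ----a-w-    c:\windows\system32\emptyregdb.dat
1601-01-01 00:03:52    51200    --sha-w-    c:\windows\system32\lemirifo.dll
1601-01-01 00:03:52    51200    --sha-w-    c:\windows\system32\videpado.dll
1601-01-01 00:03:28    92160    --sha-w-    c:\windows\system32\wayebomi.dll
"""

# Find3M line layout: date time, size, eight attribute flags, path.
FIND3M = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d\d:\d\d:\d\d\s+\d+\s+([-a-z]{8})\s+(\S.*)$")
# The DLLs in the post have eight-letter, lowercase, randomly generated names.
RANDOM_DLL = re.compile(r"\\([a-z]{8})\.dll$", re.IGNORECASE)
# DDS "Pseudo HJT" prefixes that act as persistence load points for a DLL.
LOAD_POINTS = ("mRun:", "AppInit_DLLs:", "SSODL:", "STS:", "LSA:", "Notify:")

def suspicious_files(log):
    """Find3M entries combining the three traits seen in the post: random
    eight-letter name, zeroed FILETIME (1601-01-01, i.e. timestomped or never
    set) and hidden+system attribute bits (--sha) that hide them from a casual
    directory listing. Returns bare file names in log order."""
    hits = []
    for line in log.splitlines():
        m = FIND3M.match(line)
        if not m:
            continue
        date, attrs, path = m.groups()
        if (RANDOM_DLL.search(path) and date == "1601-01-01"
                and "s" in attrs and "h" in attrs):
            hits.append(path.rsplit("\\", 1)[-1].lower())
    return hits

def load_points_for(log, names):
    """Map each file name to the load-point prefixes that reference it, e.g.
    lemirifo.dll as an LSA Notification Package (loaded into lsass.exe at boot)
    and wayebomi.dll wired into mRun, AppInit_DLLs and SSODL at once."""
    refs = {n: [] for n in names}
    for line in log.splitlines():
        if not line.startswith(LOAD_POINTS):
            continue
        for n in names:
            if n in line.lower():
                refs[n].append(line.split(":", 1)[0])
    return refs
```

Every load point listed for a file must be cleared together with the file itself, otherwise the next boot reloads the DLL and the mbam.exe deletion described above resumes.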



#2 m0le


Posted 17 January 2010 - 07:47 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Can you run this rootkit scanner

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open on your desktop.
  • Click the tab.
  • Click the button.
  • Check all seven boxes:
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

m0le is a proud member of UNITE

#3 ghen


Posted 18 January 2010 - 08:10 AM

Thanks for the assistance Mole. I'm receiving help elsewhere for this problem and I don't want to confuse anything so you can close this thread.

#4 m0le


Posted 18 January 2010 - 08:55 AM

Thanks for letting me know, ghen.

Good luck getting your problem sorted.
