Malware defense (I think)- tried everything


3 replies to this topic

#1 kellyamt

  • Members
  • 2 posts
Posted 15 January 2010 - 08:00 PM

I think that Malware Defense is still on the hard drive even though Malwarebytes Anti-Malware has been run successfully 4 times, and also supposedly removed these items: Trojan.Vundo, and a root key H8SRT.... etc. Tried to do a system restore, but you click "Next" and nothing happens. Not sure if this is malware or a trojan or what. It'll be OK for a while after I run MBAM, but then if I restart it, it's all right back again. It is preventing me from opening certain webpages and wouldn't let me open MBAM until I tricked it using your advice. When I look in the Task Manager it keeps running iexplore.exe even though I haven't opened IE. We have Windows XP. Here is the DDS log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 19:40:18.76 on Fri 01/15/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.638.319 [GMT -5:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://myspace.com/
uSearch Page =
uSearch Bar =
mSearchAssistant =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [twunk_32x.exe] c:\docume~1\owner\locals~1\temp\twunk_32x.exe
uRun: [Malware Defense] "c:\program files\malware defense\mdefense.exe" -noscan
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Media Codec Update Service] c:\program files\essentials codec pack\update.exe -silent
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\XnfVBdk3N.exe" /runcleanupscript
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235226919609
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\fhp2fwc8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2319576&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\fhp2fwc8.default\extensions\{a298ed31-d405-40e2-880f-b7511948e582}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\fhp2fwc8.default\extensions\{a298ed31-d405-40e2-880f-b7511948e582}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\fhp2fwc8.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_HotbarSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R3 US122;US122 Driver;c:\windows\system32\drivers\US122.sys [2009-5-14 131968]
R3 Us122WdmService;US122 Wdm Audio;c:\windows\system32\drivers\US122Wdm.sys [2009-5-14 39168]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-9 38224]
S3 US122DL;US122 Firmware Downloader;c:\windows\system32\drivers\US122DL.sys [2009-5-14 18304]

=============== Created Last 30 ================

2010-01-13 13:49:29 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-10 14:45:12 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-01-10 14:45:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-01-10 14:44:14 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-24 23:42:37 0 d-----w- c:\docume~1\alluse~1\applic~1\TVU Networks
2009-12-24 23:42:18 0 d-----w- c:\program files\TVUPlayer
2009-12-21 16:11:51 0 d-----w- c:\windows\system32\wbem\Repository
2009-12-21 16:11:35 0 d-----w- c:\windows\nview
2009-12-21 16:11:15 0 d-----w- c:\program files\Broadcom
2009-12-21 05:12:23 0 d-----w- c:\program files\Broadcom(2)
2009-12-21 05:06:31 0 d-----w- c:\program files\Broadcom Management Programs
2009-12-21 05:04:22 0 d-----w- C:\dell
2009-12-20 17:30:44 88566 ----a-w- c:\windows\system32\nvapps.xml
2009-12-20 17:30:40 17056 ----a-w- c:\windows\system32\nvdisp.nvu
2009-12-20 17:30:40 0 d-----w- c:\windows\nview(2)
2009-12-20 07:26:43 0 d-----w- c:\documents and settings\owner\LocalLow
2009-12-18 03:01:00 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-12-18 03:00:29 0 d-----w- c:\program files\Winamp Detect
2009-12-17 04:02:16 1409 ----a-w- c:\windows\system32\tmp7BA13.FOT

==================== Find3M ====================

2009-12-30 19:55:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 19:54:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-03 21:23:48 189744 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-03 21:19:33 139904 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-12 17:46:43 249856 ------w- c:\windows\Setup1.exe
2009-11-12 17:46:40 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-11-12 15:25:05 197411 ----a-w- c:\windows\Photo Pos Pro Uninstaller.exe
2009-11-11 15:32:22 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-27 19:18:28 368640 ----a-w- c:\windows\system32\rewire.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

============= FINISH: 19:40:44.42 ===============

I also ran that RootRepeal report. Let me know if you want to see it. Thanks for any help you can provide!
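The autorun section of the DDS log above is the part worth reading closely: the "AV:" line shows the rogue product has registered itself with Security Center as the installed antivirus, its own Run value (mdefense.exe -noscan) brings it back on every restart, and twunk_32x.exe launches from the user's temp directory, which is where a cleanup guide tells you to look first. The following Python script is an added example by the editor, not part of the original thread and not DDS's own code; it parses lines in the shape of the "Pseudo HJT Report" (uRun = HKCU Run, mRun = HKLM Run) and flags Run values that launch from a temp directory, belong to the product the AV: line names, or have a randomized executable name. The three heuristics and the trimmed sample lines are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: six lines copied in shape from the DDS "Pseudo HJT Report"
# posted above (uRun = HKCU\...\Run, mRun = HKLM\...\Run), trimmed for illustration.
SAMPLE_LOG = """\
AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
uRun: [twunk_32x.exe] c:\\docume~1\\owner\\locals~1\\temp\\twunk_32x.exe
uRun: [Malware Defense] "c:\\program files\\malware defense\\mdefense.exe" -noscan
mRun: [ClamWin] "c:\\program files\\clamwin\\bin\\ClamTray.exe" --logon
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\\program files\\malwarebytes' anti-malware\\XnfVBdk3N.exe" /runcleanupscript
"""

RUN_LINE = re.compile(r"^(?P<hive>[um])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
AV_LINE = re.compile(r"^AV:\s*(?P<product>.+?)\s*\*")
HIVES = {"u": "HKCU", "m": "HKLM"}
# Assumed heuristic: 8+ alphanumerics mixing upper, lower and digits look machine-generated.
RANDOM_STEM = re.compile(r"(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{8,}")


@dataclass
class Finding:
    hive: str                 # "HKCU" or "HKLM"
    name: str                 # the Run value name in [brackets]
    image: str                # executable path extracted from the command line
    reasons: List[str] = field(default_factory=list)


def image_path(cmd: str) -> str:
    """Return the executable path from a Run value's command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split(" ", 1)[0]


def analyze(log: str) -> List[Finding]:
    """Return one Finding per Run value that trips at least one heuristic, in log order."""
    findings: List[Finding] = []
    registered_av: Optional[str] = None   # DDS prints the AV: line before the Run entries
    for line in log.splitlines():
        av = AV_LINE.match(line)
        if av:
            registered_av = av.group("product").lower()
            continue
        run = RUN_LINE.match(line)
        if not run:
            continue
        image = image_path(run.group("cmd"))
        low = image.lower()
        stem = image.rsplit("\\", 1)[-1].rsplit(".", 1)[0]   # file name without extension
        reasons = []
        if "\\temp\\" in low:
            reasons.append("launched from a temp directory")
        if registered_av and registered_av in low:
            reasons.append("belongs to the product registered with Security Center as the AV")
        if RANDOM_STEM.fullmatch(stem):
            reasons.append("randomized executable name")
        if reasons:
            findings.append(Finding(HIVES[run.group("hive")], run.group("name"), image, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.hive} Run [{f.name}] -> {f.image}")
        for r in f.reasons:
            print(f"    {r}")
```

Run against the sample, the script reports twunk_32x.exe (temp directory), the Malware Defense value (matches the registered AV product) and the Malwarebytes reboot entry (randomized name). The last one is a deliberate false positive: Malwarebytes picks a random file name so that a rogue cannot block it by name, which is the same trick the poster used to get the scanner to start. The parent directory, not the file name, is what separates the two, so treat the randomized-name hit as a prompt to check the path rather than as a verdict.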

#2 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 17 January 2010 - 10:52 PM

Hello kellyamt,

Please follow this Remove Malware Defense (Uninstall Guide)


Please post that RootRepeal report and the Malwarebytes log.

Please tell me the antivirus you are running.

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

Edited by SifuMike, 17 January 2010 - 11:09 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 kellyamt

  • Topic Starter
  • Members
  • 2 posts

Posted 06 February 2010 - 11:43 AM

Thank you for writing back, I really appreciate it. We ended up wiping our hard drive and reinstalling windows.

#4 SifuMike

Posted 06 February 2010 - 01:16 PM



Thanks for letting me know.