
Malwarebytes removes files, but they keep coming back


  • This topic is locked
2 replies to this topic

#1 JSmith12345

JSmith12345

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:19 AM

Posted 12 October 2010 - 04:15 AM

Hi, recently I was infected by a whole bunch of trojan and rootkit viruses, including the insidious rogue “antivirus” program Security Tool. I was able to remove them and restore my computer’s functionality. Since then, I’ve run Malwarebytes several times over the past few weeks, but each time the scan log says I have three files associated with Rogue.Antivirus2010 and one file associated with Malware.Trace. Each time I run the software, I get a message saying that these files were “quarantined and deleted successfully,” but after I restart my computer and rerun the software, the four files reappear. Although my computer appears to be running well at the moment, I am worried these are latent infections. Below is the log from my latest scan:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4746

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2010-10-12 오후 4:53:32
mbam-log-2010-10-12 (16-53-32).txt

Scan type: Quick scan
Objects scanned: 150087
Time elapsed: 9 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Rogue.Antivirus2010) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Rogue.Antivirus2010) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\오수아\Local Settings\Temp\in1A.tmp (Malware.Trace) -> Quarantined and deleted successfully.

----------------------------------------------------------------------------
Here are the contents of my DDS file:

DDS (Ver_10-10-10.03) - NTFSx86
Run by 오수아 at 16:57:47.85 on 2010-10-12
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.949.82.1042.18.2037.1421 [GMT 9:00]

FW: AhnLab V3 Internet Security 8.0 *disabled* {6CBF11B7-327F-4AB6-BBD3-AE8650A9D64C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\npkcmsvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\오수아\바탕 화면\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://bbs.epublic.co.kr/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader 링크 도우미: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: AD Softbank: {2d73d44e-c0e2-4141-9970-9d1105732d46} - c:\progra~1\sbsgui~1\sbs_set1.dll
EB: {30AB379D-39CD-4B14-BD14-0E9AEE8444E0} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Korean IME Migration] c:\progra~1\common~1\micros~1\ime12\imekr\IMKRMIG.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [ctfmon.exe] ctfmon.exe
IE: Microsoft Excel로 내보내기(&X) - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2007-12-27 4300]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-9-1 38224]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-6 133104]
S3 dhzrfrme;dhzrfrme;\??\c:\windows\system32\drivers\dhzrfrme.sys --> c:\windows\system32\drivers\dhzrfrme.sys [?]
S3 fawtjboo;fawtjboo;\??\c:\windows\system32\drivers\fawtjboo.sys --> c:\windows\system32\drivers\fawtjboo.sys [?]
S3 FsUsbDisk;FsUsbDisk;c:\windows\system32\FsUsbDisk.sys [2009-4-7 36576]
S3 JRSKD24;JRSKD24;c:\windows\system32\JRSKD24.sys [2007-3-14 38200]
S3 JRSUKD24;JRSUKD24;c:\windows\system32\JRSUKD24.sys [2007-3-14 6784]
S3 kcrtx86;kcrtx86;c:\windows\system32\kcrtx86.sys [2010-3-3 126048]
S3 kukorjaj;kukorjaj;\??\c:\windows\system32\drivers\kukorjaj.sys --> c:\windows\system32\drivers\kukorjaj.sys [?]
S3 rbuhdpgi;rbuhdpgi;\??\c:\windows\system32\drivers\rbuhdpgi.sys --> c:\windows\system32\drivers\rbuhdpgi.sys [?]
S3 rwmzvjdj;rwmzvjdj;\??\c:\windows\system32\drivers\rwmzvjdj.sys --> c:\windows\system32\drivers\rwmzvjdj.sys [?]
S3 scsk5;SCSK5 Driver Service;c:\windows\system32\drivers\scsk5.sys --> c:\windows\system32\drivers\scsk5.sys [?]
S3 sshpmdfl;SAMSUNG HSP Plus Modem Filter Driver;c:\windows\system32\drivers\SHPACMFilter.sys [2009-3-10 6656]
S3 sshpmdm;SAMSUNG HSP Plus Modem Drivers;c:\windows\system32\drivers\SHPACM.sys [2009-3-10 30208]
S3 sshpusb;SAMSUNG HSP Plus USB Driver disks;c:\windows\system32\drivers\SHPUSB.sys [2009-3-10 25600]
S3 VSHOOK;VSHOOK;c:\windows\system32\drivers\vshook.sys [2010-1-21 30592]

=============== Created Last 30 ================

2010-10-12 07:54:47 54016 ----a-w- c:\windows\system32\drivers\jjwp.sys
2010-10-12 07:05:08 -------- d-----w- c:\program files\Trend Micro
2010-10-05 12:46:21 -------- d-----w- c:\program files\Panda Security
2010-10-01 06:46:26 -------- d-----w- c:\windows\새 폴더
2010-10-01 02:27:59 -------- d-----w- c:\program files\Livestation
2010-10-01 02:25:12 23360000 ----a-w- c:\documents and settings\오수아\Livestation-3.2.0.msi
2010-09-30 05:44:02 578408 ----a-w- c:\windows\mpg123dsfSp.ax
2010-09-30 05:44:02 206184 ----a-w- c:\windows\skcbgm.exe
2010-09-30 05:44:01 67184 ----a-w- c:\windows\CMListControl.dll
2010-09-30 05:44:01 575088 ----a-w- c:\windows\SKCDecd.ax
2010-09-30 05:44:01 485320 ----a-w- c:\windows\skcppl.dll
2010-09-30 05:44:01 460136 ----a-w- c:\windows\skcbgm.dll
2010-09-30 05:44:01 323944 ----a-w- c:\windows\mp3ParseStream.ax
2010-09-30 05:44:01 296904 ----a-w- c:\windows\skcaset1.dll
2010-09-30 05:44:01 198256 ----a-w- c:\windows\skcwmf.dll
2010-09-30 05:44:01 144744 ----a-w- c:\windows\skcbgmf1.dll
2010-09-30 05:44:01 136816 ----a-w- c:\windows\SKCMpg.ax
2010-09-30 03:53:57 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{7D4B3D1D-104E-4507-9123-568BC721B7E2}
2010-09-30 03:53:53 -------- d-----w- c:\program files\Transparent
2010-09-30 03:53:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\Transparent
2010-09-24 02:09:55 296904 ----a-w- c:\windows\system32\skcaset1.dll

==================== Find3M ====================

2010-10-07 05:52:13 38200 ----a-w- c:\windows\system32\JRSKD24.sys
2010-10-07 05:52:13 12728 ----a-w- c:\windows\system32\JRSUKD25.SYS
2010-10-07 05:52:13 126048 ----a-w- c:\windows\system32\kcrtx86.sys
2010-10-01 02:28:04 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2010-10-01 02:28:04 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2010-09-24 02:09:55 485320 ----a-w- c:\windows\system32\skcppl.dll
2010-08-26 13:10:28 16896 ----a-w- c:\windows\system32\userinit.exe
2010-08-25 11:47:27 46640 ----a-w- c:\windows\system32\npPCStatusUninst.exe
2010-08-25 11:47:27 124536 ----a-w- c:\windows\system32\npPCStatus.ocx
2010-08-09 20:15:58 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-08-09 20:15:58 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 16:58:40.96 ===============

Anyways, thanks a million in advance for your assistance. I’m so appreciative of the work you guys do.
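The symptom described in this post (the same registry data items and temp file flagged again after every reboot) is easiest to confirm by comparing consecutive scan logs rather than reading them by eye. The following is an added example, not code from the thread or from Malwarebytes: a small parser for the Malwarebytes' Anti-Malware 1.x text log format shown above, plus a comparison that reports detections recurring across scans. The two sample logs are constructed for the example (the first is abridged from the log in this post with the Windows user name replaced by `user`; the second is an invented follow-up scan with one extra, non-recurring item).

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs and flag detections that
recur from one scan to the next (added example; not part of the thread)."""
import re
from collections import defaultdict

# Detail-section headers look exactly like "Files Infected:" with nothing after
# the colon; the summary lines ("Files Infected: 1") carry a count and do not match.
SECTION_RE = re.compile(
    r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:$"
)
# A detection line: "<object> (<threat name>) -> [Data: <value> -> ]<action>"
DETECTION_RE = re.compile(r"^(?P<object>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")


def parse_mbam_log(text):
    """Return one dict per detection: section, object, threat, data, action."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        # Skip header lines, blanks and "(No malicious items detected)".
        if section is None or not line or line.startswith("("):
            continue
        d = DETECTION_RE.match(line)
        if not d:
            continue
        parts = [p.strip() for p in d.group("rest").split(" -> ")]
        has_data = parts[0].startswith("Data: ")
        findings.append({
            "section": section,
            "object": d.group("object"),
            "threat": d.group("threat"),
            "data": parts[0][len("Data: "):] if has_data else None,
            "action": parts[-1].rstrip("."),
        })
    return findings


def recurring_detections(logs):
    """Given log texts in chronological order, return {key: [scan indexes]} for
    every detection (section, object, threat, data) seen in more than one scan.
    An item that is 'deleted successfully' and is back in the next scan is a
    persistence mechanism that the cleanup did not reach."""
    seen = defaultdict(list)
    for i, text in enumerate(logs):
        for f in parse_mbam_log(text):
            key = (f["section"], f["object"], f["threat"], f["data"])
            if i not in seen[key]:
                seen[key].append(i)
    return {k: v for k, v in seen.items() if len(v) > 1}


# Constructed sample: abridged from the log in the post, user name replaced.
SCAN_1 = r"""
Files Infected: 1

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Rogue.Antivirus2010) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Rogue.Antivirus2010) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\user\Local Settings\Temp\in1A.tmp (Malware.Trace) -> Quarantined and deleted successfully.
"""

# Constructed follow-up scan: the same three items return, plus one new item
# (invented) that does not recur and therefore must not be reported.
SCAN_2 = SCAN_1 + r"""C:\Documents and Settings\user\Local Settings\Temp\ex7.tmp (Malware.Trace) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for key, scans in recurring_detections([SCAN_1, SCAN_2]).items():
        section, obj, threat, data = key
        print(f"RECURRING in scans {scans}: [{section}] {obj} ({threat})"
              + (f" data={data}" if data else ""))
```

Run it against the real `mbam-log-*.txt` files from two consecutive scans (read each file with `open(path, encoding="utf-8", errors="replace").read()`) to get the list of items that survive the cleanup; those are the ones worth investigating for what writes them back at boot.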


#2 JSmith12345

JSmith12345
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:19 AM

Posted 12 October 2010 - 06:37 AM

It seems I have resolved the issue on my own. Please consider this thread closed, and thanks again!

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:19 PM

Posted 12 October 2010 - 04:12 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
