Virus not allowing me to open Malwareantivirus or HJT

Question

Lewis_UnderGrad 0 Light Poster

14 Years Ago

Hi guys,

I have some form of virus on my mahcine and have tried removing it. So far i have ran Avira on my machine which detected 21 files.

My next protocol would be to run malwarebytes however when i try to open the application, it doesnt actaully open. I have tried opening the application within SafeMode too but still unsuccessful. HTJ fails to open too.

What else can i try people??

windows-virus

5 Contributors
18 Replies
360 Views
2 Weeks Discussion Span
Latest Post 14 Years Ago Latest Post by dantheavgman

All 18 Replies

Rik_ 111 Nearly a Posting Maven

14 Years Ago

Go here - http://www.kaspersky.com/virusscanner and use the online scanner and see if that helps.

What version of windows are you using?

Rik_ 111 Nearly a Posting Maven

14 Years Ago

Cool, any luck with that online scanner?

crunchie 990 Most Valuable Poster

14 Years Ago

Yes. Try this though:

Delete the MBA-M installation file that is on your pc at present.
Go back to download MBA-M again. Click on the link to download it. Select the "Save" option.
When the panel pops up to ask you where you wish to save the file, before choosing where, rename the file. I chose "bambam" in my screenshot just as an example.
Once you have saved it, try again to install it.

Rik_ 111 Nearly a Posting Maven

14 Years Ago

Something you can try is superantispyware - http://www.superantispyware.com/?tag=GOOGLE-SUPERANTISPYWARE

It's not as powerful as Mbam but it may be able to clean your machine enough to allow Mbam to work.

jholland1964 650 Posting Expert

14 Years Ago

Here is the suggestion from the MBA-M site.
Delete that install file, also do a search to be sure it has NOT been installed and just doesn't show.
Then do the following:

Please download Malwarebytes' Anti-Malware to your desktop and save.
In order to get MBAM to install on the PC it will have to be installed under safemode
Note**This is usually not advised as MBAM does not install to its full capabilities under safe mode but for the task in hand it will do the job required.
Once in safe mode and you have your desktop in front of you
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to the following:
* Launch Malwarebytes' Anti-Malware
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad and if required the program will ask you to reboot to remove locked files.

If this does work, installing in Safe Mode and then also running in Safe Mode it is then advised that you again UNINSTALL MBA-M. Download it again and install it again only this time in Normal Mode. Then run another scan with it and have it remove all that is found.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Lewis_UnderGrad 0 Light Poster · Answer 1 · 2009-06-20T20:03:42+00:00

What version of windows are you using?

Hi, im using Windows XP Home Edition

Lewis_UnderGrad 0 Light Poster · Answer 2 · 2009-06-21T15:25:19+00:00

I ran an online scanner that i found on the Microsoft site (OneSecurity i think its called). It number 8 files and removed them. My mahcine appears to be a lot faster now but still cant open mbam or HJT.

I've read that renaming mbam.exe to boot.exe is another way to get mbam to work, is this true??

Lewis_UnderGrad 0 Light Poster · Answer 3 · 2009-06-24T19:22:01+00:00

Hi Crunchie,

I tired your suggestion and the SafeMode route but still, malwarebytes wont open.

What else can i try as the problem still persists?

Lewis_UnderGrad 0 Light Poster · Answer 4 · 2009-06-25T02:31:20+00:00

Hi jholland,

I tried your suggestion and although MBA installs in Safe Mode (and Normal) the application wont launch once installed.

I have uploaded a print screen of the processes that are running when my machine loads, please see the link below:

http://i256.photobucket.com/albums/hh179/v1raj/Misc/TaskTray.jpg

You may need to click on the image to enlarge it to clearly identify the process names.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 5 · 2009-06-25T10:41:13+00:00

Are you running an anti-virus program or a firewall? If so, disconnect from the internet and then try turning both off and try MBA-M.

Lewis_UnderGrad 0 Light Poster · Answer 6 · 2009-06-25T20:16:25+00:00

Tried the above and MBA-M successfully launched and updated. 19 issues were found and removed. Here is the log:

Time elapsed: 39 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{56acb669-4139-5611-cbba-f5acb0f4db09} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3e9adb4b-ecfc-4889-88ec-3ad373003605}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7eb4a71d-fb5a-4f59-ae0e-0009b6affd8b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7eb4a71d-fb5a-4f59-ae0e-0009b6affd8b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e5f96af2-f1e0-40dc-b9c8-0c06ca88faf2}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\SKYNETkdpkipxe.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETmyqomqpp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\SKYNETkvssfldy.sys (Trojan.Agent) -> Quarantined and deleted successfully.

However, the Google redirect problem still exists.. What else can i try?

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 7 · 2009-06-25T20:28:22+00:00

I need to see the TOP of the log, the part that reads like this:
Malwarebytes' Anti-Malware 1.38
Database version: 2319
Windows 5.1.2600 Service Pack 3

06/21/2009 2:11:38 PM
mbam-log-2009-06-21 (14-11-38).txt

Scan type: Quick Scan
Objects scanned: 105155
Time elapsed: 7 minute(s), 56 second(s)

However, the Google redirect problem still exists.. What else can i try?

You have to give it time here, this is not the only step you will need to do. Run a new HJT scan and post the log

Lewis_UnderGrad 0 Light Poster · Answer 8 · 2009-06-25T22:15:05+00:00

Sorry about that, thought i copied all the text.

MBAM-M

Malwarebytes' Anti-Malware 1.38
Database version: 2332
Windows 5.1.2600 Service Pack 3

25/06/2009 09:00:30
mbam-log-2009-06-25 (09-00-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 198397
Time elapsed: 39 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{56acb669-4139-5611-cbba-f5acb0f4db09} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3e9adb4b-ecfc-4889-88ec-3ad373003605}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7eb4a71d-fb5a-4f59-ae0e-0009b6affd8b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7eb4a71d-fb5a-4f59-ae0e-0009b6affd8b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e5f96af2-f1e0-40dc-b9c8-0c06ca88faf2}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.137,85.255.112.100 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\SKYNETkdpkipxe.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETmyqomqpp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\SKYNETkvssfldy.sys (Trojan.Agent) -> Quarantined and deleted successfully.

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:26:12, on 25/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AceBIT\WISE-FTP 5\wf_tp.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\jimmy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WISE-FTP Task Planner] "C:\Program Files\AceBIT\WISE-FTP 5\wf_tp.exe" /bg
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242335088296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

--
End of file - 5725 bytes

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 9 · 2009-06-25T23:56:42+00:00

Run HJT again and place a check mark next to the following entries if they remain;

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://google.com/[/url]
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing

Once you have placed the check marks click the Fix Checked button.
Exit HJT.
Reboot the computer.
Next do the following:
Please Run the ESET Online Scanner and attach the ScanLog with your post for assistance.

You will need to use Internet Explorer to to complete this scan.
You will need to temporarily Disable your current Anti-virus program.
Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
When you have completed that scan, a scan log ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

Again Reboot the System.
Run a new HJT scan and save the log. Post back here with both logs.

Lewis_UnderGrad 0 Light Poster · Answer 10 · 2009-07-02T02:05:11+00:00

Ok, removed the items suggested in HJT..

I then carried out a scan using ESET Sceener as suggested above. 1 threat was found and deleted. Below is the lof file:

ESET Log

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=7a3d8a9bb97f3f4dbd92c6375f4669cd
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-07-01 07:58:41
# local_time=2009-07-01 08:58:41 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 21 100 100 374716562500
# scanned=92597
# found=1
# cleaned=1
# scan_time=2704
C:\Documents and Settings\Vikram Dal\Desktop\Nero 7.10.1.0\Nero 7.10.1.0.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000

I then restarted my machine, updated MBAM, ran a new scan, here is the log:

MBAM

Malwarebytes' Anti-Malware 1.38
Database version: 2358
Windows 5.1.2600 Service Pack 3

01/07/2009 16:19:00
mbam-log-2009-07-01 (16-19-00).txt

Scan type: Full Scan (C:\|)
Objects scanned: 201456
Time elapsed: 39 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> Delete on reboot.

I then restarted and ran HJT, here is the log:

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:01:26, on 01/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AceBIT\WISE-FTP 5\wf_tp.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\jimmy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WISE-FTP Task Planner] "C:\Program Files\AceBIT\WISE-FTP 5\wf_tp.exe" /bg
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242335088296
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

--
End of file - 5555 bytes

Hope this helps..

Lewis_UnderGrad 0 Light Poster · Answer 11 · 2009-07-06T23:40:24+00:00

Since my last post, i have not used the machine infected. I ran a scan today and noticed that the file previously identified:

Files Infected:
C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> Delete on reboot.

Was still showing, therefore it was/has not been fully removed.

Here is the report from MBA today:

Malwarebytes' Anti-Malware 1.38
Database version: 2379
Windows 5.1.2600 Service Pack 3

06/07/2009 11:35:31
mbam-log-2009-07-06 (11-35-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 200201
Time elapsed: 41 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> Delete on reboot.

Does anybody know how to remove this virus?? How dangerous is it?

I've searched the net about the MSIVX rootkit virus and it appears that an app called ComboFix can resolve.

Rik_ 111 Nearly a Posting Maven · Answer 12 · 2009-07-06T23:56:12+00:00

Combofix is indeed what I would recommend.

Please be aware that in some cases combofix can render your pc unbootable.

If you decide to give it a try, make sure you do not touch either your mouse or your keyboard while it is running.

You will have to be patient and allow it to tell you that it has completed successfully before you do anything.

http://www.combofix.org/

Post it's log along with a fresh Mbam log and an HJT log in your next post.

dantheavgman 0 Newbie Poster · Answer 13 · 2009-07-09T14:46:46+00:00

HI, This seems like a UAC rootkit and is my personal favorite infection.

In order to analyse the issue please can you try running the following applications.

http://www2.gmer.net/gmer.zip Please run this if it doesnt run please rename to g.exe and post the log here

Also please can you run the following tool http://ad13.geekstogo.com/RootRepeal.rar

If your clever enough, do a scan on drivers , and hidden services However if you are unsure please post your findings on here and am sure we can advise what to do :)

Thanks

Daniel

AVG

Virus not allowing me to open Malwareantivirus or HJT

Recommended Answers Collapse Answers

All 18 Replies

Recommended Answers