Hi everyone.
Well, I don't know how to deal with this problem.
Malwarebytes' Anti-Malware found 2 Generic.Bot.H, but there is no way to delete them.

Registry Key :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{453e36y7-4080-42bf-6to5-27q74a2tn61k}

File :
C:\Windows\System32\winlog\winlog.exe

I used HijackThis and this is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:45 μμ, on 19/11/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16671)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Opera\opera.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\regedit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: DVDVideoSoftTB Toolbar - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files\DVDVideoSoftTB\tbDVD0.dll
R3 - URLSearchHook: Messenger Plus Live Greece Toolbar - {aca12d39-b4c1-42f6-a487-aaf892905f9f} - C:\Program Files\Messenger_Plus_Live_Greece\tbMes2.dll
O1 - Hosts: ώ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: DVDVideoSoftTB Toolbar - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files\DVDVideoSoftTB\tbDVD0.dll
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Messenger Plus Live Greece Toolbar - {aca12d39-b4c1-42f6-a487-aaf892905f9f} - C:\Program Files\Messenger_Plus_Live_Greece\tbMes2.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: DVDVideoSoftTB Toolbar - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files\DVDVideoSoftTB\tbDVD0.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Messenger Plus Live Greece Toolbar - {aca12d39-b4c1-42f6-a487-aaf892905f9f} - C:\Program Files\Messenger_Plus_Live_Greece\tbMes2.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe" -osboot
O4 - HKLM\..\Run: [HKLM] C:\Windows\system32\winlog\winlog.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Mike\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [1WKTqlPRxSXfVBKK] C:\Users\Mike\AppData\Roaming\cybergatecrypted.exe
O4 - HKCU\..\Run: [HKCU] C:\Windows\system32\winlog\winlog.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: Free YouTube Download - C:\Users\Mike\AppData\Roaming\DVDVideoSoftIEHelpers\youtubedownload.htm
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Users\Mike\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O13 - Gopher Prefix:
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Υπηρεσία Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ZoneAlarm ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\Program Files\OO Software\Defrag\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 11212 bytes

According to the HijackThis log, there are 2 winlog.exe entries:
O4 - HKLM\..\Run: [HKLM] C:\Windows\system32\winlog\winlog.exe
O4 - HKCU\..\Run: [HKCU] C:\Windows\system32\winlog\winlog.exe

I don't have the knowledge and the experience to understand more than that...

I installed OTM but unfortunately I have no idea what exactly I have to write in the OTM "Paste instructions for items to be moved" field so that I would be able to remove them by using the "MoveIt" option.

I also found the registry entry (by using the Run command and "registry") and perhaps I could delete it manually, but I'm sure that it wouldn't be the proper thing to do...
I would appreciate any help you can give me.

I use Windows 7.
Thank you and... I'm sorry for my English.
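A small triage script for the O4 (Run key) lines of a HijackThis log, added here as an example; it is not part of the thread, of HijackThis or of OTM. It only marks entries for review using heuristics such as the one the original poster noticed (the same winlog.exe registered under both HKLM and HKCU); the sample log lines are copied from the log above.

```python
import re
from collections import defaultdict

# Shape of a HijackThis O4 line: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)', re.IGNORECASE)
VOWELS = set("aeiouAEIOU")

# Sample input: O4 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HKLM] C:\Windows\system32\winlog\winlog.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Google Update] "C:\Users\Mike\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [1WKTqlPRxSXfVBKK] C:\Users\Mike\AppData\Roaming\cybergatecrypted.exe
O4 - HKCU\..\Run: [HKCU] C:\Windows\system32\winlog\winlog.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
"""

def exe_path(cmd):
    """Executable path of an O4 command line, lower-cased, with quotes and arguments stripped."""
    m = EXE_RE.match(cmd.strip())
    return (m.group("exe") if m else cmd.strip()).lower()

def looks_random(name):
    """Long alphanumeric value names with almost no vowels deserve a second look."""
    if not re.fullmatch(r"[A-Za-z0-9]{12,}", name):
        return False
    return sum(c in VOWELS for c in name) / len(name) < 0.2

def parse_o4(log_text):
    """Yield (hive, key, value name, executable path) for every O4 line in the log."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            yield m.group("hive"), m.group("key"), m.group("name"), exe_path(m.group("cmd"))

def triage(log_text):
    """Map each flagged executable to its review reasons. A flag means 'look closer', not 'malware':
    legitimate per-user updaters also run from AppData, so a human still decides."""
    entries = list(parse_o4(log_text))
    hives_per_exe = defaultdict(set)
    for hive, _key, _name, exe in entries:
        hives_per_exe[exe].add(hive.split("\\")[0])
    flags = defaultdict(list)
    for hive, _key, name, exe in entries:
        reasons = []
        if "\\appdata\\" in exe:
            reasons.append("runs from a user-writable AppData folder")
        if re.search(r"\\system32\\[^\\]+\\", exe):
            reasons.append("runs from a sub-folder of system32")
        if name.upper() == hive.split("\\")[0]:
            reasons.append("value name is just the hive name")
        if looks_random(name):
            reasons.append("random-looking value name")
        if {"HKLM", "HKCU"} <= hives_per_exe[exe]:
            reasons.append("same executable registered under both HKLM and HKCU")
        for r in reasons:
            if r not in flags[exe]:
                flags[exe].append(r)
    return dict(flags)
```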


Hi, welcome to DaniWeb.
First, we prefer that people begin with the steps found on our Read Me First sticky:
http://www.daniweb.com/forums/thread134865.html
You HAVE completed one of these steps, and that is running MBA-M; however, you only posted a portion of the MBA-M log. We need to see the entire log from top to bottom, not just the infection notations. Please post back with that entire log.
We also would like you to do this portion of the Read Me sticky, which is the running of
the Microsoft® Windows® Malicious Software Removal Tool.
*Due to the increasing prevalence of rootkits, this step is especially important if you do not run this tool regularly when visiting Windows Update.
Skip the ATF Cleaner and instead use the built-in Disk Cleanup on the computer. To access this, go to Start, All Programs, Accessories, System Tools, Disk Cleanup. Have it clean out ALL temp files there.
Since DDS is not compatible with Windows 7, you can use HijackThis, but the version of HijackThis you used is an old one. Please uninstall that one and download the newest version, which is version 2.0.4:
http://free.antivirus.com/hijackthis/

Post back with the full MBA-M log and the new HJT log.
Judy

Hi.
You're absolutely right about "Read Me First"... no excuses.
The reason I didn't post the MBA-M log is the Greek language. I thought it wouldn't be so useful.
Anyway, it doesn't matter anymore. Format was the "solution", since a black screen was presented every time I was trying to turn on my PC. No access at all, no safe mode, no nothing!
Thanks for replying back and for your valuable advice.

Sorry that you had to resort to a reformat, but as you said, it was probably the best solution.

Yes, I think it was...
Backup saved my life!
Thanks once again for the advice.

One more piece of advice: if something like this happens again and you need to run tools for scans and post them here or on another forum where the basic language is English, then either use the English version of the tool or run the logs through a translator. There are many available online for free. Here is one I have used in the past:

http://www.stars21.com/translator/
Here is one translated from English to Greek:
Malwarebytes 'Anti-Malware 1,46
www.malwarebytes.org

Βάση δεδομένων Έκδοση: 5142

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

18/11/2010 4:01:07 μμ
MBAM-log-2010-11-18 (16-01-07). txt

Τύπος σάρωσης: Πλήρης σάρωση (C: \ |)
Αντικείμενα σάρωση: 272471
Χρόνος: 47 λεπτά (ες), 12 δευτερόλεπτα (ες)

Μολυσμένες διεργασίες στη μνήμη: 0
Στοιχεία μνήμης Μολυσμένα: 0
Μολυσμένα κλειδιά μητρώου: 3
Μητρώο Μολυσμένες τιμές: 2
Μητρώο στοιχεία δεδομένων Μολυσμένα: 0
Φάκελοι Μολυσμένα: 0
Αρχεία Μολυσμένα: 4

Μολυσμένες διεργασίες στη μνήμη:
(Δεν εντοπίστηκαν επιβλαβή αντικείμενα)

Στοιχεία μνήμης Infected:
(Δεν εντοπίστηκαν επιβλαβή αντικείμενα)

Μολυσμένα κλειδιά μητρώου:
HKEY_CLASSES_ROOT \ setup.player (Spyware.MarketScore) -> σε καραντίνα και διαγράφηκε με επιτυχία.
HKEY_CLASSES_ROOT \ setup.player.2k2 (Spyware.MarketScore) -> σε καραντίνα και διαγράφηκε με επιτυχία.
HKEY_CLASSES_ROOT \ CLSID \ {35b7e48b-9d81-4c6c-9578-5fd4f620d886} (Spyware.MarketScore) -> σε καραντίνα και διαγράφηκε με επιτυχία.

Μητρώο Μολυσμένες τιμές:
HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ curre ntVersion \ RunOnce \ 36064180 (Trojan.SCTool.Gen) -> σε καραντίνα και διαγράφηκε με επιτυχία.
HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ curre ntVersion \ RunOnce \ 455084189 (Trojan.SCTool.Gen) -> σε καραντίνα και διαγράφηκε με επιτυχία.

Μητρώο στοιχεία δεδομένων Infected:
(Δεν εντοπίστηκαν επιβλαβή αντικείμενα)

Φάκελοι Μολυσμένα:
(Δεν εντοπίστηκαν επιβλαβή αντικείμενα)

Αρχεία Μολυσμένα:
C: \ Users \ Suzanne \ AppData \ Roaming \ Microsoft \ Windows \ Start Menu \ Programs \ Security Tool.LNK (Rogue.SecurityTool) -> σε καραντίνα και διαγράφηκε με επιτυχία.
C: \ Users \ Suzanne \ AppData \ Local \ 36064180.exe (Trojan.SCTool.Gen) -> σε καραντίνα και διαγράφηκε με επιτυχία.
C: \ Windows \ 0 (Trojan.SCTool.Gen) -> σε καραντίνα και διαγράφηκε με επιτυχία.
C: \ Users \ Suzanne \ AppData \ Local \ 455084189.exe (Trojan.SCTool.Gen) -> σε καραντίνα και διαγράφηκε με επιτυχία.


The one below is good for various phrases or sentences, but I have never tried it on a full log, so I don't know if the formatting can be held.
http://babelfish.yahoo.com/

I hope this won't happen again :)
But I know that it's very probable...
Thank you very much, I'll remember this.

It ISN'T probable if you use safe surfing rules and top-of-the-line security programs, don't use P2P like uTorrent or any other programs like it (which is truly the easiest way to get a serious infection), and do regular scans.

Well, now I see the translation... it is very accurate!
The truth is that till now (and I've been a user for many years) I've never had serious problems.
As a matter of fact, it is the second time I have used the reformat option, and the first time was not because of an infection, if I remember well...
Of course, in any case, you are absolutely right.

That is good to know, that the translation is accurate. I, like most others in the USA, am pretty much "flying blind" when it comes to other languages, as we don't learn them here as is done in other countries in the world. I know most others also learn English as well as their own native language. That is one thing very lacking in our education.

Yes, I understand, but on the other hand you are lucky, in a way, because everybody can speak some English, more or less...
Take me, for example! I can't speak very well, but well enough for me to do my "job"!
You wouldn't like to learn Greek, believe me... very difficult :)

No, I will pass on Greek. Learning the Greek alphabet was enough!

Well, maybe it was :)
Any kind of knowledge, including languages, is good...
I need to improve my knowledge of English and PC stuff for sure :)
