0

Hi there,
Complete newbie; my PC hasn't been able to connect to the internet since Malwarebytes removed a trojan file. I've run the requested logs as below. MBA-M did not find anything. I've no idea what to do or what it means. Please help!


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-08-03 09:18:16
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000AACS-00ZUB0 rev.01.01B01
Running: 4e9nu7iw.exe; Driver: C:\Users\Damnably\AppData\Local\Temp\uwliqkog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-03 09:40:44
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000AACS-00ZUB0 rev.01.01B01
Running: 4e9nu7iw.exe; Driver: C:\Users\Damnably\AppData\Local\Temp\uwliqkog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{B6A930A0-A4F5-43A5-9B4E-6189A6C2B9E8}@t!s!d!f!`!`!\24!t!s!t!t!r!d!r!s!\30! 19583823

---- EOF - GMER 1.0.15 ----

.
DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.19048
Run by Damnably at 9:49:00 on 2011-08-03
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.2046.1262 [GMT 1:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
uURLSearchHooks: midicair Toolbar: {77f8c945-4b74-4bd6-a073-e0d1997edce8} - c:\program files\midicair\tbmidi.dll
mURLSearchHooks: midicair Toolbar: {77f8c945-4b74-4bd6-a073-e0d1997edce8} - c:\program files\midicair\tbmidi.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: midicair Toolbar: {77f8c945-4b74-4bd6-a073-e0d1997edce8} - c:\program files\midicair\tbmidi.dll
TB: midicair Toolbar: {77f8c945-4b74-4bd6-a073-e0d1997edce8} - c:\program files\midicair\tbmidi.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [MedionVFD] "c:\program files\medion info display\MdionLCMLH.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [LanguageShortcut] "c:\program files\home cinema\powerdvd\language\Language.exe"
mRun: [PCMService] "c:\program files\home cinema\powercinema\PCMService.exe"
mRun: [toolbar_eula_launcher] c:\program files\googleeula\EULALauncher.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Skytel] Skytel.exe
mRun: [SSC Service Utility] c:\program files\ssc service utility\ssc_serv.exe /s
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\mLAN Manager.lnk.disabled
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\Scanner Finder.lnk.disabled
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{8FE76106-3F2E-45D2-909D-2289554B95F0} : DhcpNameServer = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\damnably\appdata\roaming\mozilla\firefox\profiles\avvtyu7c.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=867034&p=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2008-4-7 17920]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2010-10-16 33792]
R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [2008-4-7 13976]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-9 135664]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-9-18 1153368]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-9 135664]
S3 mLanBus;Yamaha mLAN Bus Driver;c:\windows\system32\drivers\mLanBus.sys [2008-4-25 93568]
S3 mLanMIDI;Yamaha mLAN MIDI Driver;c:\windows\system32\drivers\mLanMIDI.sys [2008-4-25 12800]
S3 mLanPDev;YAMAHA mLAN Physical Driver;c:\windows\system32\drivers\mLanPDev.sys [2006-10-4 20992]
S3 mLanStrm;Yamaha mLAN Audio Driver;c:\windows\system32\drivers\mLanStrm.sys [2008-4-25 25472]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-08-02 23:50:34 -------- d-----w- c:\users\damnably\appdata\local\Adobe
2011-08-02 06:07:04 6881616 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{3f6ffb72-c0ab-4ecb-8956-c9c29da6722c}\mpengine.dll
2011-07-15 10:22:56 -------- d-----w- c:\users\damnably\appdata\roaming\Spotify
2011-07-15 10:22:56 -------- d-----w- c:\users\damnably\appdata\local\Spotify
2011-07-15 10:22:52 -------- d-----w- c:\program files\Spotify
2011-07-06 21:37:29 -------- d-----w- c:\users\damnably\appdata\local\ApplicationHistory
2011-07-06 19:57:46 -------- d-----w- c:\windows\system32\URTTEMP
.
==================== Find3M ====================
.
2011-07-06 18:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-24 18:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 9:49:19.76 ===============

0

Some trojans attach themselves into the operating system's IP stack. The IP stack is basically a list of programs or processes that handle the data coming into your PC. Some trojans will embed themselves into this stack, so their removal causes a 'hole' in the stack and the process is now broken.

There are different methods to repair your IP configuration depending on your version of Windows. You should search for 'Repairing IP Stack' + your version of Windows to find the fix.

Make sure that the trojan is completely removed before fixing the stack or you will have the same problem the next time you remove it. Run MalwareBytes until it comes back clean.

I found this link on the Microsoft Site: http://support.microsoft.com/kb/299357

Edited by svilla: Additional Information

0

We need to see the log produced by MBA-M that actually removed the Trojan. We can recommend nothing until we know which one we are dealing with.
You also need to copy/paste that Attach.txt log here; we do not open attached files, and our sticky is quite specific with that instruction.

0

This is the current MBA-M scan log, and I also found the protection log from before the trojan removal below. Something failed.

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7035

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19048

04/08/2011 00:43:09
mbam-log-2011-08-04 (00-43-09).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 270556
Time elapsed: 34 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


PROTECTION-LOG-2011-08-02

06:47:34 (null) MESSAGE Scheduled update executed successfully
06:48:12 Damnably MESSAGE Protection started successfully
06:48:16 Damnably MESSAGE IP Protection started successfully
06:48:17 Damnably MESSAGE IP Protection stopped
06:48:20 Damnably MESSAGE Database updated successfully
06:48:22 Damnably MESSAGE IP Protection started successfully
06:49:30 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent QUARANTINE
06:49:30 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
06:49:31 Damnably ERROR Quarantine failed: DeleteFile failed with error code 5
06:49:50 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
06:54:37 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
06:54:43 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
06:54:43 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
07:04:50 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
07:04:51 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
07:04:51 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
07:04:51 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
07:04:51 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
07:04:58 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
07:04:58 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
07:04:58 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
07:04:58 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
07:04:58 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
07:09:43 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
07:09:43 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
07:09:44 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
07:09:44 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
07:15:02 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
07:15:02 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
07:26:56 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
07:26:56 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
07:27:07 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
08:11:47 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
08:23:36 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
08:27:09 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
08:27:55 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
08:28:02 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
08:29:19 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
08:29:26 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
08:40:31 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
08:42:50 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
08:43:16 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
08:57:14 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
09:08:44 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
09:10:57 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
09:29:09 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
09:37:15 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
09:37:23 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
09:37:38 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
09:49:02 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
09:49:02 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
09:49:04 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
09:49:04 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
09:51:13 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
09:57:05 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
09:58:52 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
09:59:08 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
10:18:50 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
10:19:18 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
10:19:36 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
10:26:33 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
10:36:38 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
10:41:13 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
10:41:19 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
10:42:07 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
10:43:29 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
10:47:02 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
11:10:42 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
11:11:12 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
11:16:01 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
11:20:09 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
11:24:08 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
11:39:25 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
11:39:28 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
11:39:53 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
11:42:22 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
13:04:34 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
13:07:33 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
13:07:51 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
13:08:01 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
13:08:10 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
13:08:21 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
13:08:54 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
13:08:58 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
14:06:11 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
14:06:37 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
14:10:24 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
14:11:59 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
14:12:34 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
14:13:17 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
14:22:12 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
14:24:01 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
14:27:36 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent ALLOW
14:34:32 Damnably MESSAGE Protection started successfully
14:34:36 Damnably MESSAGE IP Protection started successfully
15:59:03 Damnably MESSAGE Protection started successfully
15:59:06 Damnably MESSAGE IP Protection started successfully
16:32:06 Damnably ERROR IsValidLicenseKey failed with error code 13
16:32:06 Damnably MESSAGE Protection stopped
17:27:31 Damnably ERROR IsValidLicenseKey failed with error code 13
17:27:31 Damnably MESSAGE Protection stopped

Any help appreciated
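The protection log above is the most useful evidence in the thread, and it is easy to misread by eye because the same file appears in two spellings. As an added example (not code from the thread, from the poster, or from Malwarebytes), the Python script below parses lines in the format shown above and pulls out the three facts a responder would want: how many times each file was blocked (grouping the mixed-case paths as one file, since Windows paths are case-insensitive), whether a quarantine attempt was followed by further detections of the same file, and which ERROR lines occurred. The sample log is a constructed subset of the lines posted above. The mapping of error codes 5 and 13 to Win32 names is an assumption that MBAM reports raw Win32 error codes; 5 is ERROR_ACCESS_DENIED and 13 is ERROR_INVALID_DATA in the Win32 system error table.

```python
"""Triage a Malwarebytes' Anti-Malware protection log (line format as posted in the thread)."""
import re
from collections import Counter

# HH:MM:SS <user or (null)> <LEVEL> <free text>
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<user>\S+) (?P<level>MESSAGE|DETECTION|ERROR) (?P<text>.*)$"
)
# DETECTION text: <path> <threat name> <action>; the path is matched lazily so it may contain spaces
DETECTION_RE = re.compile(r"^(?P<path>.+?) (?P<threat>\S+) (?P<action>QUARANTINE|DENY|ALLOW)$")
ERROR_CODE_RE = re.compile(r"error code (?P<code>\d+)$")

# Assumption: MBAM logs raw Win32 error codes (names from the Win32 system error table).
WIN32_ERRORS = {5: "ERROR_ACCESS_DENIED", 13: "ERROR_INVALID_DATA"}

# Constructed sample: a subset of the protection log posted in the thread, same format.
SAMPLE_LOG = r"""
06:47:34 (null) MESSAGE Scheduled update executed successfully
06:48:12 Damnably MESSAGE Protection started successfully
06:48:16 Damnably MESSAGE IP Protection started successfully
06:49:30 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent QUARANTINE
06:49:30 Damnably DETECTION C:\Windows\system32\msible.dll Trojan.Agent DENY
06:49:31 Damnably ERROR Quarantine failed: DeleteFile failed with error code 5
06:49:50 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent DENY
14:27:36 Damnably DETECTION C:\WINDOWS\SYSTEM32\MSIBLE.DLL Trojan.Agent ALLOW
14:34:32 Damnably MESSAGE Protection started successfully
16:32:06 Damnably ERROR IsValidLicenseKey failed with error code 13
16:32:06 Damnably MESSAGE Protection stopped
"""


def parse_log(text):
    """Parse protection-log lines into event dicts; blank or unrecognized lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        if ev["level"] == "DETECTION":
            d = DETECTION_RE.match(ev["text"])
            if d:
                ev.update(d.groupdict())
                # Windows paths are case-insensitive: fold so both spellings count as one file.
                ev["key"] = ev["path"].casefold()
        elif ev["level"] == "ERROR":
            e = ERROR_CODE_RE.search(ev["text"])
            ev["code"] = int(e.group("code")) if e else None
        events.append(ev)
    return events


def triage(events):
    """Count actions per file and flag the conditions that show the block did not hold."""
    actions = {}        # folded path -> Counter of QUARANTINE/DENY/ALLOW
    quarantined_at = {} # folded path -> time of the last QUARANTINE action
    last_seen = {}      # folded path -> time of the last detection of any kind
    allowed = []        # (time, path, threat) for ALLOW decisions
    errors = []         # (time, text, win32 name) for ERROR lines
    for ev in events:
        if ev["level"] == "DETECTION" and "key" in ev:
            k = ev["key"]
            actions.setdefault(k, Counter())[ev["action"]] += 1
            last_seen[k] = ev["time"]
            if ev["action"] == "QUARANTINE":
                quarantined_at[k] = ev["time"]
            elif ev["action"] == "ALLOW":
                allowed.append((ev["time"], ev["path"], ev["threat"]))
        elif ev["level"] == "ERROR":
            errors.append((ev["time"], ev["text"], WIN32_ERRORS.get(ev["code"], "unknown code")))

    findings = []
    # A file detected again after its QUARANTINE time was not actually removed.
    for k, t in quarantined_at.items():
        if last_seen[k] > t:  # same-day HH:MM:SS strings compare correctly as text
            findings.append(f"{k}: quarantined at {t} but detected again until {last_seen[k]}, so removal did not take")
    for t, path, threat in allowed:
        findings.append(f"{path}: ALLOW at {t} lifts the block on a file still flagged as {threat}")
    for t, text, name in errors:
        findings.append(f"{t}: {text} [{name}]")
    return {"actions": actions, "findings": findings}


if __name__ == "__main__":
    report = triage(parse_log(SAMPLE_LOG))
    for path, counts in report["actions"].items():
        print(path, dict(counts))
    for line in report["findings"]:
        print("-", line)
```

Run against the constructed sample, the script reports one file (both spellings folded together) with one QUARANTINE, two DENY and one ALLOW, and three findings: the quarantine at 06:49:30 did not take because the file was detected again afterwards, the 14:27:36 ALLOW lifted the block on a still-flagged file, and the two ERROR lines with their Win32 names. On the full log the same logic shows the file being blocked for roughly eight hours before the ALLOW decision, which is the "something failed" the poster noticed.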

0

And this is the attach.txt below. Sorry, the message at the top confused me as it says to zip and attach it rather than post it.

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume1
Install Date: 09/09/2010 17:34:39
System Uptime: 03/08/2011 07:34:42 (2 hours ago)
.
Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | MS-7318
Processor: Intel(R) Core(TM)2 Duo CPU E4600 @ 2.40GHz | Socket 775 | 2394/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 451 GiB total, 258.188 GiB free.
D: is FIXED (FAT32) - 15 GiB total, 10.045 GiB free.
E: is Removable
F: is Removable
G: is Removable
H: is CDROM (CDFS)
I: is FIXED (FAT) - 2 GiB total, 0.059 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP388: 10/07/2011 15:19:34 - Scheduled Checkpoint
RP389: 11/07/2011 09:22:52 - Scheduled Checkpoint
RP390: 13/07/2011 11:12:23 - Windows Update
RP391: 14/07/2011 04:34:01 - Scheduled Checkpoint
RP392: 15/07/2011 12:48:43 - Scheduled Checkpoint
RP393: 16/07/2011 10:52:46 - Windows Update
RP394: 17/07/2011 13:27:18 - Scheduled Checkpoint
RP395: 18/07/2011 14:51:11 - Scheduled Checkpoint
RP396: 19/07/2011 09:08:33 - Windows Update
RP397: 20/07/2011 08:41:48 - Scheduled Checkpoint
RP398: 21/07/2011 12:36:32 - Scheduled Checkpoint
RP399: 22/07/2011 12:03:32 - Scheduled Checkpoint
RP400: 23/07/2011 10:27:39 - Windows Update
RP401: 24/07/2011 00:18:41 - Scheduled Checkpoint
RP402: 25/07/2011 00:00:04 - Scheduled Checkpoint
RP403: 25/07/2011 18:44:17 - Scheduled Checkpoint
RP404: 26/07/2011 19:05:52 - Scheduled Checkpoint
RP405: 27/07/2011 17:27:26 - Scheduled Checkpoint
RP406: 28/07/2011 09:21:46 - Windows Update
RP407: 29/07/2011 15:15:04 - Scheduled Checkpoint
RP408: 30/07/2011 22:50:23 - Windows Update
RP409: 31/07/2011 13:19:08 - Scheduled Checkpoint
RP410: 01/08/2011 17:30:20 - Scheduled Checkpoint
RP411: 02/08/2011 07:06:03 - Windows Update
.
==== Installed Programs ======================
.
7-Zip 9.20
ABBYY FineReader OCR Engine
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
ATI Catalyst Install Manager
BS.Player FREE
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Vista
ccc-core-static
ccc-utility
CCC Help English
Conduit Engine
Dealio Toolbar v4.0.2
DivX Setup
eMule
EPSON Print CD
FileZilla Client 3.3.5.1
Free Mp3 Wma Converter V 1.91
Google Chrome
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Malwarebytes' Anti-Malware version 1.51.1.1800
Medion Info Display (MCE)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook 2003
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
midicair Toolbar
mLAN Tools 2.0
mLANApplications for Yamaha
Mozilla Firefox 5.0 (x86 en-GB)
MP4 To MP3 Converter V3.0.4
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 8 Essentials
neroxml
OpD2d
OpenOffice.org 3.2
Platform
PowerCinema
PowerDVD
PowerProducer
RarZilla Free Unrar
Realtek High Definition Audio Driver
ScanWizard 5
Search Settings v1.2.3
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Skins
Sony Sound Forge 8.0
Sound Forge Audio Studio 10.0
Spotify
Spybot - Search & Destroy
SSC Service Utility v4.30
Steinberg Cubase SX v3.1.1.944
Syncrosoft's License Control
SyncroSoft Emu (Remove only)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC80CRTRedist - 8.0.50727.4053
VCRedistSetup
VIA Platform Device Manager
Windows Media Player Firefox Plugin
X10 Hardware(TM)
Yamaha Studio Manager
.
==== End Of File ===========================

0

What is that protection log? Honestly am not familiar with that.

That midicair Toolbar is really considered very questionable. It is a Conduit toolbar. Conduit toolbars are reputed to have a certain trackware functionality.
You should really give serious consideration to uninstalling it if you personally installed it and if you didn't choose to install it then by all means get rid of it.
If that MBA-M was run today it is way out of date. Your Database version: 7035. Most current Database version is 7367. The absolute rule with MBA-M is update before each and every scan, even scans done one after another. They release multiple updates daily, sometimes just a few minutes apart. You need to update and run another Full Scan.

Edited by jholland1964: n/a

0

Hi,

The protection log was a log from a scan on MBA-M from before it removed the trojan.

I'm currently on a MacBook; I'm not sure how to update MBA-M for a PC that won't connect to the internet, on a Mac?

I tried to reset the winsock cmd but it's come up with this error:

"Initialization Function InitHelperDll in NSHHTTP.DLL failed to start with error code 11003"

0

If the computer is infected in a way which prevents you from updating MBAM, you should try using the Malwarebytes manual update process:

Using another PC, download the Malwarebytes database installer from http://data.mbamupdates.com/tools/mbam-rules.exe
Save mbam-rules.exe on a USB or flash drive and transfer it to the affected computer
Open mbam-rules.exe to start updating MBAM

Did you try to run that winsock fix as Administrator? That must be done if using Vista.

Repair and reset the Windows Vista

Click on Start button.
Type Cmd in the Start Search text box.
Press the Ctrl-Shift-Enter keyboard shortcut to run Command Prompt as Administrator. Allow the elevation request.
Type netsh winsock reset in the Command Prompt shell, and then press the Enter key.
Restart the computer.

0

Did both. No effect. Deleted winsock and winsock2, manually reinstalled TCP/IP. Now the PC says it's connected to the internet but pages still won't load/display...

0

I suspect the problem involves the Conduit Engine, which hijacks search results and is a nightmare to remove. It can cause "Connection was reset" and numerous other errors. You still have it listed as an installed program, which is a serious problem, especially since it is greyware that not all anti-malware programs (like Malwarebytes) will remove. Instead they will sometimes remove the affiliate program that was tied in with the Conduit engine. Supposedly Stopzilla (which is an otherwise weak anti-malware program) removes it, but I can't say for sure since I am currently troubleshooting with my parents over the phone and it hasn't finished yet.

The Conduit Engine can also show up as the Game Master Community Toolbar.

0

C:\Windows\system32\msible.dll

To have that file I am assuming you have Windows 7. I believe that file might be something to do with the Windows idle processor. What I would suggest doing is booting up Windows in safe mode, then renaming that file by putting the number 3 at the end. Then put in the Windows installation disk and do a repair of the system, and it should replace that file with a clean one. If not, then rename that file back.

If it comes down to it I think you can reinstall Windows without losing your files, but you lose anything in Program Files and any Registry entries. But that's an assumption from a past experience.

0

To have that file I am assuming you have Windows 7. I believe that file might be something to do with the Windows idle processor. What I would suggest doing is booting up Windows in safe mode, then renaming that file by putting the number 3 at the end. Then put in the Windows installation disk and do a repair of the system, and it should replace that file with a clean one. If not, then rename that file back.

If it comes down to it I think you can reinstall Windows without losing your files, but you lose anything in Program Files and any Registry entries. But that's an assumption from a past experience.

Sorry, but you have misread the name of the file in question:
the file removed was C:\Windows\system32\msible.dll, with a "b" not a "d".
The poster is also running Vista, not Windows 7.
That file very likely was/is a trojan. But since the poster has never returned, we have no way of knowing whether he has been able to get the internet working again.

Edited by jholland1964: n/a
