i mean c:/qoobox - where the quarantined stuff is, etc
zbizzy 0 Light Poster
ok to delete the c:/ComboFix folder now too? isnt there some run code like combofix /u or something i need to do now?
zbizzy 0 Light Poster
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:36 PM, on 12/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\M-Audio\Ozone\Install\ozinst.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: …
zbizzy 0 Light Poster
ok done... so that's it?
zbizzy 0 Light Poster
here it goes :)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:09 PM, on 12/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\M-Audio\Ozone\Install\ozinst.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] …
zbizzy 0 Light Poster
so am I clean? good to go? nothing else to remove? id like to mark this thread solved and hand out some rep points if so :)
zbizzy 0 Light Poster
Then you have to disable the McAfee one, this would be one reason for the infections, more than one firewall running can lessen protection not increase it.
I would bet a nickel that the Zone Alarm is the reason for the long MBA-M scans it is most definitely something that the MBA-M people are studying right now....it slows or freezes the scan...therefore making the scan run much longer than it should.
i actually tracked down the infections, it was from a uk news website that i frequent, that was itself infected...
and you are quite possibly right with the zone alarm thing - i disabled zonealarm to run the quick scan and it only took like 5 minutes or whatever it showed there...
zbizzy 0 Light Poster
here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:04:54 PM, on 12/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\M-Audio\Ozone\Install\ozinst.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 …
zbizzy 0 Light Poster
ok, brb :)
zbizzy 0 Light Poster
here's the quick scan log file from mbam, nothing to remove... should i reboot first then run HJT, or go ahead and run it since nothing was said to be removed in mbam?
Malwarebytes' Anti-Malware 1.31
Database version: 1508
Windows 5.1.2600 Service Pack 2
12/16/2008 5:54:22 PM
mbam-log-2008-12-16 (17-54-22).txt
Scan type: Quick Scan
Objects scanned: 58018
Time elapsed: 5 minute(s), 36 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
zbizzy 0 Light Poster
In going through your logs to see what files were running and which could be stopped using Task Manager I discovered that you are running TWO firewalls, at least, three if the Windows firewall is enabled.
This is an absolute No-No. ONE firewall on a computer is the rule.
This may very well be one reason your MBA-M scans are taking so long...multiple firewalls blocking it's action and causing it to stall, especially Zone Alarm. Get rid of Zone Alarm, uninstall it since the McAfee Firewall is part of your security suite from them.
the zonealarm is on there because i have a couple music software programs that like to dial home and the mcafee actually allows them to do so... the progs are legit software so it isnt that i dont want them detected, i just dont care for the fact that they try to call home with each load up, and zonealarm is the only one ive been able to actually use to block them from doing so... and i dont have windows firewall running, cuz it is a pain in my ass haha
zbizzy 0 Light Poster
And a full scan shouldn't take hours, should take maximum 2 hours or so.....
that what i keep getting told, unfortunately it does as u can see from the other logs ive posted... it is running now in the other room on quick scan, so far so good, nothing detected.... yet :)
zbizzy 0 Light Poster
do i need to run a full scan, or can i run the quick scan? full scan takes HOURS
zbizzy 0 Light Poster
also, what is the childhe.com in the possible infected sites thing? thats a site i never heard of, but it seems when i search it, it is listed as a site infected with the very trojan i have... is it possibly the site the pop ups try to connect to? i always close the window when they pop up before they can connect, so ive never actually let one go long enuff to load...
zbizzy 0 Light Poster
that didnt work either, unfortunately, however, using services.msc i was finally able to get most of mcafee to shut down and then rebooted.... combofix actually ran while i was in the other room on the laptop trying to figure out how to get mcafee to shut down
... here is the log:
ComboFix 08-12-15.08 - Compaq_Owner 2008-12-16 16:59:30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1470.1031 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\install.exe
c:\windows\system32\fudiyeru.dll
c:\windows\system32\goyakazu.dll
c:\windows\system32\msvcsv60.dll
c:\windows\system32\sozerilu.dll
c:\windows\system32\ururewig.ini
c:\windows\Tasks\svoglprh.job
D:\Autorun.inf
----- BITS: Possible infected sites -----
hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-11-16 to 2008-12-16 )))))))))))))))))))))))))))))))
.
2008-12-15 22:18 . 2008-12-15 22:18 <DIR> d-------- c:\program files\CCleaner
2008-12-13 15:42 . 2008-12-13 15:42 552 --a------ c:\windows\system32\d3d8caps.dat
2008-12-13 12:39 . 2008-12-13 12:39 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2008-12-13 12:38 . 2008-12-13 12:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-13 12:38 . 2008-12-13 12:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-13 12:38 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-13 12:38 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-13 12:11 . 2005-11-12 19:45 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2008-12-13 12:11 . 2005-11-12 20:05 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
…
zbizzy 0 Light Poster
nope, tried that. it restarts itself. NEXT!
zbizzy 0 Light Poster
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.[/B]
Mcafee is impossible to disable or shut down. no matter what i try, even disabling it all in services.msc either makes it restart or I get an access denied - and yes, I am logged in as administrator...
mcafee blocks combofix from operating, and when the pop up asking if i would liketo allow it comes up, i click yes, and it locks up my system and combofix obviously will not run...
any other sugestions?
zbizzy 0 Light Poster
just checkin from work to see if any replies... nope lol... also wanted to mention, after the first run of mba-m it stopped the explorer.exe crashing, however, now whenever firefox is open, it randomly tries to open windows...
zbizzy 0 Light Poster
well, right after the post last night, where i mentioned it taking 8 hours, i started it again, and it is still running, only halfway thru my drive, 10 hours later...
now, instead of patronizing me like you both have been so far, why dont you use the information that is up there and try to actually help me?
when i ran the program, it was up to date. when it was finished running, it was not. I am not going to just sit here in an endless cycle of "you need to update" every time i post a log, because that seems that is all you guys want to say.
so, use what I gave you already and see what you can do, and when I get home from work tonight, I will post the log of the scan that has been running for the past 10 hours, so you can then tell me "your mbam is out of date, please update it and scan again", since most likely it will take another 10 or so hours from the looks of it. Each time I update mbam, it takes longer and longer to scan my drive.
btw --- I turned zonealarm off last night before running the program - so that is definitely not an issue, I have the system disconnected from the net as well, and posting from my laptop...
also, my HD is 1TB in size
zbizzy 0 Light Poster
meaning that file cannot be removed until the computer is rebooted because it must delete it BEFORE it begins to run.
Please update your MBA-M do another scan, REBOOT and then run a new HJT scan and post the log.
I know what delete on reboot means, kthanx.
zbizzy 0 Light Poster
ok, see my edit i made after posting the other post... the version with db 1497 was the one I got yesterday, and hit update yesterday, and the program said it was up to date (around 4pm eastern time is when i got it and installed it) ... it takes almost 8 hours for the program to run the scan, if you can see from my logs i posted... so in the 24 hours or so since i first got the program, and updated it, it has updated the database 7 more times? so essentially, by the time it is done running and I can get on the computer to post it, the database will have updated again, and instead of trying to help, is someone going to tell me I need to update it again since by the time I can post the log, it will probably have been updated?
zbizzy 0 Light Poster
here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:54:20 PM, on 12/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {e6bfd404-2727-414f-90af-c9417a8865d0} - C:\WINDOWS\system32\lekefoji.dll (file missing)
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [M-Audio …
zbizzy 0 Light Poster
Alright, your MBA-M is not up to date, can you pls update it, under the update tab to the latest database version.
Then, redo the scan, removing everything it finds and rebooting and then posting the log. Once that is done, run HJT and post both the MBA-M and the HJT log.
Thanks,
Cohen
yes it is...
edit: ok, the program itself when i checked for update said there were none to be downloaded, but i found a db update to put it to version 1498 instead of 1497... regardless, the 1497 version of the database is the one i got from malwarebytes.org yesterday, and I would like to see if this is fixable without having to run the program again for the next 7 to 8 hours (as you can see how long it takes the scan)...
zbizzy 0 Light Poster
that one was the one i let run while I was at work.... here is the previous one from the night before:
Malwarebytes' Anti-Malware 1.31
Database version: 1497
Windows 5.1.2600 Service Pack 2
12/15/2008 7:45:52 AM
mbam-log-2008-12-15 (07-45-52).txt
Scan type: Full Scan (C:\|)
Objects scanned: 289096
Time elapsed: 6 hour(s), 35 minute(s), 10 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\huvobogo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gakuyipe.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yisogepogo (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm4f23fbd2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\gakuyipe.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\gakuyipe.dll -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\huvobogo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ogobovuh.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gakuyipe.dll (Trojan.Vundo.H) -> Delete on reboot.
…
zbizzy 0 Light Poster
sorry, i meant to paste it in last time and forgot to... here it is....
Malwarebytes' Anti-Malware 1.31
Database version: 1497
Windows 5.1.2600 Service Pack 2
12/15/2008 5:49:51 PM
mbam-log-2008-12-15 (17-49-51).txt
Scan type: Full Scan (C:\|)
Objects scanned: 289396
Time elapsed: 7 hour(s), 36 minute(s), 24 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
c:\WINDOWS\system32\vimekege.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e6bfd404-2727-414f-90af-c9417a8865d0} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e6bfd404-2727-414f-90af-c9417a8865d0} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm4f23fbd2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yisogepogo (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4c10c84e (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\vimekege.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\vimekege.dll -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\vimekege.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\besehevi.dll (Trojan.Agent) -> …
zbizzy 0 Light Poster
ok, so mbam run on my system like 15 times, mcaffee, etc all find vundo, remove it, and it comes right back... dunno what to do except wipe my entire hard drive, which i do not want to do right now
someone please help! how do i get rid of this virus????
zbizzy 0 Light Poster
after reading other threads here, im now running Malwarebytes' Anti-Malware... did a quick scan first, found vundo, didnt fix it yet, started full scan to see what else is, if anything is going on... will post results here of hijack and mbam after just in case so anyone can tell me if i missed somehting :)
zbizzy 0 Light Poster
I cant load safe mode either, it keeps crasing in safe mode as well, here is my hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:54 PM, on 12/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} …