2 Bronze

Possible Malware Infection ?

I am re-posting this at the suggestion of admin.

 

My yahoo contacts apparently were hacked into over the weekend.  I'm trying to make sure my comp. is clean.  Please review this and let me know if you notice anything suspicious.  Thanks.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:00:06 PM, on 6/22/2010
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\mgabg.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\stickies.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Bellsouth\HelpCenter\bin\sprtcmd.exe
C:\WINNT\system32\PDesk\PDesk.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Atomic Clock Sync\Atomic.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\Users\Dan\Programs\HeyJoe\HeyJoe.exe
C:\Program Files\Second Copy 97\sc97.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe
C:\Users\Dan\Programs\Ditto\Ditto.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Users\Dan\Programs\KeePass\KeePass.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\MailWasher\MailWasher.exe
P:\PMAIL\Programs\winpm-32.exe
C:\Users\Dan\Programs\2xExplorer\2xExplorer.exe
C:\Users\Dan\Programs\HiJackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bing.com/?pc=AVBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=AVBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:81
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe /ICON
O4 - HKLM\..\Run: [stickies] C:\WINNT\stickies.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [HelpCenter] C:\Program Files\Bellsouth\HelpCenter\bin\sprtcmd.exe /P HelpCenter
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [Hey, Joe!] C:\Users\Dan\Programs\HeyJoe\HeyJoe.exe
O4 - HKCU\..\Run: [Second Copy 97] C:\Program Files\Second Copy 97\sc97.exe /InitialWait=5
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster 2.0\Rambooster.exe
O4 - HKCU\..\Run: [Mail Box Dispatcher] C:\Program Files\Mail Box Dispatcher 2\mboxd2.exe
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe"
O4 - HKCU\..\Run: [Ditto] C:\Users\Dan\Programs\Ditto\Ditto.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: Download using Download &Express - C:\Documents and Settings\A-Z\Desktop\Add_Url.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: pdaConverter - C:\Program Files\pdaConverter 1.3\convert_url.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O15 - Trusted Zone: admin.1and1.com
O15 - Trusted Zone: http://cafemail.aeccafe.com
O15 - Trusted Zone: http://www.aecvizpro.biz
O15 - Trusted Zone: http://*.aecvizpro.biz
O15 - Trusted Zone: *.aecvizpro.com
O15 - Trusted Zone: http://www.amazon.com
O15 - Trusted Zone: http://www.amsouth.com
O15 - Trusted Zone: *.amsouth.com
O15 - Trusted Zone: http://www.atmosenergy.com
O15 - Trusted Zone: *.atmosenergy.com
O15 - Trusted Zone: http://webmail.att.net
O15 - Trusted Zone: *.bellsouth.com
O15 - Trusted Zone: *.capitolone.com
O15 - Trusted Zone: resources.cardmemberservices.com
O15 - Trusted Zone: *.cardmemberservices.com
O15 - Trusted Zone: resources.chase.com
O15 - Trusted Zone: *.comast.com
O15 - Trusted Zone: http://www.comcast.com
O15 - Trusted Zone: http://www.corel.com
O15 - Trusted Zone: http://www.cudrc.com
O15 - Trusted Zone: *.discovercard.com
O15 - Trusted Zone: customersupport.dishnetwork.com
O15 - Trusted Zone: http://www.dishnetwork.com
O15 - Trusted Zone: http://www.dougurquhartmusic.com
O15 - Trusted Zone: http://www.e-thepeople.org
O15 - Trusted Zone: *.ebay.com
O15 - Trusted Zone: *.equifax.com
O15 - Trusted Zone: http://www.francey.org
O15 - Trusted Zone: service.geico.com
O15 - Trusted Zone: http://www.geico.com
O15 - Trusted Zone: ssl1.gmti.com
O15 - Trusted Zone: *.guru.com
O15 - Trusted Zone: http://www.hotbuy4u.com
O15 - Trusted Zone: http://www.kall8.com
O15 - Trusted Zone: http://www.linkedin.com
O15 - Trusted Zone: http://www.linkshare.com
O15 - Trusted Zone: *.mail.com
O15 - Trusted Zone: *.mtemc.com
O15 - Trusted Zone: *.mycheckfree.com
O15 - Trusted Zone: http://www.mydomain.com
O15 - Trusted Zone: onnet.ohionational.com
O15 - Trusted Zone: www.paypal.com
O15 - Trusted Zone: securebank.regions.com
O15 - Trusted Zone: http://www.regions.com
O15 - Trusted Zone: *.secure.registerapi.com
O15 - Trusted Zone: *.samsclub.com
O15 - Trusted Zone: http://www.sourceforge.net
O15 - Trusted Zone: *.sourceforge.net
O15 - Trusted Zone: www.spiritofamericacard.com
O15 - Trusted Zone: *.suntrust.com
O15 - Trusted Zone: my.t-mobile.com
O15 - Trusted Zone: http://www.t-mobile.com
O15 - Trusted Zone: www.*.t-mobile.com
O15 - Trusted Zone: http://forums.techguy.org
O15 - Trusted Zone: http://www.usbank.com
O15 - Trusted Zone: http://www.webmd.com
O15 - Trusted Zone: http://www.wochurch.org
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe

--
End of file - 9406 bytes

 

============================

This is the HJT log from a second computer, if you would look at it also.

 

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:14:13 PM, on 6/22/2010
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Atomic Clock Sync\Atomic.exe
C:\users\Cathy\ProgramFiles\HeyJoe\HeyJoe.exe
C:\Program Files\Second Copy 97\sc97.exe
C:\users\Dan\ProgramFiles\Ditto\Ditto.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\svchost.exe
C:\users\Dan\ProgramFiles\2xExplorer\2xExplorer.exe
C:\users\Dan\ProgramFiles\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O4 - HKCU\..\Run: [Hey, Joe!] C:\users\Cathy\ProgramFiles\HeyJoe\HeyJoe.exe
O4 - HKCU\..\Run: [Second Copy 97] C:\Program Files\Second Copy 97\sc97.exe /InitialWait=5
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster 2.0\Rambooster.exe
O4 - HKCU\..\Run: [Ditto] C:\users\Dan\ProgramFiles\Ditto\Ditto.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184049104031
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8E02B57-81A8-4CF0-A3F5-776EBC0CAB15}: NameServer = 4.2.2.2,4.2.2.3
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5687 bytes

0 Kudos
4 Replies
4 Germanium

Re: Possible Malware Infection ?

Hi acevizpro,

Sorry for the delay in getting to you, its been mayhem around here the last few weeks.

Welcome to Dell Community Malware Removal Forums,

Sorry for the delay in getting to you, I'm K27 and i will be reviewing your log for you.

Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.

Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.

Please DO NOT use this system for anything apart from visiting this forum and other sites I direct you too, as this will only make the cleanup process all the more diffecult.

The most important thing of you I will ask is that you let me know if you are not going to able to replying with in three (3) days. The reason I ask this, is that the spare time us volunteers give up is in short supply and could be used to help others or to do real life things. Failure to reply within three(3) days will result in this thread being closed and I will stop checking it for replies. If you are going to be unable to reply, that's fine, but please let me know.


1) Please download HostsXpert from here:
http://www.funkytoad.com/index.php?option=com_content&task=view&id=13&Itemid=

Create a new folder C:\Program Files\HostsXpert and unzip your download into that folder.

Run HostsXpert. Click "Make Writable?" if that is the first item at the top of the left hand side. If not, do not click on that button.

Click on "Download" and then "MVPs Hosts", and choose "Merge File".

When the download completes and the file is merged, click "File Handling", and then "Make ReadOnly?". Then exit HostsXpert.

 

2) Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

 

3) I need to see some additional information about what is happening in your machine.
Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
    DDS.jpg
  • Instead of attaching, please copy/past both logs into your next reply.

     

     

  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control here

 

4) YOU MUST DISABLE ALL REAL TIME PROTECTION BEFORE RUNNING THE NEXT TOOL,

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Please Disable all Anti-virus/Anti-Spyware/FireWall on your machine(instructions via links below)

 

Next, please perform a rootkit scan:

  • Double-click the randomly name EXE located in the C:\ARK folder that you just downloaded to launch it
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the "quick" scan is finished (a few seconds), click the Rootkit/Malware tab,and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply.
  • Now, re-enable the active protection component of any antivirus/antimalware programs you disabled before performing the scan.


.
If the ARK tool crashes your machine or causes a Blue Screen error, please post the log results from the first inital quick scan,this can be saved in the same way as the full scan in the above instructions.

 

Please COPY/PASTE the MBAM log, BOTH DDS logs and the ARK log back to this thread,
Thanks
K27

Malware Removal Staff at SpywareHammer

The Internet is the New Age Battle of the Old Age Clash Between Good and Evil

0 Kudos
2 Bronze

Re: Possible Malware Infection ?

Thanks for your reply.  Looks like you have a good set of steps that you use to resolve issues.  Unfortunately, I have already run MBAM and fixed one item.  Should I keep a copy of the above post for future problems, if any ?

0 Kudos
4 Germanium

Re: Possible Malware Infection ?

Hi,

Please post the log from when MBAM removed the one item.

I would also like you to update and run MBAM again when you get to that step as sometimes it takes a few runs for MBAM to remove things.

Also your host file in infected and as such needs resetting, that is taken care of with step one of my instructions.

As for the other logs I have requested, them tools do no cleaning what so ever, all they do is tell me what is going on with the system, most if not all of the data in them will be legitimate and should not be acted upon by someone untrained in there use. Once we are finished cleaning the system we will remove the tools we use as one wrong move with them could render the machine an expensive paperweight.

Please post back the MBAM log from  when you run the tool on your own(can be found in the logs tab), the fresh MBAM log after you have updated it (can be done via the updates tab), both DDS logs and the ARK log.

Thanks,
K27.

Malware Removal Staff at SpywareHammer

The Internet is the New Age Battle of the Old Age Clash Between Good and Evil

0 Kudos
4 Germanium

Re: Possible Malware Infection ?

This topic is now marked as Inactive.....

The fixes in this topic were written specifically for this user, following them may cause harm to your machine and render it a brick (useless)

If you are the original poster and would like further assistance please post a fresh HJT log and details of the problems you are having.

All other user's, please read THIS page and then please start a New Topic at the top of the Malware Removal Forum by clicking the DCFnewpost.png button.

Thanks,
K27.

Malware Removal Staff at SpywareHammer

The Internet is the New Age Battle of the Old Age Clash Between Good and Evil

0 Kudos