Malwarebytes doesn't work, setup.exes won't run, Google searches point to ad site



Post by lnjdopp on Wed Sep 02, 2009 12:48 am

Hello...
My PC is having multiple problems. I ran Malwarebytes a month ago to remove malware, and it worked great!! So I tried it again, but the app did not launch. I tried redownloading the app, but the install does not finish successfully. It just hangs. My computer also does not seem to launch any setup.exes. Finally, when we search on Google, the links displayed direct us to incorrect advertising sites. Any help would be greatly appreciated.

Here are the results of my HijackThis scan:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:08 PM, on 9/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Lon\Desktop\HJTInstall.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Lon\Local Settings\Temporary Internet Files\Content.IE5\89PFT7AQ\winlogon[1].exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1303.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (file missing)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (file missing)
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1303.0\msneshellx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Registration-Studio 8 SE.lnk = C:\Program Files\Pinnacle\Studio 8\Register\RegTool.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (file missing)
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - [You must be registered and logged in to see this link.]
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Windows Live Family Safety (fsssvc) - Unknown owner - C:\Program Files\Windows Live\Family Safety\fsssvc.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 7992 bytes


Re: Malwarebytes doesn't work, setup.exes won't run, Google searches point to ad site

Post by Belahzur on Wed Sep 02, 2009 1:03 am

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Malwarebytes doesn't work, setup.exes won't run, Google searches point to ad site

Post by lnjdopp on Wed Sep 02, 2009 1:48 am

The results are too large for the post. Should I break them down into multiple replies?


Re: Malwarebytes doesn't work, setup.exes won't run, Google searches point to ad site

Post by lnjdopp on Wed Sep 02, 2009 1:49 am

Here is the first part of the results. There are a lot more in the kernel code sections.

GMER 1.0.15.15077 [0wbzrvdz[1].exe] - [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-01 20:31:07
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAD15F4EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xAD15F581]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAD15F498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAD15F4AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAD15F595]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAD15F5C1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xAD15F634]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xAD15F619]
Code 89B0A8C8 ZwFlushInstructionCache
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAD15F52A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAD15F65E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xAD15F56D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAD15F470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAD15F484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAD15F4FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xAD15F69A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAD15F603]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xAD15F5ED]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAD15F5AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xAD15F686]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xAD15F672]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAD15F4D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAD15F4C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xAD15F5D7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAD15F559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAD15F648]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAD15F540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAD15F514]
Code 89B3236E IofCallDriver
Code 89BB12F6 IofCompleteRequest
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess


Re: Malwarebytes doesn't work, setup.exes won't run, Google searches point to ad site

Post by lnjdopp on Wed Sep 02, 2009 1:58 am

First part of the kernel section:
---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 89B32373
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 89BB12FB
.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP AD15F518 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D59 5 Bytes JMP AD15F571 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F2 7 Bytes JMP AD15F5F1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CDC0 5 Bytes JMP AD15F4EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056DC01 5 Bytes JMP AD15F4C6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8057065D 5 Bytes JMP AD15F585 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80570A6D 7 Bytes JMP AD15F69E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP AD15F638 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805717C7 5 Bytes JMP AD15F474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571CB1 7 Bytes JMP AD15F502 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80572889 7 Bytes JMP AD15F5DB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805736E6 5 Bytes JMP AD15F544 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573B61 7 Bytes JMP AD15F52E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 89B0A8CC
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FC6C 7 Bytes JMP AD15F4B0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805822EC 5 Bytes JMP AD15F55D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058A1C9 5 Bytes JMP AD15F488 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058A699 5 Bytes JMP AD15F662 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80590677 7 Bytes JMP AD15F61D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D5C 7 Bytes JMP AD15F5C5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805952CA 7 Bytes JMP AD15F599 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP AD15F49C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DD17 5 Bytes JMP AD15F4DA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064D9DA 7 Bytes JMP AD15F64C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E300 7 Bytes JMP AD15F607 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E77C 7 Bytes JMP AD15F5AF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064EC71 5 Bytes JMP AD15F676 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064F0DC 5 Bytes JMP AD15F68A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[400] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[400] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\iexplore.exe[516] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0027000A
.text C:\Program Files\Internet Explorer\iexplore.exe[516] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00270F7F
.text C:\Program Files\Internet Explorer\iexplore.exe[516] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00270F90
.text C:\Program Files\Internet Explorer\iexplore.exe[516] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0027006A
.text C:\Program Files\Internet Explorer\iexplore.exe[516] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00270FA1
.text C:\Program Files\Internet Explorer\iexplore.exe[516] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00270043
.text C:\Program Files\Internet Explorer\iexplore.exe[516] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00270F3F
.text C:\Program Files\Internet Explorer\iexplore.exe[516] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00270F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[516] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 002700A2
.text C:\Program Files\Internet Explorer\iexplore.exe[516] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00270F13
.text C:\Program Files\Internet Explorer\iexplore.exe[516] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00270EF8
.text C:\Program Files\Internet Explorer\iexplore.exe[516] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00270FBC
.text C:\Program Files\Internet Explorer\iexplore.exe[516] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00270FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[516] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00270085
.text C:\Program Files\Internet Explorer\iexplore.exe[516] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00270FCD
.text C:\Program Files\Internet Explorer\iexplore.exe[516] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00270FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[516] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00270F24
.text C:\Program Files\Internet Explorer\iexplore.exe[516] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00360FB6
.text C:\Program Files\Internet Explorer\iexplore.exe[516] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00360033
.text C:\Program Files\Internet Explorer\iexplore.exe[516] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00360FD1
.text C:\Program Files\Internet Explorer\iexplore.exe[516] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00360011
.text C:\Program Files\Internet Explorer\iexplore.exe[516] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00360F76
.text C:\Program Files\Internet Explorer\iexplore.exe[516] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00360000
.text C:\Program Files\Internet Explorer\iexplore.exe[516] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00360022
.text C:\Program Files\Internet Explorer\iexplore.exe[516] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00360F9B
.text C:\Program Files\Internet Explorer\iexplore.exe[516] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[516] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E351F8F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[516] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351F10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[516] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E351F54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[516] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351E9C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[516] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351ED6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[516] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E351FCA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[516] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)


Re: Malwarebytes doesn't work, setup.exes won't run, Google searches point to ad site

Post by lnjdopp on Wed Sep 02, 2009 2:12 am

Here is a section from further down in the results which I think might help you:


AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACoypaxtowuh.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [516] 0x00B50000
Library \\?\globalroot\systemroot\system32\UACkrwrrviedt.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [900] 0x02A50000
Library \\?\globalroot\systemroot\system32\UACkrwrrviedt.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1008] 0x10000000
Library \\?\globalroot\systemroot\system32\UACkrwrrviedt.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1100] 0x10000000
Library \\?\globalroot\systemroot\system32\UACkrwrrviedt.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1144] 0x10000000
Library \\?\globalroot\systemroot\system32\UACkrwrrviedt.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1272] 0x10000000
Library \\?\globalroot\systemroot\system32\UACkrwrrviedt.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1320] 0x10000000
Library \\?\globalroot\systemroot\system32\UACkrwrrviedt.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1384] 0x10000000
Library \\?\globalroot\systemroot\system32\UACoypaxtowuh.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [1496] 0x00B50000
Library \\?\globalroot\systemroot\system32\UACkrwrrviedt.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1672] 0x10000000
Library \\?\globalroot\systemroot\system32\UACkrwrrviedt.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [2272] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACrbfxmeybwe.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

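The GMER sections posted in this thread (kernel inline hooks, user-mode hooks inside iexplore.exe, hidden libraries and a hidden service) are what a responder has to sort into "hooks owned by a named vendor module" versus "jumps into memory no loaded image owns, plus hidden objects". The following Python triage is an added example, not code from the thread or from GMER; it runs over constructed lines in the same format GMER 1.0.15 printed above, and its regexes assume exactly that layout.

```python
"""Triage of GMER rootkit-scan output: split reported hooks into
vendor-attributed ones (a HIPS driver, a browser DLL hooking its own
process) and unattributed inline JMPs into anonymous memory, and pull
out hidden libraries and services. Assumes GMER 1.0.15 line formats."""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines in the format this thread's GMER log used.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 89B32373
PAGE ntoskrnl.exe!ZwOpenKey 80568D59 5 Bytes JMP AD15F571 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 89B0A8CC

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[400] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\iexplore.exe[516] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 002700A2
.text C:\Program Files\Internet Explorer\iexplore.exe[516] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00360FB6
.text C:\Program Files\Internet Explorer\iexplore.exe[516] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351E9C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACkrwrrviedt.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [900] 0x02A50000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACrbfxmeybwe.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!
"""

# "<section> <host>!<func> <addr> <n> Bytes JMP <dest> [<module> (<description/vendor>)]"
HOOK_RE = re.compile(
    r"^(?:\.text|PAGE|INIT)\s+(?P<host>\S.*?)!(?P<func>\S+)\s+(?P<addr>[0-9A-F]+)\s+"
    r"(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<dest>[0-9A-F]+)"
    r"(?:\s+(?P<module>\S.*?)\s+\((?P<vendor>[^)]*)\))?\s*$"
)
HIDDEN_LIB_RE = re.compile(
    r"^Library\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+(?P<proc>.+?)\s+"
    r"\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)\s*$"
)
HIDDEN_SVC_RE = re.compile(
    r"^Service\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)"
)


@dataclass(frozen=True)
class Finding:
    kind: str      # kernel-hook, user-hook, hidden-library, hidden-service
    severity: str  # "high" = unattributed or hidden, "info" = owned by a named module
    subject: str   # the hooked function or the hidden object
    detail: str


def _hook_finding(m: "re.Match[str]") -> Finding:
    host = m.group("host")
    if "]" in host:                      # user mode: "<process>[pid] <dll>"
        proc, _, dll = host.partition("]")
        kind, subject = "user-hook", f"{proc}] {dll.strip()}!{m.group('func')}"
    else:                                # kernel: "ntoskrnl.exe"
        kind, subject = "kernel-hook", f"{host}!{m.group('func')}"
    if m.group("module"):
        # GMER resolved the JMP target to a loaded image; a HIPS driver or a
        # browser DLL hooking its own process is expected, so report only.
        return Finding(kind, "info", subject,
                       f"JMP {m.group('dest')} -> {m.group('module')} ({m.group('vendor')})")
    # No image owns the target: code was written into anonymous memory and the
    # API entry was patched to reach it. This is the pattern in the thread's
    # iexplore.exe[516], which also carried a hidden UAC*.dll.
    return Finding(kind, "high", subject,
                   f"JMP {m.group('dest')} -> memory not backed by any loaded module")


def triage(log_text: str) -> list[Finding]:
    """Parse GMER output and return one Finding per hook or hidden object."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := HOOK_RE.match(line):
            findings.append(_hook_finding(m))
        elif m := HIDDEN_LIB_RE.match(line):
            findings.append(Finding("hidden-library", "high", m.group("path"),
                                    f"loaded in {m.group('proc')} [{m.group('pid')}] at {m.group('base')}"))
        elif m := HIDDEN_SVC_RE.match(line):
            findings.append(Finding("hidden-service", "high", m.group("path"),
                                    f"service {m.group('name')} start={m.group('start')}"))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Counts per severity plus the hidden on-disk paths a responder must collect."""
    return {
        "high": sum(f.severity == "high" for f in findings),
        "info": sum(f.severity == "info" for f in findings),
        "hidden_paths": sorted(f.subject for f in findings if f.kind.startswith("hidden")),
        "processes_with_unattributed_hooks": sorted({
            f.subject.split("] ")[0] + "]" for f in findings
            if f.kind == "user-hook" and f.severity == "high"}),
    }


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.kind:15} {f.subject}  {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Unattributed JMPs are a strong signal but not proof on their own; the hidden-path list is what to image and hash before any cleanup tool deletes it.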

Re: Malwarebytes doesn't work, setup.exes won't run, Google searches point to ad site

Post by Belahzur on Wed Sep 02, 2009 1:03 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:
       * Tools->Options->Main tab
       * Set to "Always ask me where to Save the files".
    2. During the download, rename Combofix to Combo-Fix as follows:
    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.





Re: Malwarebytes doesn't work, setup.exes won't run, Google searches point to ad site

Post by lnjdopp on Thu Sep 03, 2009 2:42 am

Here are the results (I'll send multiple posts). ComboFix found rootkit activity. Here are the files it told me to write down:

C:\Windows\system32\drivers\UACrbfxmeybwe.sys
C:\Windows\system32\UACmrscfxjcxd.dll
C:\Windows\system32\UACkrwrrviedt.dll
C:\Windows\system32\UACevpptiuwdd.dat
C:\Windows\system32\UACoypaxtowuh.dll

ComboFix 09-09-02.02 - Lon 09/02/2009 20:59.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2303.1859 [GMT -5:00]
Running from: c:\documents and settings\Lon\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jocelyn Dopp\Application Data\Hotbar
c:\documents and settings\Jocelyn Dopp\Application Data\WeatherDPA
c:\documents and settings\Jocelyn Dopp\Application Data\WeatherDPA\Weather\WeatherStartup.xml
c:\documents and settings\Lon Dopp\My Documents\cc_20090613_212444.reg
c:\documents and settings\Lon\My Documents\cc_20090613_212444.reg
c:\program files\iWin Games\iWinGamesHookIE.dll
c:\recycler\S-1-5-21-3706682910-4135405909-1170604119-1007
c:\recycler\S-1-5-21-3706682910-4135405909-1170604119-1008
c:\recycler\S-1-5-21-3706682910-4135405909-1170604119-1009
c:\recycler\S-1-5-21-3706682910-4135405909-1170604119-1010
c:\recycler\S-1-5-21-3706682910-4135405909-1170604119-1011
c:\windows\desktop
c:\windows\system32\drivers\ndisrd.sys
c:\windows\system32\drivers\UACrbfxmeybwe.sys
c:\windows\system32\ndisapi.dll
c:\windows\system32\UACevpptiuwdd.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkrwrrviedt.dll
c:\windows\system32\UACmrscfxjcxd.dll
c:\windows\system32\UACoypaxtowuh.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_NDISRD
-------\Service_NDISRD


((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
.

2009-09-01 23:09 . 2009-09-01 23:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-30 13:02 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-30 13:02 . 2009-09-01 23:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-30 13:02 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-28 00:29 . 2009-08-31 18:47 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\SACore
2009-08-28 00:24 . 2009-08-28 00:24 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SiteAdvisor
2009-08-28 00:22 . 2009-07-08 18:44 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-08-28 00:22 . 2009-07-08 18:44 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-08-28 00:22 . 2009-07-08 18:44 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-08-28 00:22 . 2009-07-16 17:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-08-28 00:21 . 2009-08-28 00:22 -------- d-----w- c:\program files\Common Files\McAfee
2009-08-28 00:21 . 2009-08-28 00:21 -------- d-----w- c:\program files\McAfee.com
2009-08-28 00:21 . 2009-08-29 15:20 -------- d-----w- c:\program files\McAfee
2009-08-28 00:17 . 2009-07-08 18:43 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-08-28 00:11 . 2009-08-28 03:23 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\McAfee
2009-08-27 23:42 . 2009-08-27 23:42 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
2009-08-27 23:42 . 2009-08-27 23:42 -------- d-----w- c:\documents and settings\Lon\Application Data\Office Genuine Advantage
2009-08-27 14:38 . 2009-08-29 17:07 -------- d-----w- c:\program files\PersonalAV
2009-08-20 21:35 . 2009-08-23 16:20 294 ----a-w- c:\windows\EReg072.dat
2009-08-20 21:34 . 2009-08-20 21:34 -------- d-----w- c:\program files\EA SPORTS
2009-08-12 22:05 . 2009-08-12 22:05 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\2F119
2009-08-11 19:44 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-09 01:04 . 2009-08-09 01:04 -------- d--h--r- c:\documents and settings\Joci\Application Data\SecuROM
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.


Re: Malwarebytes doesnt work,setup.exes won't run,google searches point to ad site

Post by lnjdopp on Thu Sep 03, 2009 2:43 am

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-03 02:07 . 2009-06-14 00:22 -------- d-----w- c:\program files\iWin Games
2009-09-01 23:21 . 2009-07-27 01:05 -------- d-----w- c:\documents and settings\Joci\Application Data\DNA
2009-09-01 23:14 . 2009-06-14 00:24 -------- d-----w- c:\program files\Java
2009-09-01 21:11 . 2009-06-14 00:03 -------- d-----w- c:\program files\DNA
2009-08-31 21:23 . 2009-07-08 23:49 -------- d-----w- c:\documents and settings\Joci\Application Data\gtk-2.0
2009-08-28 10:44 . 2009-06-17 12:50 -------- d-----w- c:\program files\GameSpy Arcade
2009-08-23 17:34 . 2009-06-20 16:21 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\ZoomBrowser
2009-08-23 17:34 . 2009-06-20 18:33 -------- d-----w- c:\documents and settings\Lon\Application Data\ZoomBrowser EX
2009-08-12 08:02 . 2009-06-16 11:15 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 02:11 . 2009-06-14 04:05 89728 ----a-w- c:\documents and settings\Lon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-04 20:34 . 2009-07-06 13:52 89728 ----a-w- c:\documents and settings\Joci\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-03 20:07 . 2009-08-03 20:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 20:07 . 2009-08-03 20:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 20:07 . 2009-08-03 20:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-08-01 11:26 . 2009-06-15 02:39 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-27 03:53 . 2009-06-14 00:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-27 03:50 . 2009-07-27 03:50 -------- d-----w- c:\documents and settings\Joci\Application Data\InstallShield
2009-07-25 03:20 . 2009-07-24 22:24 -------- d-----w- c:\program files\Common Files\Uninstall
2009-07-25 03:08 . 2009-07-25 03:08 -------- d-----w- c:\documents and settings\Lon\Application Data\Malwarebytes
2009-07-25 03:08 . 2009-07-25 03:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-07-25 01:25 . 2009-06-14 00:30 -------- d-----w- c:\program files\Microsoft Works
2009-07-21 21:55 . 2009-06-14 00:15 -------- d-----w- c:\program files\Gimp-2.0
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 02:12 . 2009-07-14 02:12 -------- d-----w- c:\documents and settings\Joci\Application Data\Juniper Networks
2009-07-09 22:25 . 2009-07-09 22:25 -------- d-----w- c:\documents and settings\Joci\Application Data\AdobeUM
2009-07-09 02:04 . 2009-07-09 02:04 -------- d-----w- c:\documents and settings\Lon\Application Data\Yahoo!
2009-07-08 23:05 . 2009-07-08 23:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2009-07-08 23:03 . 2009-06-14 00:15 -------- d-----w- c:\program files\Free Offers from Freeze.com
2009-07-08 23:03 . 2009-07-08 23:03 -------- d-----w- c:\documents and settings\Joci\Application Data\Yahoo!
2009-07-08 18:44 . 2009-07-08 18:44 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 12:17 . 2009-07-08 12:17 -------- d-----w- c:\documents and settings\Lon\Application Data\AdobeUM
2009-07-06 19:48 . 2009-06-14 00:31 -------- d-----w- c:\program files\Paint.NET
2009-07-06 12:20 . 2009-07-06 12:20 -------- d-----w- c:\documents and settings\Joci\Application Data\Windows Desktop Search
2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-19 16:17 . 2009-06-19 16:17 8413 ----a-w- c:\windows\system32\drivers\mcstrm.sys
2009-06-17 16:40 . 2009-06-17 16:40 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-06-17 16:40 . 2009-06-17 16:40 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-06-17 16:25 . 2009-06-17 16:25 490 ----a-w- c:\windows\eReg.dat
2009-06-17 15:08 . 2009-06-17 15:08 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-14 04:28 . 2009-06-14 04:28 30 ----a-w- c:\windows\INTURS.DAT
2009-06-14 03:54 . 2009-06-14 03:54 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2009-06-14 03:53 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2008-03-16 21:44 . 2008-03-16 21:44 0 ----a-w- c:\program files\temp01
2008-03-04 22:44 . 2008-03-04 22:45 774144 ----a-w- c:\program files\RngInterstitial.dll
.


Re: Malwarebytes doesnt work,setup.exes won't run,google searches point to ad site

Post by lnjdopp on Thu Sep 03, 2009 2:43 am

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-04-07 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-17 198160]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-01 149280]

c:\documents and settings\Lon\Start Menu\Programs\Startup\
Registration-Studio 8 SE.lnk - c:\program files\Pinnacle\Studio 8\Register\RegTool.exe [2005-5-29 245760]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-6-22 25214]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 fssfltr;FssFltr;c:\windows\SYSTEM32\DRIVERS\fssfltr_tdi.sys [6/14/2009 9:39 PM 55152]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [8/27/2009 7:24 PM 210216]
S3 fsssvc;Windows Live Family Safety;"c:\program files\Windows Live\Family Safety\fsssvc.exe" --> c:\program files\Windows Live\Family Safety\fsssvc.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-08-28 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-28 02:26]

2009-08-28 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-28 02:26]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-02 21:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.


Re: Malwarebytes doesnt work,setup.exes won't run,google searches point to ad site

Post by lnjdopp on Thu Sep 03, 2009 2:43 am

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3508)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\SYSTEM32\searchindexer.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\progra~1\McAfee\MSC\mcupdmgr.exe
c:\program files\Common Files\McAfee\HackerWatch\hwupdchk.exe
.
**************************************************************************
.
Completion time: 2009-09-03 21:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-03 02:19

Pre-Run: 226,344,452,096 bytes free
Post-Run: 231,022,313,472 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

251 --- E O F --- 2009-08-26 11:32


Re: Malwarebytes doesnt work,setup.exes won't run,google searches point to ad site

Post by Belahzur on Thu Sep 03, 2009 3:15 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?



Re: Malwarebytes doesnt work,setup.exes won't run,google searches point to ad site

Post by lnjdopp on Fri Sep 04, 2009 1:43 am

The machine seems to be fixed. I can run Malwarebytes, run setup.exe files, and, IE is working normally again. When I ran Malwarebytes, it removed RoguePersonalAntiVirus. Is this what caused all the issues?

THANK YOU!!!!


Re: Malwarebytes doesnt work,setup.exes won't run,google searches point to ad site

Post by Belahzur on Fri Sep 04, 2009 3:34 pm

The rootkit was the main problem, the personalAV is what you can see and keeps you busy while the rootkit does its work.

