Virus I think? Need more help
NSW1313 Junior Member Date Joined Jun 2008 Total Posts : 54 Posted 2/4/2009 4:58 PM (GMT +3)
Hello Touch. I went ahead and reinstalled McAfee for virus protection anyway because I like the shredder feature it has. So I'm surfing and my computer starts acting funny, so I run a scan with Malwarebytes. 10 objects infected and my computer needs to be rebooted to remove 4 of the infected objects. Funny thing is that Malwarebytes doesn't restart my computer like it usually does after I click "yes". So I restart it manually and run another scan, and the same 4 objects come up. I do it again and nothing different. Anyway, I figure it might have had something to do with McAfee, so I try to uninstall McAfee from the control panel, but it was acting really strange: the option boxes contained no text, so I didn't know if I was clicking Yes, No, Continue etc., and the text that was in the bigger boxes looked to be some kind of coding or possibly a different language. So I deleted as much of McAfee off my computer as I could manually using the Malwarebytes "delete locked files" function, and still nothing. Also, Windows is telling me that I have VirusScan still installed, and so is ComboFix. Any suggestions on how to get the rest of McAfee off would be great as well. So aside from the McAfee issue there are the four infected files that Malwarebytes seemingly cannot remove, and the fact that Malwarebytes doesn't automatically restart my computer during the disinfection process. Any help will be appreciated. Thanks. I downloaded the fix program and here are the logs.
Malwarebytes' Anti-Malware 1.33
Database version: 1725
Windows 5.1.2600 Service Pack 3

2/4/2009 7:52:09 AM
mbam-log-2009-02-04 (07-52-09).txt

Scan type: Quick Scan
Objects scanned: 53256
Time elapsed: 2 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:54:23 AM, on 2/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\nick\Desktop\FIX\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {5EDDBE1C-7276-4A89-969F-16B860E00386} - C:\WINDOWS\system32\ci.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {8AFF926F-67BF-4B89-A2D1-6C1D523E5BC2} - C:\WINDOWS\system32\ci.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - Unknown owner - C:\WINDOWS\system32\bgsvcgen.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee\MPF\MPFSrv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5024 bytes

ComboFix 09-02-03.01 - nick 2009-02-04 8:01:10.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.675 [GMT -6:00]
Running from: c:\documents and settings\nick\Desktop\FIX\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.
2009-02-04 06:36 . 2009-02-04 06:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-04 06:36 . 2009-02-04 06:36 <DIR> d-------- c:\documents and settings\nick\Application Data\Malwarebytes
2009-02-04 06:36 . 2009-02-04 06:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-04 06:36 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-04 06:36 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-04 06:20 . 2009-02-04 06:28 <DIR> d--hs---- C:\RECYCLER(3)
2009-02-03 21:47 . 2009-02-03 21:53 4,541 --a------ c:\windows\system32\Config.MPF
2009-02-03 21:46 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2009-02-02 22:07 . 2008-04-13 18:11 96,256 --a------ c:\windows\system32\ci.dll
2009-01-29 19:49 . 2009-01-31 08:14 <DIR> d-------- c:\program files\CCleaner
2009-01-27 08:01 . 2009-01-28 05:53 28,672 --a------ c:\windows\system32\applaunch.exe
2009-01-25 22:36 . 2009-01-25 22:36 <DIR> d-------- c:\program files\Trend Micro
2009-01-22 17:01 . 2009-01-31 08:12 <DIR> d-------- c:\program files\AVS4YOU
2009-01-22 16:28 . 2009-01-22 17:01 <DIR> d-------- c:\program files\Common Files\AVSMedia
2009-01-22 16:28 . 2009-01-31 08:03 <DIR> d-------- c:\documents and settings\nick\Application Data\AVS4YOU
2009-01-22 16:28 . 2009-01-22 16:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-01-22 16:27 . 2008-08-13 10:22 1,700,352 --a------ c:\windows\system32\GdiPlus.dll
2009-01-22 16:27 . 2008-08-13 10:22 974,848 --a------ c:\windows\system32\mfc70.dll
2009-01-22 16:27 . 2008-08-13 10:22 487,424 --a------ c:\windows\system32\msvcp70.dll
2009-01-22 16:27 . 2008-08-13 10:22 344,064 --a------ c:\windows\system32\msvcr70.dll
2009-01-22 16:27 . 2008-08-13 10:22 24,576 --a------ c:\windows\system32\msxml3a.dll
2009-01-16 23:43 . 2009-01-16 23:43 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-12 22:50 . 2009-01-12 22:51 <DIR> d-------- c:\program files\Thrixxx
2009-01-11 06:50 . 2006-12-29 00:31 19,569 --a------ c:\windows\0 00001_.tmp
2009-01-09 15:31 . 2009-01-31 08:19 <DIR> d-------- c:\program files\Eraser
2009-01-09 15:31 . 2009-01-31 08:02 <DIR> d--h----- c:\documents and settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}
2009-01-06 04:01 . 2009-01-06 04:14 <DIR> d-------- c:\program files\Jetico
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-31 15:37 151,552 ----a-w c:\windows\system32\rdchost.dll
2009-01-31 14:28 --------- d-----w c:\program files\Windows Media Connect 2
2009-01-31 14:28 --------- d-----w c:\program files\Windows Live Safety Center
2009-01-31 14:28 --------- d-----w c:\program files\Virtual Hottie 2
2009-01-31 14:27 --------- d-----w c:\program files\ScottradeELITE
2009-01-31 14:27 --------- d-----w c:\program files\Real Alternative
2009-01-31 14:24 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-01-31 14:24 --------- d-----w c:\program files\MasterSplitter
2009-01-31 14:24 --------- d-----w c:\program files\KGB Archiver 2
2009-01-31 14:24 --------- d-----w c:\program files\K-Lite Codec Pack
2009-01-31 14:21 --------- d-----w c:\program files\HP
2009-01-31 14:21 --------- d-----w c:\program files\GemMaster
2009-01-31 14:21 --------- d-----w c:\program files\Full Tilt Poker
2009-01-31 14:19 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2009-01-31 14:19 --------- d-----w c:\program files\DivX
2009-01-31 14:19 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-31 14:18 --------- d-----w c:\program files\Common Files\LightScribe
2009-01-31 14:14 --------- d-----w c:\program files\Bodog Poker
2009-01-31 14:12 --------- d-----w c:\program files\BitPim
2009-01-31 14:12 --------- d-----w c:\program files\AoA Audio Extractor
2009-01-31 14:11 --------- d-----w c:\program files\7-Zip
2009-01-31 14:04 --------- d-----w c:\documents and settings\nick\Application Data\vlc
2009-01-31 14:04 --------- d-----w c:\documents and settings\nick\Application Data\MSNInstaller
2009-01-31 14:03 --------- d-----w c:\documents and settings\nick\Application Data\Media Player Classic
2009-01-31 14:03 --------- d-----w c:\documents and settings\nick\Application Data\dvdcss
2009-01-31 14:03 --------- d-----w c:\documents and settings\nick\Application Data\CyberLink
2009-01-31 14:03 --------- d-----w c:\documents and settings\nick\Application Data\ChessBase
2009-01-31 14:03 --------- d-----w c:\documents and settings\nick\Application Data\AdobeUM
2009-01-31 14:02 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2009-01-31 14:02 --------- d-----w c:\documents and settings\All Users\Application Data\NtiDvdCopy
2009-01-31 14:02 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-17 05:43 --------- d-----w c:\program files\Java
2009-01-04 00:03 --------- d-----w c:\documents and settings\nick\Application Data\Twain
2008-12-29 23:54 --------- d-----w c:\program files\Common Files\ChessBase
2008-12-29 23:54 --------- d-----w c:\program files\ChessBase
2008-12-29 23:52 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-27 02:02 --------- d-----w c:\program files\Panasonic
2008-12-27 02:01 --------- d-----w c:\documents and settings\nick\Application Data\InstallShield
2008-12-26 23:54 --------- d-----w c:\documents and settings\nick\Application Data\Panasonic
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2007-08-07 23:47 88 --sha-r c:\windows\system32\5283EB2E49.sys
2007-08-07 23:53 2,516 --sha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot@2009-02-04_ 3.07.18.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-06-16 03:34:42 1,150,676 ----a-w c:\windows\system32\Restore\rstrlog.dat
+ 2009-02-04 12:29:08 533,812 ----a-w c:\windows\system32\Restore\rstrlog.dat
+ 2009-02-04 13:26:53 16,384 ----atw c:\windows\temp\Perflib_Perfdata_100.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5EDDBE1C-7276-4A89-969F-16B860E00386}]
2008-04-13 18:11 96256 --a------ c:\windows\system32\ci.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8AFF926F-67BF-4B89-A2D1-6C1D523E5BC2}]
2008-04-13 18:11 96256 --a------ c:\windows\system32\ci.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-16 136600]
"BCWipeTM Startup"="c:\program files\Jetico\BCWipe\BCWipeTM.exe" [2007-05-02 504824]
"SkyTel"="SkyTel.EXE" [2006-08-09 c:\windows\SkyTel.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RTHDCPL"=RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\mcafeeantivirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 gbxejfwf;gbxejfwf;c:\windows\system32\drivers\gbxejfwf.sys [2004-08-10 23424]
S3 sanyomdm;SANYO Composite USB Driver;c:\windows\system32\drivers\sanyomdm.sys [2008-05-20 65024]
S3 sanyoser;SANYO Serial Port Driver;c:\windows\system32\drivers\sanyoser.sys [2008-05-20 65024]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\BCSwap.sys [2007-01-25 91496]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ABF6FCC4-B500-F359-F72A-AC5084B1A3BB}]
c:\windows\system32\scvhost

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C63F5294-C278-41E7-5373-8EB0CD0A929C}]
c:\windows\system32\applaunch.exe
.
Contents of the 'Scheduled Tasks' folder
2009-02-04 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe []
2009-02-04 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\nick\Application Data\Mozilla\Firefox\Profiles\lu3lan1m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/a/
FF - plugin: c:\documents and settings\nick\Application Data\Mozilla\Firefox\Profiles\lu3lan1m.default\extensions\OberonGameHost@OberonGames.com\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npigl.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 08:02:20
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-02-04 8:03:41
ComboFix-quarantined-files.txt 2009-02-04 14:03:38
ComboFix2.txt 2009-02-04 08:55:02
ComboFix3.txt 2009-02-04 03:36:00
Pre-Run: 43,328,999,424 bytes free
Post-Run: 43,325,820,928 bytes free
163 --- E O F --- 2009-01-26 07:38:41

Post Edited (NSW1313) : 05-02-2009 07:10:25 GMT
NSW1313 Junior Member Date Joined Jun 2008 Total Posts : 54 Posted 2/5/2009 10:30 AM (GMT +3)
So aside from the McAfee issue there are the four infected files that Malwarebytes seemingly cannot remove, and the fact that Malwarebytes doesn't automatically restart my computer during the disinfection process. Can I manually delete these registry items, or will this harm the computer? Any help will be appreciated. Thanks.
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 12862 Posted 2/5/2009 10:48 AM (GMT +3)
Hello again
If I got things right, then you will uninstall McAfee?
Do NOT post your problem in someone elses thread.
A non-profit, volunteer network.
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 12862 Posted 2/5/2009 11:23 AM (GMT +3)
Ok
Post a combolog -
Please download Combofix:
And save to the desktop.
Close all other browser windows.
Please connect all your external hard drives/flash drives before running Combofix, if you have any.
Double-click on the combofix icon found on your desktop.
Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
When finished, it will produce a logfile located at C:\combofix.txt.
Post the contents of that log in your next reply.
NSW1313 Junior Member Date Joined Jun 2008 Total Posts : 54 Posted 2/5/2009 11:32 AM (GMT +3)
Here is the log. Combofix did not restart the computer either. Coincidence? Strange. CF or MW won't restart my computer.

ComboFix 09-02-04.01 - nick 2009-02-05 2:27:28.11 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.569 [GMT -6:00]
Running from: c:\documents and settings\nick\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.
2009-02-04 06:36 . 2009-02-04 06:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-04 06:36 . 2009-02-04 06:36 <DIR> d-------- c:\documents and settings\nick\Application Data\Malwarebytes
2009-02-04 06:36 . 2009-02-04 06:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-04 06:36 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-04 06:36 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-04 06:20 . 2009-02-04 06:28 <DIR> d--hs---- C:\RECYCLER(3)
2009-02-03 21:47 . 2009-02-03 21:53 4,541 --a------ c:\windows\system32\Config.MPF
2009-02-03 21:46 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2009-02-02 22:07 . 2008-04-13 18:11 96,256 --a------ c:\windows\system32\ci.dll
2009-01-29 19:49 . 2009-01-31 08:14 <DIR> d-------- c:\program files\CCleaner
2009-01-27 08:01 . 2009-01-28 05:53 28,672 --a------ c:\windows\system32\applaunch.exe
2009-01-25 22:36 . 2009-01-25 22:36 <DIR> d-------- c:\program files\Trend Micro
2009-01-22 17:01 . 2009-01-31 08:12 <DIR> d-------- c:\program files\AVS4YOU
2009-01-22 16:28 . 2009-01-22 17:01 <DIR> d-------- c:\program files\Common Files\AVSMedia
2009-01-22 16:28 . 2009-01-31 08:03 <DIR> d-------- c:\documents and settings\nick\Application Data\AVS4YOU
2009-01-22 16:28 . 2009-01-22 16:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-01-22 16:27 . 2008-08-13 10:22 1,700,352 --a------ c:\windows\system32\GdiPlus.dll
2009-01-22 16:27 . 2008-08-13 10:22 974,848 --a------ c:\windows\system32\mfc70.dll
2009-01-22 16:27 . 2008-08-13 10:22 487,424 --a------ c:\windows\system32\msvcp70.dll
2009-01-22 16:27 . 2008-08-13 10:22 344,064 --a------ c:\windows\system32\msvcr70.dll
2009-01-22 16:27 . 2008-08-13 10:22 24,576 --a------ c:\windows\system32\msxml3a.dll
2009-01-16 23:43 . 2009-01-16 23:43 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-12 22:50 . 2009-01-12 22:51 <DIR> d-------- c:\program files\Thrixxx
2009-01-11 06:50 . 2006-12-29 00:31 19,569 --a------ c:\windows\0 00001_.tmp
2009-01-09 15:31 . 2009-01-31 08:19 <DIR> d-------- c:\program files\Eraser
2009-01-09 15:31 . 2009-01-31 08:02 <DIR> d--h----- c:\documents and settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}
2009-01-06 04:01 . 2009-01-06 04:14 <DIR> d-------- c:\program files\Jetico
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-31 15:37 151,552 ----a-w c:\windows\system32\rdchost.dll
2009-01-31 14:28 --------- d-----w c:\program files\Windows Media Connect 2
2009-01-31 14:28 --------- d-----w c:\program files\Windows Live Safety Center
2009-01-31 14:28 --------- d-----w c:\program files\Virtual Hottie 2
2009-01-31 14:27 --------- d-----w c:\program files\ScottradeELITE
2009-01-31 14:27 --------- d-----w c:\program files\Real Alternative
2009-01-31 14:24 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-01-31 14:24 --------- d-----w c:\program files\MasterSplitter
2009-01-31 14:24 --------- d-----w c:\program files\KGB Archiver 2
2009-01-31 14:24 --------- d-----w c:\program files\K-Lite Codec Pack
2009-01-31 14:21 --------- d-----w c:\program files\HP
2009-01-31 14:21 --------- d-----w c:\program files\GemMaster
2009-01-31 14:21 --------- d-----w c:\program files\Full Tilt Poker
2009-01-31 14:19 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2009-01-31 14:19 --------- d-----w c:\program files\DivX
2009-01-31 14:19 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-31 14:18 --------- d-----w c:\program files\Common Files\LightScribe
2009-01-31 14:14 --------- d-----w c:\program files\Bodog Poker
2009-01-31 14:12 --------- d-----w c:\program files\BitPim
2009-01-31 14:12 --------- d-----w c:\program files\AoA Audio Extractor
2009-01-31 14:11 --------- d-----w c:\program files\7-Zip
2009-01-31 14:04 --------- d-----w c:\documents and settings\nick\Application Data\vlc
2009-01-31 14:04 --------- d-----w c:\documents and settings\nick\Application Data\MSNInstaller
2009-01-31 14:03 --------- d-----w c:\documents and settings\nick\Application Data\Media Player Classic
2009-01-31 14:03 --------- d-----w c:\documents and settings\nick\Application Data\dvdcss
2009-01-31 14:03 --------- d-----w c:\documents and settings\nick\Application Data\CyberLink
2009-01-31 14:03 --------- d-----w c:\documents and settings\nick\Application Data\ChessBase
2009-01-31 14:03 --------- d-----w c:\documents and settings\nick\Application Data\AdobeUM
2009-01-31 14:02 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2009-01-31 14:02 --------- d-----w c:\documents and settings\All Users\Application Data\NtiDvdCopy
2009-01-31 14:02 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-17 05:43 --------- d-----w c:\program files\Java
2009-01-04 00:03 --------- d-----w c:\documents and settings\nick\Application Data\Twain
2008-12-29 23:54 --------- d-----w c:\program files\Common Files\ChessBase
2008-12-29 23:54 --------- d-----w c:\program files\ChessBase
2008-12-29 23:52 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-27 02:02 --------- d-----w c:\program files\Panasonic
2008-12-27 02:01 --------- d-----w c:\documents and settings\nick\Application Data\InstallShield
2008-12-26 23:54 --------- d-----w c:\documents and settings\nick\Application Data\Panasonic
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2007-08-07 23:47 88 --sha-r c:\windows\system32\5283EB2E49.sys
2007-08-07 23:53 2,516 --sha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot@2009-02-04_ 3.07.18.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-06-16 03:34:42 1,150,676 ----a-w c:\windows\system32\Restore\rstrlog.dat
+ 2009-02-04 12:29:08 533,812 ----a-w c:\windows\system32\Restore\rstrlog.dat
+ 2009-02-05 04:16:22 16,384 ----atw c:\windows\temp\Perflib_Perfdata_110.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5EDDBE1C-7276-4A89-969F-16B860E00386}]
2008-04-13 18:11 96256 --a------ c:\windows\system32\ci.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8AFF926F-67BF-4B89-A2D1-6C1D523E5BC2}]
2008-04-13 18:11 96256 --a------ c:\windows\system32\ci.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-16 136600]
"BCWipeTM Startup"="c:\program files\Jetico\BCWipe\BCWipeTM.exe" [2007-05-02 504824]
"SkyTel"="SkyTel.EXE" [2006-08-09 c:\windows\SkyTel.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RTHDCPL"=RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\mcafeeantivirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 gbxejfwf;gbxejfwf;c:\windows\system32\drivers\gbxejfwf.sys [2004-08-10 23424]
S3 sanyomdm;SANYO Composite USB Driver;c:\windows\system32\drivers\sanyomdm.sys [2008-05-20 65024]
S3 sanyoser;SANYO Serial Port Driver;c:\windows\system32\drivers\sanyoser.sys [2008-05-20 65024]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\BCSwap.sys [2007-01-25 91496]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ABF6FCC4-B500-F359-F72A-AC5084B1A3BB}]
c:\windows\system32\scvhost

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C63F5294-C278-41E7-5373-8EB0CD0A929C}]
c:\windows\system32\applaunch.exe
.
Contents of the 'Scheduled Tasks' folder
2009-02-04 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe []
2009-02-04 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\nick\Application Data\Mozilla\Firefox\Profiles\lu3lan1m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/a/
FF - plugin: c:\documents and settings\nick\Application Data\Mozilla\Firefox\Profiles\lu3lan1m.default\extensions\OberonGameHost@OberonGames.com\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npigl.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 02:28:35
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-02-05 2:29:55
ComboFix-quarantined-files.txt 2009-02-05 08:29:53
ComboFix2.txt 2009-02-04 08:55:02
ComboFix3.txt 2009-02-04 03:36:00
Pre-Run: 43,260,399,616 bytes free
Post-Run: 43,245,346,816 bytes free
163 --- E O F --- 2009-01-26 07:38:41
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 12862 Posted 2/5/2009 11:41 AM (GMT +3)
ComboFix is only supposed to restart if it finds and fixes infections.
Please upload and have this file scanned:
c:\windows\system32\drivers\gbxejfwf.sys
Here
Post back the results
NSW1313 Junior Member Date Joined Jun 2008 Total Posts : 54 Posted 2/5/2009 11:51 AM (GMT +3) Holy crap. That file was scanned proper. Results for VirusTotal. The other had too many connections I guess. File gbxejfwf.sys received on 02.05.2009 09:47:25 (CET) Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED Result: 0/39 (0%) Loading server information... Your file is queued in position: ___. Estimated start time is between ___ and ___ . Do not close the window until scan is complete. The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result. If you are waiting for more than five minutes you have to resend your file. Your file is being scanned by VirusTotal in this moment, results will be shown as they're generated. Compact Compact Print results Print results Your file has expired or does not exists. Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time. You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. 
Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.05 -
AhnLab-V3 5.0.0.2 2009.02.05 -
AntiVir 7.9.0.74 2009.02.05 -
Authentium 5.1.0.4 2009.02.04 -
Avast 4.8.1281.0 2009.02.04 -
AVG 8.0.0.229 2009.02.04 -
BitDefender 7.2 2009.02.05 -
CAT-QuickHeal 10.00 2009.02.05 -
ClamAV 0.94.1 2009.02.05 -
Comodo 964 2009.02.04 -
DrWeb 4.44.0.09170 2009.02.05 -
eSafe 7.0.17.0 2009.02.04 -
eTrust-Vet 31.6.6343 2009.02.05 -
F-Prot 4.4.4.56 2009.02.04 -
F-Secure 8.0.14470.0 2009.02.05 -
Fortinet 3.117.0.0 2009.02.05 -
GData 19 2009.02.05 -
Ikarus T3.1.1.45.0 2009.02.05 -
K7AntiVirus 7.10.618 2009.02.04 -
Kaspersky 7.0.0.125 2009.02.05 -
McAfee 5516 2009.02.04 -
McAfee+Artemis 5516 2009.02.04 -
Microsoft 1.4306 2009.02.05 -
NOD32 3828 2009.02.05 -
Norman 6.00.02 2009.02.04 -
nProtect 2009.1.8.0 2009.02.05 -
Panda 9.5.1.2 2009.02.04 -
PCTools 4.4.2.0 2009.02.05 -
Prevx1 V2 2009.02.05 -
Rising 21.15.20.00 2009.02.04 -
SecureWeb-Gateway 6.7.6 2009.02.05 -
Sophos 4.38.0 2009.02.05 -
Sunbelt 3.2.1835.2 2009.01.16 -
Symantec 10 2009.02.05 -
TheHacker 6.3.1.5.247 2009.02.05 -
TrendMicro 8.700.0.1004 2009.02.05 -
VBA32 3.12.8.12 2009.02.04 -
ViRobot 2009.2.5.1591 2009.02.05 -
VirusBuster 4.5.11.0 2009.02.04 -
Additional information
File size: 23424 bytes
MD5...: ad51d40c23ae52c123920c9db4ff6cb8
SHA1..: 648077f51f44fb2574d2cc18542f852495ba3c40
SHA256: 280c11366de1aa0b87f672f7b8a38fb68978fa0be91c964b5e0337d1edc6041a
SHA512: ab0c0a120fde491859c3ddda44d9284062ddfb3e79f09f9dd8306b6d9cd9b92d4182bd6216736f052b7a99d9d76f947cebc8f3d84a2b0ea097067350770321d3
ssdeep: 384:w7smDoWv+WpUSSszSFqwtL0LD9Ioxy7hcqcqzHIokhxdJ2XuWv+Wp:ZmdSVszwqw5CD+Uy7CdGJeB2X/
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x66c
timedatestamp.....: 0x3b7d82e5 (Fri Aug 17 20:47:33 2001)
machinetype.......: 0x14c (I386)
( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x300 0x424 0x480 6.47 8e6222e49e1070b8a4171e4957007b9c
.rdata 0x780 0xad 0x100 2.62 0ace5f365131534c66de4137833221ad
INIT 0x880 0x284 0x300 4.44 13a9d0bea8490140305ffa9291acfd99
.ecfl 0xb80 0x4b00 0x4b00 7.89 dcd425b50af9ac5dd49f237fc5a2b0a0
.rsrc 0x5680 0x3c8 0x400 3.22 e12b798b7c7c48bc204f5da182d6b206
.reloc 0x5a80 0x9a 0x100 2.80 e4e5cbf534b254217ed05c1d1015eea9
( 2 imports )
> ntoskrnl.exe: MmLockPagableDataSection, KeCancelTimer, MmUnlockPagableImageSection, IoStartNextPacket, KeSetTimer, _allmul, IoStartPacket, KeInitializeEvent, KeInitializeTimer, KeInitializeDpc, IoCreateDevice, RtlInitUnicodeString, IoAcquireCancelSpinLock, KeRemoveDeviceQueue, KeRemoveEntryDeviceQueue, IoReleaseCancelSpinLock, IoDeleteDevice, IofCompleteRequest
> HAL.dll: ExReleaseFastMutex, KfRaiseIrql, KfLowerIrql, HalMakeBeep, ExAcquireFastMutex
( 0 exports )
NSW1313 Junior Member Date Joined Jun 2008 Total Posts : 54 Posted 2/5/2009 11:58 AM (GMT +3) Ok. The other one worked. Here are the results:
File: gbxejfwf.sys
Status: OK
MD5: ad51d40c23ae52c123920c9db4ff6cb8
Packers detected: -
Scanner results
Scan taken on 05 Feb 2009 08:55:30 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
NSW1313 Junior Member Date Joined Jun 2008 Total Posts : 54 Posted 2/5/2009 1:45 PM (GMT +3) The "delete on reboot" files in the malwarebytes log in the first post are the files that MW won't delete. For some reason when I hit the "continue" button MW won't reboot and remove the files.
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 12862 Posted 2/10/2009 8:43 AM (GMT +3) Sorry for the late response ->
Please download FileLook by jpshortstuff and save to your Desktop.
Double-click FileLook.exe to run it. Important! If using Windows Vista, be sure to Run As Administrator. Ensure that BBCode Output is checked. Copy and paste everything in the code box below into the empty textfield under FileLook by... Code:
c:\windows\system32\drivers\gbxejfwf.sys
Click the FileLook button to start the scan. When finished, Notepad will open with the results of the scan in a text file named fl_log.txt which will automatically be saved to the root of your system drive. (Typically C:\fl_log.txt)
Please copy and paste the contents of this log in your next reply.
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 12862 Posted 2/10/2009 1:36 PM (GMT +3) Let's see if ComboFix can get rid of them ->
Open notepad and copy/paste the text in the quotebox below into it:
Quote:
Killall::
Snapshot::
RegLockDeL::
Hosts::
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu]
Save this as: CFScript
Referring to the picture above, drag CFScript into ComboFix.exe
Then post fresh combofix log.
Also run a Malwarebytes scan, and see if it still finds them?
NSW1313 Junior Member Date Joined Jun 2008 Total Posts : 54 Posted 2/10/2009 5:05 PM (GMT +3) It didn't work. Here are the logs.
ComboFix 09-02-08.02 - nick 2009-02-10 7:50:19.14 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.603 [GMT -6:00]
Running from: c:\documents and settings\nick\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\nick\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 )))))))))))))))))))))))))))))))
.
2009-02-08 18:48 . 2009-02-08 18:48 <DIR> d-------- C:\rsit
2009-02-08 17:06 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2009-02-08 17:04 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2009-02-08 17:04 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-02-08 17:04 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2009-02-08 17:04 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-02-08 17:04 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2009-02-08 17:03 . 2009-02-08 17:04 <DIR> d-------- c:\program files\McAfee.com
2009-02-08 17:03 . 2009-02-08 17:46 <DIR> d-------- c:\program files\McAfee
2009-02-08 17:03 . 2009-02-08 17:04 <DIR> d-------- c:\program files\Common Files\McAfee
2009-02-08 16:56 . 2009-02-08 17:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-02-04 06:36 . 2009-02-06 16:48 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-04 06:36 . 2009-02-04 06:36 <DIR> d-------- c:\documents and settings\nick\Application Data\Malwarebytes
2009-02-04 06:36 . 2009-02-04 06:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-04 06:36 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-04 06:36 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-04 06:20 . 2009-02-04 06:28 <DIR> d--hs---- C:\RECYCLER(3)
2009-02-03 21:47 . 2009-02-10 07:53 8,039 --a------ c:\windows\system32\Config.MPF
2009-02-03 21:46 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2009-02-02 22:07 . 2008-04-13 18:11 96,256 --a------ c:\windows\system32\ci.dll
2009-01-29 19:49 . 2009-01-31 08:14 <DIR> d-------- c:\program files\CCleaner
2009-01-27 08:01 . 2009-01-28 05:53 28,672 --a------ c:\windows\system32\applaunch.exe
2009-01-25 22:36 . 2009-02-08 18:48 <DIR> d-------- c:\program files\Trend Micro
2009-01-22 17:01 . 2009-01-31 08:12 <DIR> d-------- c:\program files\AVS4YOU
2009-01-22 16:28 . 2009-01-22 17:01 <DIR> d-------- c:\program files\Common Files\AVSMedia
2009-01-22 16:28 . 2009-01-31 08:03 <DIR> d-------- c:\documents and settings\nick\Application Data\AVS4YOU
2009-01-22 16:28 . 2009-01-22 16:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-01-22 16:27 . 2008-08-13 10:22 1,700,352 --a------ c:\windows\system32\GdiPlus.dll
2009-01-22 16:27 . 2008-08-13 10:22 974,848 --a------ c:\windows\system32\mfc70.dll
2009-01-22 16:27 . 2008-08-13 10:22 487,424 --a------ c:\windows\system32\msvcp70.dll
2009-01-22 16:27 . 2008-08-13 10:22 344,064 --a------ c:\windows\system32\msvcr70.dll
2009-01-22 16:27 . 2008-08-13 10:22 24,576 --a------ c:\windows\system32\msxml3a.dll
2009-01-16 23:43 . 2009-01-16 23:43 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-12 22:50 . 2009-01-12 22:51 <DIR> d-------- c:\program files\Thrixxx
2009-01-11 06:50 . 2006-12-29 00:31 19,569 --a------ c:\windows\0 00001_.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-08 05:56 --------- d-----w c:\program files\Bodog Poker
2009-02-07 09:48 --------- d-----w c:\program files\Full Tilt Poker
2009-01-31 14:28 --------- d-----w c:\program files\Windows Media Connect 2
2009-01-31 14:28 --------- d-----w c:\program files\Windows Live Safety Center
2009-01-31 14:28 --------- d-----w c:\program files\Virtual Hottie 2
2009-01-31 14:27 --------- d-----w c:\program files\ScottradeELITE
2009-01-31 14:27 --------- d-----w c:\program files\Real Alternative
2009-01-31 14:24 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-01-31 14:24 --------- d-----w c:\program files\MasterSplitter
2009-01-31 14:24 --------- d-----w c:\program files\KGB Archiver 2
2009-01-31 14:24 --------- d-----w c:\program files\K-Lite Codec Pack
2009-01-31 14:21 --------- d-----w c:\program files\HP
2009-01-31 14:21 --------- d-----w c:\program files\GemMaster
2009-01-31 14:19 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2009-01-31 14:19 --------- d-----w c:\program files\Eraser
2009-01-31 14:19 --------- d-----w c:\program files\DivX
2009-01-31 14:19 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-31 14:18 --------- d-----w c:\program files\Common Files\LightScribe
2009-01-31 14:12 --------- d-----w c:\program files\BitPim
2009-01-31 14:12 --------- d-----w c:\program files\AoA Audio Extractor
2009-01-31 14:11 --------- d-----w c:\program files\7-Zip
2009-01-31 14:04 --------- d-----w c:\documents and settings\nick\Application Data\vlc
2009-01-31 14:04 --------- d-----w c:\documents and settings\nick\Application Data\MSNInstaller
2009-01-31 14:03 --------- d-----w c:\documents and settings\nick\Application Data\Media Player Classic
2009-01-31 14:03 --------- d-----w c:\documents and settings\nick\Application Data\dvdcss
2009-01-31 14:03 --------- d-----w c:\documents and settings\nick\Application Data\CyberLink
2009-01-31 14:03 --------- d-----w c:\documents and settings\nick\Application Data\ChessBase
2009-01-31 14:03 --------- d-----w c:\documents and settings\nick\Application Data\AdobeUM
2009-01-31 14:02 --------- d--h--w c:\documents and settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}
2009-01-31 14:02 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2009-01-31 14:02 --------- d-----w c:\documents and settings\All Users\Application Data\NtiDvdCopy
2009-01-31 14:02 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-17 05:43 --------- d-----w c:\program files\Java
2009-01-06 10:14 --------- d-----w c:\program files\Jetico
2009-01-04 00:03 --------- d-----w c:\documents and settings\nick\Application Data\Twain
2008-12-29 23:54 --------- d-----w c:\program files\Common Files\ChessBase
2008-12-29 23:54 --------- d-----w c:\program files\ChessBase
2008-12-29 23:52 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-27 02:02 --------- d-----w c:\program files\Panasonic
2008-12-27 02:01 --------- d-----w c:\documents and settings\nick\Application Data\InstallShield
2008-12-26 23:54 --------- d-----w c:\documents and settings\nick\Application Data\Panasonic
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2007-08-07 23:47 88 --sha-r c:\windows\system32\5283EB2E49.sys
2007-08-07 23:53 2,516 --sha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5EDDBE1C-7276-4A89-969F-16B860E00386}]
2008-04-13 18:11 96256 --a------ c:\windows\system32\ci.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8AFF926F-67BF-4B89-A2D1-6C1D523E5BC2}]
2008-04-13 18:11 96256 --a------ c:\windows\system32\ci.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-16 136600]
"BCWipeTM Startup"="c:\program files\Jetico\BCWipe\BCWipeTM.exe" [2007-05-02 504824]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SkyTel"="SkyTel.EXE" [2006-08-09 c:\windows\SkyTel.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RTHDCPL"=RTHDCPL.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\mcafeeantivirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
R0 gbxejfwf;gbxejfwf;c:\windows\system32\drivers\gbxejfwf.sys [2004-08-10 23424]
S3 sanyomdm;SANYO Composite USB Driver;c:\windows\system32\drivers\sanyomdm.sys [2008-05-20 65024]
S3 sanyoser;SANYO Serial Port Driver;c:\windows\system32\drivers\sanyoser.sys [2008-05-20 65024]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\BCSwap.sys [2007-01-25 91496]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{ABF6FCC4-B500-F359-F72A-AC5084B1A3BB}]
c:\windows\system32\scvhost
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C63F5294-C278-41E7-5373-8EB0CD0A929C}]
c:\windows\system32\applaunch.exe
.
Contents of the 'Scheduled Tasks' folder
2009-02-04 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2009-02-04 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
Trusted Zone: internet
FF - ProfilePath - c:\documents and settings\nick\Application Data\Mozilla\Firefox\Profiles\lu3lan1m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/a/
FF - plugin: c:\documents and settings\nick\Application Data\Mozilla\Firefox\Profiles\lu3lan1m.default\extensions\OberonGameHost@OberonGames.com\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npigl.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 07:53:08
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\HPZipm12.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-02-10 7:55:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-10 13:55:32
ComboFix2.txt 2009-02-06 22:46:36
ComboFix3.txt 2009-02-05 08:29:56
ComboFix4.txt 2009-02-04 08:55:02
ComboFix5.txt 2009-02-10 13:32:04
Pre-Run: 41,456,320,512 bytes free
Post-Run: 41,443,323,904 bytes free
192 --- E O F --- 2009-01-26 07:38:41

Malwarebytes' Anti-Malware 1.33
Database version: 1743
Windows 5.1.2600 Service Pack 3
2/10/2009 7:59:11 AM
mbam-log-2009-02-10 (07-59-11).txt
Scan type: Quick Scan
Objects scanned: 54280
Time elapsed: 2 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)
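The same four Browser Settings values are still reported as "Delete on reboot" after the CFScript run, as they were in the first post. The following read-only PowerShell is an added example, not part of this thread and not code from Malwarebytes, ComboFix or any other tool mentioned here: run from an elevated prompt, it lists those values (names taken from the Malwarebytes log, key path as the log reports it) and checks whether a Deny ACE on the key is what blocks their removal; it changes nothing.

```powershell
# Added example (not from this thread or its tools). Read-only triage of the key whose
# values Malwarebytes keeps reporting as "Delete on reboot". Run from an elevated prompt.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings'
$flagged = @('bf', 'bk', 'iu', 'mu')   # value names from the Malwarebytes log in this thread

function Get-FlaggedValues {
    param([string]$Path, [string[]]$Names)
    if (-not (Test-Path -Path $Path)) { return "Key not present: $Path" }
    $props = Get-ItemProperty -Path $Path
    foreach ($name in $Names) {
        $data = $props.$name
        if ($null -eq $data) { "{0,-4} not present" -f $name; continue }
        # REG_BINARY comes back as byte[]; render it as hex so it is safe to paste in a reply
        if ($data -is [byte[]]) { $data = ($data | ForEach-Object { $_.ToString('x2') }) -join ' ' }
        "{0,-4} type={1,-8} data={2}" -f $name, $props.$name.GetType().Name, $data
    }
}

function Get-KeyDenyAces {
    param([string]$Path)
    # A Deny ACE on the key (malware sometimes sets one) stops ordinary deletion of its
    # values, which would explain a removal that keeps failing across reboots.
    $acl = Get-Acl -Path $Path
    "Owner: {0}" -f $acl.Owner
    foreach ($ace in $acl.Access) {
        $tag = if ($ace.AccessControlType -eq 'Deny') { '!! DENY ' } else { '   allow' }
        "{0} {1,-40} {2}" -f $tag, $ace.IdentityReference, $ace.RegistryRights
    }
    if (-not ($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })) {
        'No Deny ACEs: permissions do not explain the failure; check whether something re-creates the values after reboot.'
    }
}

Get-FlaggedValues -Path $keyPath -Names $flagged
if (Test-Path -Path $keyPath) { Get-KeyDenyAces -Path $keyPath }
```

The output is plain text that can be pasted into a reply alongside the scanner logs; if Deny entries show up, that is the permissions problem the CFScript's RegLockDeL:: directive is aimed at.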
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 12862 Posted 2/13/2009 10:12 AM (GMT +3) Sorry for the delay, I have searched for info about the mbam "problem".
Please download SUPERAntiSpyware Home Edition (free) (SAS). Install it and double-click the icon on your desktop to run it. It will ask if you want to update the program definitions; click Yes. Let it through your firewall! Under Configuration and Preferences, click the Preferences button. Click the Scanning Control tab. Under Scanner Options make sure the following are checked:
Close browsers before scanning
Scan for tracking cookies
Terminate memory threats before quarantining.
Please leave the others unchecked.
On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive. On the right, under Complete Scan, choose Perform Complete Scan. Click Next to start the scan. Please be patient while it scans your computer. After the scan is complete a summary box will appear. Click OK. Make sure everything in the white box has a check next to it, then click Next. It will quarantine what it found and if it asks if you want to reboot, click Yes.
Reboot normally.
After reboot, double-click the SUPERAntispyware icon on your desktop.
Click Preferences. Click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
It will open in your default text editor (such as Notepad/Wordpad).
Please highlight everything, then right-click and choose copy.
Click close and close again to exit the program.
Post Superantispyware log.