PDA

View Full Version : MBAM won't work, no internet, help!



kubi1169
2011-08-20, 05:15
Hi,

I am running Windows XP Home Edition SP3 on a Compaq Mini netbook and recently got infected with a trojan or a virus. I've been trying to clean it for a while with no luck. It uased to asked me to buy a fake antivirus software, but it doesn't do it anymore. It may be the MSBlaster trojan.

When I try to open it in safe mode, it closes all the antivirus programs including hijackthis and antimalwarebytes.

I tried renaming malwarebytes and run it but did not work. It stats scanning and closes after 5 seconds.

Even in safe mode, there is a suspicious program in task manager named 472196741:2061097699.exe which I can not kill using task manager.

None of the network connections (including internet) do not work on the computer but I have another laptop to transfer files through a USB.

Please help!

Thanks

DDS LOG:

.
DDS (Ver_2011-06-23.01) - NTFSx86 MINIMAL
Internet Explorer: 8.0.6001.18702
Run by User at 16:37:59 on 2011-08-19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.760 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\472196741:2061097699.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:59274
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0560.0\msneshellx.dll
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0560.0\msneshellx.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [JumiController]
uRun: [Security Protection] c:\documents and settings\all users\application data\defender.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HP BTW Detect Program] c:\program files\hp\HPBTWD.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [WirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [VERIZONDM] "c:\program files\verizondm\bin\sprtcmd.exe" /P VERIZONDM
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [<NO NAME>]
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Free YouTube to iPod Converter - c:\documents and settings\user\application data\dvdvideosoftiehelpers\freeyoutubetoipodconverter.htm
IE: Free YouTube to MP3 Converter - c:\documents and settings\user\application data\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\fiddler2\Fiddler.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.pace.edu/CACHE/stc/1/binaries/vpnweb.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1262503642573
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{BB7A0A78-2C09-4565-8A76-8C51413EC280} : DhcpNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\jcbeq976.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/?d=4dd73bf1&i=23&tp=ab&nt=1&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 59274
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff5.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: http://forums.spybot.info/misc.php?do=email_dev&email=anFzQHN1bi5jb20= - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: FiddlerHook: http://forums.spybot.info/misc.php?do=email_dev&email=ZmlkZGxlcmhvb2tAZmlkZGxlcjIuY29t - c:\program files\fiddler2\FiddlerHook
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg10\Firefox4
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
FF - Ext: Ask Toolbar: http://forums.spybot.info/misc.php?do=email_dev&email=dG9vbGJhckBhc2suY29t - %profile%\extensions\toolbar@ask.com
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-20 64288]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-8-14 217032]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-12-20 101720]
R3 jumi;%Jumi%;c:\windows\system32\drivers\jumi.sys [2010-6-3 13112]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 248656]
S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 297168]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2011-8-14 112592]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 2151640]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2011-8-14 366840]
S2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2011-8-14 1142224]
S2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\verizondm\bin\sprtsvc.exe [2011-2-1 206120]
S2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\verizondm\bin\tgsrvc.exe [2011-2-1 185640]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-10-9 493248]
S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-8-24 113664]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-3-31 39424]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-12-3 15232]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-8-14 39984]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2011-3-8 18432]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-8-24 160256]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
.
=============== Created Last 30 ================
.
2011-08-19 19:40:35 72192 ----a-w- c:\windows\system32\tasklist.exe
2011-08-19 19:11:00 -------- d-----w- c:\program files\PragmaDigm
2011-08-19 19:04:45 187184 ----a-w- c:\windows\system32\pssuspend.exe
2011-08-19 18:51:34 621944 ----a-w- c:\windows\system32\pskill.exe
2011-08-14 19:59:31 -------- d-----w- c:\documents and settings\user\local settings\application data\PCHealth
2011-08-14 19:58:10 -------- d-----w- c:\program files\Microsoft Security Client
2011-08-14 16:43:00 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-14 16:42:55 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-14 16:31:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-14 16:01:37 45328 --sha-w- c:\windows\system32\c_91652.nl_
2011-08-14 15:54:37 767952 ----a-w- c:\windows\BDTSupport.dll
2011-08-14 15:54:36 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-08-14 15:54:35 165840 ----a-w- c:\windows\PCTBDRes.dll
2011-08-14 15:54:35 1652688 ----a-w- c:\windows\PCTBDCore.dll
2011-08-14 15:52:12 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-08-14 15:52:07 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-08-14 15:52:07 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-08-14 15:52:02 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-08-14 15:51:49 -------- d-----w- c:\program files\Spyware Doctor
2011-08-14 15:51:49 -------- d-----w- c:\program files\common files\PC Tools
2011-08-14 15:51:49 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-08-14 15:17:42 862720 ----a-w- c:\documents and settings\all users\application data\E398.tmp
2011-08-04 20:59:05 -------- d-----w- c:\documents and settings\user\.frostwire5
2011-08-04 20:27:20 -------- d-----w- c:\documents and settings\user\local settings\application data\AskToolbar
2011-08-04 20:27:07 -------- d-----w- c:\program files\Ask.com
2011-08-04 20:25:30 -------- d-----w- c:\program files\FrostWire 5
2011-07-22 01:16:47 -------- d-----w- c:\program files\iPod
2011-07-22 01:16:44 -------- d-----w- c:\program files\iTunes
2011-07-22 01:15:16 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-07-22 01:15:15 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-07-21 02:59:42 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-07-21 03:31:59 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-07-12 15:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-05-28 18:59:16 103720 ----a-w- c:\documents and settings\user\GoToAssistDownloadHelper.exe
.
============= FINISH: 16:39:05.35 ===============
Edit

"Hello kubi1169,

http://www.bleepingcomputer.com/forums/topic415205.html

Have you posted anywhere else or let BC know you have requested assistance here?

Once you respond I will remove my post."
---------------------------------------------------
Yes, I requested assistance at BC as well to accelerate the process. So far I wasnt able to get a resolution. Please let me know if I am only able to get help through one site.
----------------------------------------------------
Ok. I posted a thread on BC to close the thread there and move on here.

http://www.bleepingcomputer.com/forums/topic415228.html/page__gopid__2378884

Thanks in advance for your help.

kubi1169
2011-08-21, 19:31
Anyone who can help??

tashi
2011-08-21, 21:05
Hello kubi1169,

Anyone who can help??


Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. In addition helpers would think you are already being assisted because of the post count, they look for topics with a 0 response.http://forums.spybot.info/showthread.php?t=288


If you have waited four days or longer for assistance, please start a topic in this sub-forum and post with a link back to your topic in the Malware forum, so that we know who you are and your topic is not archived.The Waiting Room: Post here if waiting for help four days (http://forums.spybot.info/forumdisplay.php?f=37)

Regards.