TechSpot

Need help with malware and HJT results

By MysticBlueRaven
Apr 22, 2011
  1. I need some help with my husband's laptop. I ran HJT and this is what the results are.
    Not sure what to do next.

    [HJT log removed - Broni]

    I also ran Malwarebytes' Anti-Malware



    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6420

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    4/22/2011 2:06:57 PM
    mbam-log-2011-04-22 (14-06-48).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 228873
    Time elapsed: 50 minute(s), 29 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4D1C4E81-A32A-416B-BCDB-33B3EF3617D3} (Adware.Need2Find) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\WRC\Desktop\televisionfanatic(2).exe (Adware.FunWeb) -> No action taken.
    c:\documents and settings\WRC\Desktop\televisionfanatic.exe (Adware.FunWeb) -> No action taken.
    c:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> No action taken.
    c:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> No action taken.



    Thank you very much for all your help
     
  2. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Welcome aboard

    Please complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ====================================================================

    Your MBAM log shows "No action taken" after each line.
    Re-run it, FIX all issues and post the new log.
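
    The "No action taken" status Broni points out can be checked mechanically before a log is posted. The following Python script is an added example, not code from this thread or from Malwarebytes: it parses an MBAM 1.x text log (the section headers and the `item (classification) -> action.` line layout are taken from the logs posted in this thread), lists every detection with the action MBAM recorded for it, and reports whether any were left unhandled. The two embedded sample logs are abridged copies of the first and the later log from this thread.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Each detection line in an MBAM 1.x log has the shape
#   <item> (<classification>) -> <action>.
# e.g.  c:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> No action taken.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

# Section headers exactly as MBAM prints them. The summary block near the top
# repeats them with a count appended ("Files Infected: 4"), so those lines
# deliberately do not match this set.
SECTION_HEADERS = {
    "Memory Processes Infected:", "Memory Modules Infected:",
    "Registry Keys Infected:", "Registry Values Infected:",
    "Registry Data Items Infected:", "Folders Infected:", "Files Infected:",
}

UNHANDLED = "No action taken"


@dataclass
class Detection:
    section: str
    item: str
    name: str
    action: str

    @property
    def handled(self) -> bool:
        return self.action != UNHANDLED


def parse_mbam_log(text: str) -> list[Detection]:
    """Walk the log line by line, tracking the current section, and collect
    every detection line together with the action MBAM recorded for it."""
    detections: list[Detection] = []
    section: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = line.rstrip(":")
            continue
        # Header/summary lines precede the first section and are skipped.
        if section is None or not line or line.startswith("(No malicious"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(section, m["item"], m["name"], m["action"]))
    return detections


def unhandled(detections: list[Detection]) -> list[Detection]:
    return [d for d in detections if not d.handled]


def summarize(detections: list[Detection]) -> dict[str, int]:
    """Count detections per recorded action, e.g. {'No action taken': 5}."""
    return dict(Counter(d.action for d in detections))


def needs_rerun(text: str) -> bool:
    """True when the log lists detections that were never fixed."""
    return bool(unhandled(parse_mbam_log(text)))


# Abridged copies of the two logs posted in this thread (sample input).
FIRST_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Windows 5.1.2600 Service Pack 3
Scan type: Full scan (C:\|)
Registry Keys Infected: 1
Files Infected: 4

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4D1C4E81-A32A-416B-BCDB-33B3EF3617D3} (Adware.Need2Find) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\WRC\Desktop\televisionfanatic(2).exe (Adware.FunWeb) -> No action taken.
c:\documents and settings\WRC\Desktop\televisionfanatic.exe (Adware.FunWeb) -> No action taken.
c:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> No action taken.
c:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> No action taken.
"""

SECOND_LOG = FIRST_LOG.replace("No action taken", "Quarantined and deleted successfully")


if __name__ == "__main__":
    for label, log in (("first log", FIRST_LOG), ("second log", SECOND_LOG)):
        found = parse_mbam_log(log)
        print(f"{label}: {len(found)} detections, {summarize(found)}")
        for d in unhandled(found):
            print(f"  still unhandled [{d.section}] {d.name}: {d.item}")
        print(f"  needs re-run with FIX: {needs_rerun(log)}")
```

Run as a script it prints the per-action counts for both logs and lists the five entries from the first log that were detected but not fixed; on the second log `needs_rerun` returns False, which is the state the helper asked for before moving on.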
     
  3. MysticBlueRaven

    MysticBlueRaven TS Rookie Topic Starter

    I forgot to add the following information: I ran my anti-virus program, Norton Security Suite, and nothing showed up, and it is up to date. I also ran Spybot Search and Destroy and nothing showed up. Will post more after I do what the link asks me to do. Thank you very much for your help.
     
  4. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Sure thing :)
     
  5. MysticBlueRaven

    MysticBlueRaven TS Rookie Topic Starter

    I did everything in the 8-step removal, except the last one. I ran into a problem: Explorer keeps closing on me and his computer freezes when I try to save text in another log. I will post more when I figure out what is going on.
     
  6. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Which exact step is giving you problems?
     
  7. MysticBlueRaven

    MysticBlueRaven TS Rookie Topic Starter

    Right now it is saving the DDS and Attach text log files to the desktop; Notepad keeps freezing.
     
  8. MysticBlueRaven

    MysticBlueRaven TS Rookie Topic Starter

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6441

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    4/25/2011 10:51:24 AM
    mbam-log-2011-04-25 (10-51-24).txt

    Scan type: Quick scan
    Objects scanned: 154031
    Time elapsed: 4 minute(s), 8 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4D1C4E81-A32A-416B-BCDB-33B3EF3617D3} (Adware.Need2Find) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\WRC\Desktop\televisionfanatic(2).exe (Adware.FunWeb) -> Quarantined and deleted successfully.
    c:\documents and settings\WRC\Desktop\televisionfanatic.exe (Adware.FunWeb) -> Quarantined and deleted successfully.
    c:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.
     
  9. MysticBlueRaven

    MysticBlueRaven TS Rookie Topic Starter

    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit scan 2011-04-25 12:58:28
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.BB2O
    Running: 7wd47w9g.exe; Driver: C:\DOCUME~1\WRC\LOCALS~1\Temp\fxdyapog.sys


    ---- System - GMER 1.0.15 ----

    SSDT 89889960 ZwAlertResumeThread
    SSDT 89889A40 ZwAlertThread
    SSDT 898E2A10 ZwAllocateVirtualMemory
    SSDT 89A42348 ZwAssignProcessToJobObject
    SSDT 89C5F348 ZwConnectPort
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0x9BD10210]
    SSDT 8963B1A0 ZwCreateMutant
    SSDT 8967C140 ZwCreateSymbolicLinkObject
    SSDT 89BC3AE8 ZwCreateThread
    SSDT 89661070 ZwDebugActiveProcess
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0x9BD10490]
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0x9BD109F0]
    SSDT 89873450 ZwDuplicateObject
    SSDT 895FE160 ZwFreeVirtualMemory
    SSDT 896710D0 ZwImpersonateAnonymousToken
    SSDT 896711B0 ZwImpersonateThread
    SSDT 89B64110 ZwLoadDriver
    SSDT 89BBF888 ZwMapViewOfSection
    SSDT 8963B0C0 ZwOpenEvent
    SSDT 898EF738 ZwOpenProcess
    SSDT 89873390 ZwOpenProcessToken
    SSDT 8962F0D0 ZwOpenSection
    SSDT 898EF648 ZwOpenThread
    SSDT 89A42258 ZwProtectVirtualMemory
    SSDT 898853C8 ZwResumeThread
    SSDT 8964E3E0 ZwSetContextThread
    SSDT 8961E0C0 ZwSetInformationProcess
    SSDT 89661150 ZwSetSystemInformation
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0x9BD10C40]
    SSDT 8962F1B0 ZwSuspendProcess
    SSDT 898854A8 ZwSuspendThread
    SSDT 898B1948 ZwTerminateProcess
    SSDT 8964E300 ZwTerminateThread
    SSDT 8961E1B0 ZwUnmapViewOfSection
    SSDT 898E2920 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    ? knyassna.sys The system cannot find the file specified. !
    ? SYMDS.SYS The system cannot find the file specified. !
    ? SYMEFA.SYS The system cannot find the file specified. !

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
    Device 9A782D20

    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
     
Topic Status:
Not open for further replies.
