Windows Defender Virus

adkinsjr

I have the Windows Defender Virus on my laptop. I ran a scan using Malwarebytes, but I'm afraid to remove the objects listed as "infected." There are some infected items in the registry, so I don't want to remove them without advice first.


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3970

Windows 6.0.6000
Internet Explorer 8.0.6001.18904

9/26/2010 12:27:50 PM
mbam-log-2010-09-26 (12-27-50).txt

Scan type: Quick scan
Objects scanned: 108577
Time elapsed: 8 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtuqezaxijoyiger (Trojan.Agent.U) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ksefuz (Trojan.Agent.U) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Jeremy\AppData\Local\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> No action taken.
C:\Users\Jeremy\AppData\Local\dindps0.dll (Trojan.Agent.U) -> No action taken.
C:\Users\Jeremy\AppData\Local\otibavuk.dll (Trojan.Agent.U) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\0.3605978487501691.exe (Trojan.Dropper) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\0.874935173873987.exe (Trojan.Dropper) -> No action taken.
 
Let Malwarebytes remove whatever it finds, as there is no need to worry about it deleting important entries.

However, the Malwarebytes definitions are outdated and need to be updated. Open Malwarebytes and click on the Update tab, then click on Check for Updates. Keep updating until it says you have the latest version, then rescan your system and post its log along with a HijackThis log.

Ok, I got the updates and ran a scan:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.0.6000
Internet Explorer 8.0.6001.18904

9/26/2010 11:56:20 PM
LOG 2

Scan type: Quick scan
Objects scanned: 120719
Time elapsed: 8 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mcexecwin (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtuqezaxijoyiger (Trojan.Agent.U) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ksefuz (Trojan.Agent.U) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Jeremy\AppData\Local\Temp\gmfrxpgv.exe (Trojan.Downloader) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\nocrmweaxs.exe (Trojan.Downloader) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\~TM2CB1.tmp (Trojan.Agent) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\e8xen8fgex.dll (Trojan.Agent) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\setup.exe (Trojan.Chifrax) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> No action taken.
C:\Users\Jeremy\AppData\Local\dindps0.dll (Trojan.Agent.U) -> No action taken.
C:\Users\Jeremy\AppData\Local\otibavuk.dll (Trojan.Agent.U) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\0.3605978487501691.exe (Trojan.Dropper) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\0.874935173873987.exe (Trojan.Dropper) -> No
 
You still don't have the latest database for Malwarebytes. Please keep updating until it says you have the latest version. Then rescan your system and post new logs. The latest database version as of now is 4703; you are using 4052. After posting the Malwarebytes log, making sure everything is checked and clicking on Remove Selected, you need to post a HijackThis log.

Download the HijackThis installer from here.
Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile.

Most of what HijackThis lists will be harmless or even essential; don't fix anything yet.

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log.
 
OK, here's the log from HijackThis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:58 PM, on 9/27/2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Jeremy\Program Files\DNA\btdna.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Users\Jeremy\AppData\Local\Temp\qxbad2lz.exe
C:\Users\Jeremy\AppData\Local\Temp\debug.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Adobe\Shockwave 11\SwHelper_1156606.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inbox.com/homepage.aspx?tbid=80114&lng=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx?tbid=80114&lng=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://toolbar.inbox.com/help/sa_customize.aspx?tbid=80114
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx?tbid=80114&lng=en
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://toolbar.inbox.com/help/sa_customize.aspx?tbid=80114
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer, optimized for Bing and MSN
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Inbox Toolbar - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Jeremy\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [icardial] rundll32 "C:\Users\Jeremy\AppData\Local\Temp\dvdpolor.dll",DllEntryPoint
O4 - HKCU\..\Run: [mcexecwin] rundll32.exe C:\Users\Jeremy\AppData\Local\Temp\e8xen8fgex.dll, RestoreWindows
O4 - HKCU\..\Run: [hsfe8owijfisjhgs7ye39gjsoighsd7y3eu] C:\Users\Jeremy\AppData\Local\Temp\qxbad2lz.exe
O4 - HKCU\..\Run: [hsfg9w8gujsokgahi8gysgnsdgefshyjy] C:\Users\Jeremy\AppData\Local\Temp\debug.exe
O4 - HKCU\..\Run: [Xtuqezaxijoyiger] rundll32.exe "C:\Users\Jeremy\AppData\Local\dindps0.dll",Startup
O4 - HKCU\..\Run: [Ksefuz] rundll32.exe "C:\Users\Jeremy\AppData\Local\otibavuk.dll",Startup
O4 - HKCU\..\Run: [AdobeUpdater6] "C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O20 - AppInit_DLLs:
O23 - Service: Google Update Service (gupdate1c9c2201c686ef0) (gupdate1c9c2201c686ef0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 7258 bytes
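Editor's note: the HijackThis log above is long, and the helper's remark that most of it is harmless raises the question of how to pick out the few entries that matter. The pattern in this particular log is that the suspicious O4 (autostart) values point at executables or DLLs under the user's AppData\Local\Temp folder, several are loaded through rundll32, some have random-looking value names, and the R1 ProxyServer line sends Internet Explorer through a proxy on 127.0.0.1. The script below is an added example written for this page, not a tool from the thread or from HijackThis itself; it applies exactly those heuristics to a handful of lines copied from the log above (the rest of the log is omitted in the sample, and the heuristics are the editor's assumptions, not a signature set).

```python
import re

# Sample autostart (O4) and Internet Explorer (R1) lines copied from the
# HijackThis log posted above; the rest of that log is omitted here.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [icardial] rundll32 "C:\Users\Jeremy\AppData\Local\Temp\dvdpolor.dll",DllEntryPoint
O4 - HKCU\..\Run: [mcexecwin] rundll32.exe C:\Users\Jeremy\AppData\Local\Temp\e8xen8fgex.dll, RestoreWindows
O4 - HKCU\..\Run: [hsfe8owijfisjhgs7ye39gjsoighsd7y3eu] C:\Users\Jeremy\AppData\Local\Temp\qxbad2lz.exe
O4 - HKCU\..\Run: [Xtuqezaxijoyiger] rundll32.exe "C:\Users\Jeremy\AppData\Local\dindps0.dll",Startup
O4 - HKCU\..\Run: [AdobeUpdater6] "C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# O4 lines look like:  O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
R1_PROXY_RE = re.compile(r'^R1 - .*ProxyServer = (?P<proxy>.+)$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+(?P<rest>.*)', re.IGNORECASE)
# An unquoted path runs up to the first .exe/.dll, even if it contains spaces.
UNQUOTED_PATH_RE = re.compile(r'(?P<path>[^,"]+?\.(?:exe|dll))', re.IGNORECASE)


def extract_target(cmd):
    """Return the executable or DLL a Run value actually loads.

    For rundll32 entries the interesting file is the DLL argument, not
    rundll32 itself; the entry point after the comma is dropped.
    """
    m = RUNDLL_RE.match(cmd)
    rest = m['rest'] if m else cmd
    q = re.match(r'"(?P<path>[^"]+)"', rest)
    if q:
        return q['path']
    u = UNQUOTED_PATH_RE.match(rest)
    return u['path'] if u else (rest.split() or [rest])[0]


def suspicious_reasons(name, target):
    """Heuristics (editor's assumptions) that single out the bad O4 entries in this log."""
    reasons = []
    if re.search(r'\\Temp\\', target, re.IGNORECASE):
        reasons.append('runs from a Temp directory')
    elif re.search(r'\\AppData\\Local\\[^\\]+$', target, re.IGNORECASE):
        reasons.append('file sits directly under AppData\\Local')
    if len(name) >= 20 and re.search(r'\d', name) and ' ' not in name:
        reasons.append('random-looking value name')
    return reasons


def triage(log_text):
    """Return the O4 and R1 lines worth a closer look, with the reason for each."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            target = extract_target(m['cmd'])
            reasons = suspicious_reasons(m['name'], target)
            if reasons:
                findings.append({'kind': 'O4', 'hive': m['hive'], 'name': m['name'],
                                 'target': target, 'reasons': reasons})
            continue
        m = R1_PROXY_RE.match(line)
        if m and re.search(r'127\.0\.0\.1|localhost', m['proxy']):
            findings.append({'kind': 'R1', 'hive': 'HKCU', 'name': 'ProxyServer',
                             'target': m['proxy'],
                             'reasons': ['browser traffic routed through a local proxy']})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f['kind']} {f['hive']} [{f['name']}] -> {f['target']}")
        for r in f['reasons']:
            print('    ' + r)
```

Run against the sample it flags four of the eight Run values (icardial, mcexecwin, the hsfe8... entry and Xtuqezaxijoyiger) plus the ProxyServer line, and leaves the Java, Google and Adobe entries alone; on a full log, feed the whole text to triage() and review what comes back rather than fixing anything on the strength of the heuristics alone.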
 
I should have the latest version now, 4704. Here's my log file for malwarebytes.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4704

Windows 6.0.6000
Internet Explorer 8.0.6001.18904

9/27/2010 1:03:24 PM
LOG3

Scan type: Quick scan
Objects scanned: 140741
Time elapsed: 7 minute(s), 43 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 3
Registry Keys Infected: 0
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 33

Memory Processes Infected:
C:\Users\Jeremy\AppData\Local\Temp\qxbad2lz.exe (Trojan.Downloader) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\debug.exe (Trojan.Downloader) -> No action taken.

Memory Modules Infected:
C:\Users\Jeremy\AppData\Local\otibavuk.dll (Trojan.Hiloti) -> No action taken.
C:\Users\Jeremy\AppData\Local\dindps0.dll (Trojan.Hiloti) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\e8xen8fgex.dll (Trojan.Ertfor) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ksefuz (Trojan.Hiloti) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtuqezaxijoyiger (Trojan.Hiloti) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mcexecwin (Trojan.Ertfor) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsfe8owijfisjhgs7ye39gjsoighsd7y3eu (Trojan.Downloader) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsfg9w8gujsokgahi8gysgnsdgefshyjy (Trojan.Downloader) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Jeremy\AppData\Local\otibavuk.dll (Trojan.Hiloti) -> No action taken.
C:\Users\Jeremy\AppData\Local\dindps0.dll (Trojan.Hiloti) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\e8xen8fgex.dll (Trojan.Ertfor) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\qxbad2lz.exe (Trojan.Downloader) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\debug.exe (Trojan.Downloader) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\0.3605978487501691.exe (Trojan.Dropper) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\0.874935173873987.exe (Trojan.Dropper) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\1926cf5e.exe (Rootkit.TDSS.Gen) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\2176106496.exe (Trojan.Downloader) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\3195762115.exe (Trojan.Downloader) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\3899578819.exe (Trojan.Downloader) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\89216a3e.exe (Trojan.FakeAlert) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\aowxmcrsen.exe (Trojan.Tracur) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\login.exe (Trojan.Downloader) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\win.exe (Trojan.Downloader) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\gmfrxpgv.exe (Trojan.Downloader) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\nvsvc32.exe (Trojan.Downloader) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\oscrnewmxa.exe (Trojan.Fraudpack) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\avp.exe (Trojan.Downloader) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\avp32.exe (Trojan.Downloader) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\cmd.exe (Trojan.Downloader) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\google.exe (Trojan.Dropper) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\hmbqe65xx.exe (Trojan.Downloader) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\qRsBzRKfBk.exe (Trojan.Hiloti) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\nocrmweaxs.exe (Trojan.Downloader) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\tf2jga.exe (Trojan.Downloader) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\user.exe (Trojan.Downloader) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\escamnoxrw.exe (Rootkit.Dropper) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\setup.exe (Trojan.Downloader) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\system.exe (Trojan.Downloader) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\~TM2CB1.tmp (Trojan.Agent) -> No action taken.
C:\Windows\Temp\esc4DFD.tmp (Rootkit.Dropper) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> No action taken.
 
Please post a fresh HijackThis log. I need to see if there are still a few bad entries in your log. You should always post a fresh HijackThis log AFTER running Malwarebytes.

Also, did you have Malwarebytes remove those infections? It says "No action taken".
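Editor's note: the helper's question is answered by the status after the arrow on every detection line. Every item in all three logs above reads "No action taken", which means the scans only reported and nothing was quarantined. The script below is an added example for this page, not part of the thread or of Malwarebytes; it parses that status column, totals the outcomes, and cross-checks the per-section item counts against the summary block at the top of the log. The sample is constructed from a few lines of the third log above, plus two status strings ("Quarantined and deleted successfully." and "Delete on reboot.") that are assumed here to be what Malwarebytes 1.x writes after a removal.

```python
import re
from collections import Counter

# Constructed sample: a few lines from the third log above, with two items
# changed to post-removal statuses so that every outcome appears once.
SAMPLE_MBAM_LOG = r"""
Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Values Infected: 2
Files Infected: 3

Memory Processes Infected:
C:\Users\Jeremy\AppData\Local\Temp\qxbad2lz.exe (Trojan.Downloader) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\debug.exe (Trojan.Downloader) -> No action taken.

Memory Modules Infected:
C:\Users\Jeremy\AppData\Local\otibavuk.dll (Trojan.Hiloti) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ksefuz (Trojan.Hiloti) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Jeremy\AppData\Local\Temp\1926cf5e.exe (Rootkit.TDSS.Gen) -> No action taken.
C:\Users\Jeremy\AppData\Local\Temp\login.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Temp\esc4DFD.tmp (Rootkit.Dropper) -> Delete on reboot.
"""

# "Files Infected: 3" is a summary count; "Files Infected:" opens a section.
SUMMARY_RE = re.compile(r'^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$')
SECTION_RE = re.compile(r'^(?P<section>[A-Za-z ]+ Infected):$')
# <path or registry value> (<signature name>) -> <status>.
ITEM_RE = re.compile(r'^(?P<item>.+?) \((?P<sig>[^()]+)\) -> (?P<action>.+?)\.?$')


def parse_mbam_log(text):
    """Return (summary counts by section, list of detection dicts)."""
    summary, items, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == '(No malicious items detected)':
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m['section']] = int(m['count'])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m['section']
            continue
        m = ITEM_RE.match(line)
        if m and section:
            items.append({'section': section, 'item': m['item'],
                          'signature': m['sig'], 'action': m['action']})
    return summary, items


def cleanup_status(text):
    """Summarise what the scan actually did, and whether anything is still pending."""
    summary, items = parse_mbam_log(text)
    actions = Counter(i['action'] for i in items)
    pending = [i for i in items if i['action'] == 'No action taken']
    # Items per section should agree with the summary block; a mismatch means
    # the log was truncated when it was pasted (as the second log above was).
    per_section = Counter(i['section'] for i in items)
    mismatched = {s: (n, per_section.get(s, 0))
                  for s, n in summary.items() if n != per_section.get(s, 0)}
    return {
        'actions': dict(actions),
        'pending': pending,
        'needs_reboot': any(i['action'] == 'Delete on reboot' for i in items),
        'mismatched_sections': mismatched,
        'all_handled': not pending and not mismatched,
    }


if __name__ == '__main__':
    status = cleanup_status(SAMPLE_MBAM_LOG)
    for action, n in sorted(status['actions'].items()):
        print(f'{n:3d}  {action}')
    for i in status['pending']:
        print(f"still present: {i['item']} ({i['signature']})")
    if status['needs_reboot']:
        print('reboot required to finish removal')
    if status['mismatched_sections']:
        print('summary/section count mismatch:', status['mismatched_sections'])
```

On the sample it reports five items still marked "No action taken", two quarantined, one waiting on a reboot, and counts that agree with the summary block; run on the thread's own logs it would report every item as pending, which is exactly what the helper is pointing out.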
 