Would someone mind taking a look at my malwarebytes log
toejumper
Posts: 2,441 Forumite


in Techie Stuff
Clicked on to the Daily Star web site earlier and got a bad infection. Whatever it was totally disarmed all my security, MSE and Windows Defender. Spent the last few hours scanning; Malwarebytes found 3 infections, and Spybot found none, but Windows told me there were 29 infections. Can someone please explain what's broken? Thanks.
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6563
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19048
13/05/2011 15:33:14
mbam-log-2011-05-13 (15-33-14).txt
Scan type: Quick scan
Objects scanned: 154414
Time elapsed: 9 minute(s), 24 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
c:\Users\steph\AppData\Local\vmt.exe (Trojan.ExeShell.Gen) -> 4388 -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Users\steph\AppData\Local\vmt.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Users\steph\AppData\Local\vmt.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
c:\Users\steph\local settings\application data\vmt.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
Comments
-
What do you mean "windows told me there 29 infections"? That sounds like a fake antivirus warning - is that warning gone now?
1. Run HitmanPro (http://www.surfright.nl/en/hitmanpro)
2. Run Avast rootkit scanner (http://public.avast.com/~gmerek/aswMBR.htm)
3. Run TDSSkiller (http://support.kaspersky.com/downloads/utils/tdsskiller.exe)
4. Save HijackThis! to your desktop (http://www.trendmicro.com/ftp/products/hijackthis/beta/HijackThis.exe), then hold down LEFT SHIFT and RIGHT CLICK on it to Run as Administrator, then do Scan and Save log, and copy paste the log here. Also tell the outcome of the first 3 steps please.
5. Run TFC (http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/), and afterwards restart the computer
You shouldn't have Windows Defender running if you have Microsoft Security Essentials, by the way.
-
That is what I thought, so I ran a HijackThis scan; nothing found there. Scanned with Malwarebytes, 3 infections found, which I cleared; it was Vista something or other. Looked in Windows security, everything has been disarmed, turned off; the Vista thing said 29 infections. I unplugged the modem and unplugged the phone line while I did all the scans. I went into panic mode until I cleaned my PC.
-
The hijackthis scan isn't a virus scanner, it's a diagnostic tool to see if any system settings have been changed by malware. Please post the log.
Did you do any of the steps listed? You can't rely on just one malware scanner to give the all clear.
By the way, it was a good idea disconnecting the internet; it stops this one from downloading further components. The risk is that it'll install a hidden infection known as a rootkit, hence the steps I listed.
-
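The settings check described above, applied to the one setting the Malwarebytes log in the first post reports as changed (the exefile open command). This is an added example, not part of any post in this thread; the function names and the user-writable path hints are assumptions of this sketch, and the sample line is copied from that log.

```python
import re

# Default handler for the exefile class: run the clicked program itself.
EXPECTED_EXEFILE_OPEN = '"%1" %*'
# Assumption of this sketch: path fragments a per-user dropper can write to.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\local settings\\", "\\temp\\")

# Layout of a "Registry Data Items Infected" line in the log above.
FINDING_RE = re.compile(
    r'^(?P<key>HKEY_\S+) \((?P<name>[^)]+)\) -> '
    r'Bad: \((?P<bad>.*)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$'
)

# Line copied from the Malwarebytes log in the first post.
SAMPLE_LINE = (
    r'HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand)'
    r' -> Bad: ("C:\Users\steph\AppData\Local\vmt.exe" -a "%1" %*) Good: ("%1" %*)'
    r' -> Quarantined and deleted successfully.'
)

def parse_data_item(line):
    """Split one registry data item line into its named fields."""
    m = FINDING_RE.match(line.strip())
    return m.groupdict() if m else None

def audit_open_command(value, expected=EXPECTED_EXEFILE_OPEN):
    """Classify an open-command value against the expected default."""
    if " ".join(value.split()) == expected:
        return {"status": "default", "interposer": None, "user_writable": False}
    # The first token (quoted or bare) is what Windows launches instead.
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', value)
    program = (m.group(1) or m.group(2)) if m else None
    if program in ("%1", None):
        return {"status": "modified", "interposer": None, "user_writable": False}
    lowered = program.lower()
    return {"status": "hijacked", "interposer": program,
            "user_writable": any(h in lowered for h in USER_WRITABLE_HINTS)}

def audit_log_line(line):
    """Audit the Bad and Good values of one log line; None if it is not one."""
    finding = parse_data_item(line)
    if finding is None:
        return None
    return {"key": finding["key"],
            "before": audit_open_command(finding["bad"]),
            "after": audit_open_command(finding["good"])}

if __name__ == "__main__":
    print(audit_log_line(SAMPLE_LINE))
```

A "hijacked" result with a user-writable interposer means every program launch was being routed through that file, which is why removing the file without restoring the default value leaves .exe files unable to start.
-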
Doing an ARO scan now, there's loads of errors
-
1791 errors found and security is good, do I click fix errors now? Thanks
-
Sorry, pop-up blocked it, now downloading
-
Thanks, Windows Defender isn't running, but if I go to Windows Firewall in Control Panel it tells me MSE and PC Tools Firewall are on and running. But after I got the virus alert I went to Control Panel and everything had been turned off. I know HijackThis isn't a security scanner; thanks, really appreciate you taking your time to help with this.
-
Nothing found in Hitman.
Here's the log for Avast:
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-13 19:37:26
19:37:26.023 OS Version: Windows 6.0.6002 Service Pack 2
19:37:26.023 Number of processors: 1 586 0x7F02
19:37:26.024 ComputerName: STEPH-PC UserName: steph
19:37:27.851 Initialize success
19:37:33.268 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000066
19:37:33.272 Disk 0 Vendor: Hitachi_ 1.10 Size: 152627MB BusType: 6
19:37:35.285 Disk 0 MBR read successfully
19:37:35.289 Disk 0 MBR scan
19:37:35.295 Disk 0 unknown MBR code
19:37:37.300 Disk 0 scanning sectors +312578048
19:37:37.430 Disk 0 scanning C:\Windows\system32\drivers
19:37:43.647 Service scanning
19:37:45.481 Disk 0 trace - called modules:
19:37:45.518 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll tcpip.sys NETIO.SYS ndis.sys bcmwl6.sys nwifi.sys USBPORT.SYS usbehci.sys
19:37:45.523 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x869f5a38]
19:37:45.529 3 CLASSPNP.SYS[8a9a08b3] -> nt!IofCallDriver -> [0x85daae00]
19:37:45.536 Scan finished successfully
19:37:58.434 Disk 0 MBR has been saved successfully to "C:\Users\steph\Documents\MBR.dat"
19:37:58.611 The log file has been saved successfully to "C:\Users\steph\Documents\aswMBR.txt"
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-13 19:41:23
19:41:23.718 OS Version: Windows 6.0.6002 Service Pack 2
19:41:23.719 Number of processors: 1 586 0x7F02
19:41:23.720 ComputerName: STEPH-PC UserName: steph
19:41:25.622 Initialize success
19:41:27.686 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000066
19:41:27.690 Disk 0 Vendor: Hitachi_ 1.10 Size: 152627MB BusType: 6
19:41:29.713 Disk 0 MBR read successfully
19:41:29.716 Disk 0 MBR scan
19:41:29.720 Disk 0 unknown MBR code
19:41:31.728 Disk 0 scanning sectors +312578048
19:41:31.764 Disk 0 scanning C:\Windows\system32\drivers
19:41:37.764 Service scanning
19:41:39.806 Disk 0 trace - called modules:
19:41:39.841 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys ahcix86s.sys ndis.sys ataport.SYS UBHelper.sys cdrom.sys msiscsi.sys portcls.sys rasacd.sys pctgntdi.sys PctWfpFilter.sys bowser.sys pctplfw.sys NETIO.SYS tcpip.sys dxgkrnl.???????entControlSet\Services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/mspeapuserpropertiesv1
19:41:39.847 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x869f5a38]
19:41:40.021 3 CLASSPNP.SYS[8a9a08b3] -> nt!IofCallDriver -> [0x85daae00]
19:41:40.027 5 acpi.sys[8060c6bc] -> nt!IofCallDriver -> \Device\00000066[0x85d1bc90]
19:41:40.036 7 CLASSPNP.SYS[8a99f7ec] -> nt!IofCallDriver -> \Device\UBHelper0[0x871973d0]
19:41:40.046 9 UBHelper.sys[8071d040] -> nt!IofCallDriver -> \Device\00000067[0x85d1b8f0]
19:41:40.057 11 CLASSPNP.SYS[8a99f7ec] -> nt!IofCallDriver -> \Device\UBHelper0[0x871973d0]
19:41:40.069 13 UBHelper.sys[8071d040] -> nt!IofCallDriver -> \Device\00000067[0x85d1b8f0]
19:41:40.078 15 CLASSPNP.SYS[8a99f7ec] -> nt!IofCallDriver -> \Device\UBHelper0[0x871973d0]
19:41:40.090 17 UBHelper.sys[8071d040] -> nt!IofCallDriver -> \Device\00000067[0x85d1b8f0]
19:41:40.106 Scan finished successfully
19:41:52.565 Disk 0 MBR has been saved successfully to "C:\Users\steph\Documents\MBR.dat"
19:41:52.581 The log file has been saved successfully to "C:\Users\steph\Documents\aswMBR.txt"
-
How did you go with the last few steps?
This discussion has been closed.