
Infected with Security Protection/Defender.exe


  • This topic is locked
71 replies to this topic

#1 lostinhell

lostinhell

  • Members
  • 41 posts

Posted 15 October 2011 - 09:33 PM

My name tells it all. I cannot open Internet Explorer. I cannot open Malwarebytes, BitDefender, or other scanners for this virus. When I do, if they start, after 10 seconds they close. I can open Firefox and go to any website, but the "noblesearchsystem.com" website pops up every 5 minutes. When I tried to scan with GMER, it closed after 10 seconds. After renaming it to merg, it closed after 10 seconds. Also, I have to log on as another user and disable defender.exe in Task Manager before I can open Task Manager or Firefox as my user name. And I cannot stop the process that is all numbers. Thanks for looking at this and for your help.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Run by Hansel at 20:36:38 on 2011-10-15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1227 [GMT -5:00]
.
AV: BitDefender Antivirus *Disabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: AVG Anti-Virus Free *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: BitDefender Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\623904815:3505901530.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.yahoo.com/
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\s&d\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: StartNow Toolbar Helper: {6e13d095-45c3-4271-9475-f3b48227dd9f} - c:\program files\startnow toolbar\Toolbar32.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient_2.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
TB: StartNow Toolbar: {5911488e-9d1e-40ec-8cbb-06b231cc153f} - c:\program files\startnow toolbar\Toolbar32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Security Protection] c:\documents and settings\all users\application data\defender.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [lxdcamon] "c:\program files\lexmark 1300 series\lxdcamon.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [StartNowToolbarHelper] "c:\program files\startnow toolbar\ToolbarHelper.exe"
mRun: [appscanbase.exe] "c:\windows\appscanbase.exe"
mRun: [utilman] %APPDATA%\utilman.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [winPadusb] rundll32.exe "c:\documents and settings\networkservice\local settings\application data\hpobjppm\winPadusb.dll",mfcPadclass acxmapdlg
dRun: [iMXxHFmRWxGIKn] c:\documents and settings\all users\application data\iMXxHFmRWxGIKn.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\s&d\SDHelper.dll
LSP: mswsock.dll
Trusted Zone: dla.mil\www.drms
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} - hxxps://ediagnostics.lexmark.com/serval.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 24.159.64.23 97.81.22.195 66.189.0.100
TCP: Interfaces\{B1302E1D-5359-49CD-B160-1056F7538288} : DhcpNameServer = 24.159.64.23 97.81.22.195 66.189.0.100
Filter: text/html - {45ec69dd-f6b0-4083-8610-dfa1146ecf3e} -
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 wvauth
LSA: Notification Packages = scecli sorifere.dll
mASetup: {4D3B13AF-559D-4427-A598-227ECC4833C2} - rundll32.exe "c:\documents and settings\admin\application data\remote\srjmh47.dll", UnregisterDll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 95.64.61.145 www.google.com
Hosts: 95.64.61.146 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\hansel\application data\mozilla\firefox\profiles\9qtroj4n.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/?pc=Z125&install_date=20110812
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z125&form=ZGAADF&install_date=20110812&q=
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\documents and settings\hansel\application data\mozilla\firefox\profiles\9qtroj4n.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\hansel\application data\mozilla\firefox\profiles\9qtroj4n.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(extentions.y2layers.installId, 5d61b45d-6d76-40e1-a34c-89affe65f402
FF - user.js: extentions.y2layers.installId - 7d228cef-5b06-44c6-a402-76966d52d198
FF - user.js: extentions.y2layers.installId - 21f6049d-362c-4723-8322-1f5f71a9f55b
.
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2011-9-4 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2011-9-4 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2011-9-4 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2011-9-4 297752]
R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2009\BDVEDISK.sys [2008-10-6 82696]
R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
R2 Updater Service for StartNow Toolbar;Updater Service for StartNow Toolbar;c:\program files\startnow toolbar\ToolbarUpdaterService.exe [2011-7-27 267488]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-2-12 104456]
S2 COMServer;COMServer;"c:\windows\system32\msapps\comsrvr.exe" s --> c:\windows\system32\msapps\comsrvr.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-23 133104]
S2 lxdcCATSCustConnectService;lxdcCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdcserv.exe [2009-1-17 99248]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2009-1-20 172032]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
S3 GTKCMOS;GTKCMOS;c:\windows\system32\GTKCMOS.sys [2004-6-15 7882]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-9-23 133104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\mcafee security scan\2.0.181\mcchsvc.exe" --> c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
.
=============== Created Last 30 ================
.
2011-10-14 00:31:12 -------- d-----w- c:\documents and settings\hansel\local settings\application data\Solid State Networks
2011-10-14 00:01:30 998292 ----a-w- c:\documents and settings\all users\SPL10.tmp
2011-10-10 12:50:44 530312 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-10-10 12:43:27 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-10-10 12:43:20 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2011-10-03 22:08:06 -------- d-----w- C:\TDSSKiller_Quarantine
.
==================== Find3M ====================
.
2011-09-04 13:49:30 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-09-04 13:49:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2011-09-04 13:49:28 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-09-04 01:59:28 896000 ----a-w- c:\documents and settings\all users\application data\defender.exe
2011-09-04 00:34:14 896000 ---ha-w- c:\documents and settings\all users\application data\3543.tmp
2011-09-04 00:32:08 896000 ---ha-w- c:\documents and settings\all users\application data\B1CF.tmp
2011-09-04 00:31:37 896000 ---ha-w- c:\documents and settings\all users\application data\C580.tmp
2011-09-03 20:19:52 4194304 ---ha-w- c:\windows\system32\iahonoel.dll
2011-09-02 13:40:30 0 ---ha-w- c:\windows\Ypujitamagabo.bin
2011-08-20 17:00:30 81984 ---ha-w- c:\windows\system32\bdod.bin
2011-07-20 12:50:58 3532 ---ha-w- C:\drmHeader.bin
.
============= FINISH: 20:39:31.04 ===============
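Added example, not part of this thread and not a feature of DDS: a small Python triage script that applies the checks a responder makes by eye on the Pseudo HJT report above (autoruns launched from user-writable data folders, a second ':' in a process path, LSA packages beyond the XP defaults, hosts-file redirects of well-known domains). The sample lines are copied from the log above; the folder list, the known-good LSA set, the watched domains, the case-switch threshold and the names `Finding`, `triage` and `case_switches` are my assumptions.

```python
"""Heuristic triage of a DDS / HijackThis-style log (added example, not a DDS feature)."""
import re
from dataclasses import dataclass

# Sample input: lines copied from the DDS log posted above (an excerpt, not the whole log).
SAMPLE_LOG = r"""
C:\WINDOWS\623904815:3505901530.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Security Protection] c:\documents and settings\all users\application data\defender.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [utilman] %APPDATA%\utilman.exe
dRun: [winPadusb] rundll32.exe "c:\documents and settings\networkservice\local settings\application data\hpobjppm\winPadusb.dll",mfcPadclass acxmapdlg
dRun: [iMXxHFmRWxGIKn] c:\documents and settings\all users\application data\iMXxHFmRWxGIKn.exe
LSA: Authentication Packages = msv1_0 wvauth
LSA: Notification Packages = scecli sorifere.dll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 95.64.61.145 www.google.com
Hosts: 95.64.61.146 www.bing.com
"""

# Assumption: folders an autorun on a healthy XP box should not be launched from.
USER_WRITABLE = ("\\application data\\", "%appdata%", "\\local settings\\", "\\temp\\")
# Assumption: LSA packages present on a plain XP install; add vendor modules you have verified.
KNOWN_LSA = {"authentication packages": {"msv1_0"}, "notification packages": {"scecli"}}
# Domains whose hosts-file mapping to a non-loopback address is a search/DNS hijack signal.
WATCHED_DOMAINS = ("google.", "bing.", "yahoo.", "microsoft.", "windowsupdate.")

RUN_RE = re.compile(r"^[umd]Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")
LSA_RE = re.compile(r"^LSA:\s+(?P<key>[^=]+?)\s*=\s*(?P<pkgs>.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\")
# Every drive- or %VAR%-rooted path in a command, quoted or not, ending in a PE extension.
PATH_RE = re.compile(r'(?:%\w+%|[A-Za-z]:)\\[^",]*?\.(?:exe|dll|com|scr|bat)', re.I)


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def case_switches(name: str) -> int:
    """Upper/lower transitions in a name: a crude signal for generated names like iMXxHFmRWxGIKn."""
    letters = [c for c in name if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.islower() != b.islower())


def check_autorun(line: str, cmd: str) -> list[Finding]:
    """Apply the folder and random-name rules to every path in one uRun/mRun/dRun command."""
    out = []
    for path in PATH_RE.findall(cmd):
        low = path.lower()
        if any(folder in low for folder in USER_WRITABLE):
            out.append(Finding(line, f"autorun launched from user-writable folder: {path}"))
        name = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if len(name) >= 10 and case_switches(name) >= 5:
            out.append(Finding(line, f"autorun with random-looking file name: {path}"))
    return out


def triage(log: str) -> list[Finding]:
    """Run every rule over the log text and return the flagged lines with reasons."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            findings.extend(check_autorun(line, m["cmd"]))
        elif m := LSA_RE.match(line):
            key = m["key"].strip().lower()
            unknown = set(m["pkgs"].lower().split()) - KNOWN_LSA.get(key, set())
            if unknown:
                findings.append(Finding(line, "unexpected LSA package(s): " + ", ".join(sorted(unknown))))
        elif m := HOSTS_RE.match(line):
            host, ip = m["host"].lower(), m["ip"]
            if not ip.startswith("127.") and any(d in host for d in WATCHED_DOMAINS):
                findings.append(Finding(line, f"hosts file redirects {host} to {ip}"))
        elif PROC_RE.match(line) and line.count(":") > 1:
            # A second ':' after the drive letter means the image runs from an alternate data stream.
            findings.append(Finding(line, "process image is an alternate data stream"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Every flag is a reason to look, not a verdict: vendor LSA modules (the Wave Systems software in this log is one candidate) and legitimate per-user updaters will be listed too and have to be verified against the installed software.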



#2 B-boy/StyLe/

B-boy/StyLe/

    Bleeping Freestyler


  • Malware Response Team
  • 6,379 posts
  • Gender:Male
  • Location:Bulgaria

Posted 16 October 2011 - 04:27 AM

Hello lostinhell ! Welcome to BleepingComputer Forums! :welcome:

My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.



IMPORTANT NOTE: One or more of the identified infections is related to the rootkit ZeroAccess. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to continue please do this:



I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AVG or Bitdefender.


We need to uninstall AVG because it will conflict with our tools.


Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

AVG

Additional instructions can be found here if needed.

Next please download AVG Remover and save it to your desktop.

Run it to remove all leftovers from AVG. After this, please restart your computer.



Please download ComboFix from the link below:

Combofix

Save it to your Desktop <-- Important!!!

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click it & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply



Regards,
Georgi

Edited by B-boy/StyLe/, 16 October 2011 - 04:29 AM.

My help is always free of charge. If you appreciate my work, you can buy me a beer or two by clicking here.

#3 lostinhell

lostinhell
  • Topic Starter

  • Members
  • 41 posts

Posted 16 October 2011 - 07:58 AM

Hello Georgi,

Thanks for your help. I have tried to uninstall AVG and it will not finish. I have pasted the response given as the error.

It pops up "uninstall failed. One error and one warning occurred. Click details." Pasted here are the details.


Local machine: installation failed
Initialization:
Warning: Checking of state of the item file avgcsrvx.exe failed.
File opening failed. %FILE% = ""
Error 0xe001042c
Installation:
Error: Action failed for file avgcsrvx.exe: creating backup....
Error 0x80070005 %DESTINATION% = "C:\Program Files\AVG\AVG8\avgcsrvx.exe.install_backup", %SOURCE% = "C:\Program Files\AVG\AVG8\avgcsrvx.exe"

I have not proceeded to next step with Combofix. What is my next step?

#4 B-boy/StyLe/

B-boy/StyLe/

    Bleeping Freestyler


  • Malware Response Team
  • 6,379 posts
  • Gender:Male
  • Location:Bulgaria

Posted 16 October 2011 - 08:21 AM

Hi,



Did you try to uninstall it with the official uninstaller I gave you - AVG Remover?

If no joy please download and install Revo Uninstaller 1.93.
Then please run Revo Uninstaller and select AVG.
Please click Uninstall icon to uninstall the selected program.
Please choose Advanced.
Then click Next and follow the prompts.
Please click Select All and Delete to delete all registry items, folders and files listed by Revo.
If asked to restart the computer, please do so immediately.



If no joy again, it is possible that the avg files are locked by the infection.
Before I try to unlock them let's try to remove the main rootkit component first so please try to run Combofix.
Let me know about the results.



Regards,
Georgi

#5 lostinhell

lostinhell
  • Topic Starter

  • Members
  • 41 posts

Posted 16 October 2011 - 09:02 AM

Revo did remove AVG. I am running ComboFix and it was running fine until it popped up and said root access was in the tp stack and was going to reboot. It instructed me not to reboot myself, but now it seems to be locked up with the blank background screen. It has been that way for ten minutes. Should I reboot?

#6 lostinhell

lostinhell
  • Topic Starter

  • Members
  • 41 posts

Posted 16 October 2011 - 09:24 AM

Hi Georgia
I went ahead and rebooted. Combofix is running thru its stages. Will send log when completed.
Hansel

#7 lostinhell

lostinhell
  • Topic Starter

  • Members
  • 41 posts

Posted 16 October 2011 - 09:26 AM

Sorry about the "a", Georgi. Last two replies are from my cell phone.
Hansel

#8 B-boy/StyLe/

B-boy/StyLe/

    Bleeping Freestyler


  • Malware Response Team
  • 6,379 posts
  • Gender:Male
  • Location:Bulgaria

Posted 16 October 2011 - 10:04 AM

Hi,


Not a problem about the "a". :)
Please keep me posted about the results.



Regards,
Georgi

#9 lostinhell

lostinhell
  • Topic Starter

  • Members
  • 41 posts

Posted 16 October 2011 - 10:31 AM

Georgi,

Here is the combofix report as an attachment. Let me know what I need to do next.

thanks, Hansel


#10 B-boy/StyLe/

B-boy/StyLe/

    Bleeping Freestyler


  • Malware Response Team
  • 6,379 posts
  • Gender:Male
  • Location:Bulgaria

Posted 16 October 2011 - 10:43 AM

Hi Hansel,



Is this a laptop PC? If so, could you please tell me the exact model of your laptop?

We need to download and reinstall the programs that were deleted by Combofix. (since they were infected by the rootkit).



  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:
    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt
    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.



I'll be away for awhile.
In the meantime please do this:


I'd like us to scan your machine with ESET OnlineScan


  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Run ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


Regards,
Georgi

#11 lostinhell

lostinhell
  • Topic Starter

  • Members
  • 41 posts

Posted 16 October 2011 - 10:51 AM

Georgi,

here is the report.


Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Failed to open \\?\c:\\autoruns.exe: Access is denied.
Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\System Volume Information: Access is denied.
Failed to open \\?\c:\\ComboFix\PV.3XE: Access is denied.
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp: Access is denied.
Failed to open \\?\c:\\Documents and Settings\All Users\Documents\genericvir.exe: Access is denied.
Failed to open \\?\c:\\Documents and Settings\All Users\Documents\jonesfile.exe: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Hansel\Desktop\gmer.exe: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Hansel\Desktop\merg.exe: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Hansel\Desktop\procexp.exe: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Hansel\My Documents\Downloads\avg_remover_stf_x86_2012_1796.exe: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Hansel\My Documents\Downloads\iExplore.exe: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Hansel\My Documents\Downloads\winlogin.exe: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Hansel\My Documents\Downloads\ProcessExplorer\winlogin.exe: Access is denied.
Failed to open \\?\c:\\Program Files\BitDefender\BitDefender 2009\bdagent.exe: Access is denied.
Failed to open \\?\c:\\Program Files\BitDefender\BitDefender 2009\uiscan.exe: Access is denied.
Failed to open \\?\c:\\Program Files\BitDefender\BitDefender 2009\vsserv.exe: Access is denied.
Failed to open \\?\c:\\Program Files\dam\dam.com: Access is denied.
Failed to open \\?\c:\\Program Files\Internet Explorer\iexplore.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Mal\1111.com.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Mozilla Firefox\plugin-container.exe: Access is denied.
Failed to open \\?\c:\\Program Files\S&D\TeaTimer.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy\SpybotSD.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy\TeaTimer.exe: Access is denied.
Failed to open \\?\c:\\Program Files\SUPERAntiSpyware\caff174c-9fe5-434e-9fef-73d85c2ebabc.com: Access is denied.
Failed to open \\?\c:\\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Trend Micro\HijackThis\HijackThis.exe: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.
Failed to open \\?\c:\\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\MRT.exe: Access is denied.

No reparse points found.



I will do the scan now. Hansel

#12 lostinhell

Posted 16 October 2011 - 10:53 AM

I forgot to post that this is a laptop. Dell Latitude D820

#13 lostinhell

Posted 16 October 2011 - 12:06 PM

Georgi,

Here is the ESET scan. It doesn't look nice.

C:\Documents and Settings\ADMIN\Desktop\raidone.exe a variant of Win32/Adware.OpenInstall application
C:\Documents and Settings\Guest\Application Data\Sun\Java\Deployment\cache\6.0\56\3960bb8-60fbd4a6 a variant of Win32/Kryptik.TLP trojan
C:\Documents and Settings\Guest\Application Data\Sun\Java\Deployment\cache\6.0\58\37e3e83a-71d210bd a variant of Java/Agent.DU trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\2\76b5d642-15c7fe9b Java/Agent.DM trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\35\57013be3-108c8917 a variant of Win32/Kryptik.SNZ trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\59\3d29f53b-4b5056d5 a variant of Java/Agent.DM trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\6\46b84006-66f9d7c6 a variant of Win32/Kryptik.SKF trojan
C:\Program Files\BitDefender\BitDefender 2009\as2core\antispam_sig_106659\as2sign.slf HTML/Iframe.B.Gen virus
C:\Program Files\BitDefender\BitDefender 2009\as2core\antispam_sig_106700\as2sign.slf HTML/Iframe.B.Gen virus
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\Documents and Settings\ADMIN\Application Data\Remote\srjmh47.dll.vir Win32/AutoRun.Spy.Ambler.NAF worm
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\3543.tmp.vir a variant of Win32/Kryptik.SJO trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\B1CF.tmp.vir a variant of Win32/Kryptik.SJO trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\C580.tmp.vir a variant of Win32/Kryptik.SJO trojan
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\defender.exe.vir a variant of Win32/Kryptik.SJO trojan
C:\Qoobox\Quarantine\C\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\Program Files\Dell\QuickSet\NICCONFIGSVC.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\Program Files\Intel\Wireless\Bin\EvtEng.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\Program Files\Intel\Wireless\Bin\RegSrvc.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\Program Files\Intel\Wireless\Bin\S24EvMon.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\Program Files\Intel\Wireless\Bin\WLKeeper.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\Program Files\Java\jre6\bin\jqs.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\Program Files\StartNow Toolbar\ToOLbar32.dll.vir a variant of Win32/Toolbar.Zugo application
C:\Qoobox\Quarantine\C\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\Program Files\SUPERAntiSpyware\SASCORE.EXE.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\Program Files\Wave Systems Corp\common\DataServer.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir a variant of Win32/Sirefef.CH trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\lxdccoms.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\nvsvc32.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\wuauclt.exe.vir Win32/Patched.HN trojan
C:\TDSSKiller_Quarantine\03.10.2011_17.07.20\rtkt0000\svc0000\tsk0000.dta a variant of Win32/Rootkit.Kryptik.DM trojan
C:\TDSSKiller_Quarantine\03.10.2011_17.07.20\susp0000\svc0000\tsk0000.dta Win32/Sirefef.CT trojan
C:\WINDOWS\system32\drivers\redbook.svs a variant of Win32/Rootkit.Kryptik.DM trojan
C:\WINDOWS\system32\drivers\redbook.sys a variant of Win32/Rootkit.Kryptik.DM trojan

I await your return. thanks a million.

Hansel

#14 B-boy/StyLe/

Malware Response Team

Posted 16 October 2011 - 04:44 PM

Hi Hansel,


STEP 1


Please download GrantPerms.zip and save it to your desktop.
Unzip the file and run GrantPerms.exe
Copy and paste the following in the edit box:

c:\autoruns.exe
c:\ComboFix\PV.3XE
c:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp
c:\Documents and Settings\All Users\Documents\genericvir.exe
c:\Documents and Settings\All Users\Documents\jonesfile.exe
c:\Documents and Settings\Hansel\Desktop\gmer.exe
c:\Documents and Settings\Hansel\Desktop\merg.exe
c:\Documents and Settings\Hansel\Desktop\procexp.exe
c:\Documents and Settings\Hansel\My Documents\Downloads\avg_remover_stf_x86_2012_1796.exe
c:\Documents and Settings\Hansel\My Documents\Downloads\iExplore.exe
c:\Documents and Settings\Hansel\My Documents\Downloads\winlogin.exe
c:\Documents and Settings\Hansel\My Documents\Downloads\ProcessExplorer\winlogin.exe
c:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
c:\Program Files\BitDefender\BitDefender 2009\uiscan.exe
c:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
c:\Program Files\dam\dam.com
c:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Mal\1111.com.exe
c:\Program Files\Mozilla Firefox\plugin-container.exe
c:\Program Files\S&D\TeaTimer.exe
c:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
c:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\Program Files\SUPERAntiSpyware\caff174c-9fe5-434e-9fef-73d85c2ebabc.com
c:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
c:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\Qoobox\BackEnv
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\WINDOWS\system32\MRT.exe


Click Unlock. When it is done click "OK".
Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.



STEP 2


We need to run an OTL Fix



  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"
    :files
    C:\Documents and Settings\Guest\Application Data\Sun\Java\Deployment\cache\6.0\56\3960bb8-60fbd4a6
    C:\Documents and Settings\Guest\Application Data\Sun\Java\Deployment\cache\6.0\58\37e3e83a-71d210bd
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\2\76b5d642-15c7fe9b
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\35\57013be3-108c8917
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\59\3d29f53b-4b5056d5
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\6\46b84006-66f9d7c6
    C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
    :commands
    [reboot]
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If a report is not shown please navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present.
  • Copy/paste the content of the log back here in your next post.



STEP 3



Please read carefully and follow these steps.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


Please delete your copy of TDSSKiller and download the latest version from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


Regards,
Georgi

Edited by B-boy/StyLe/, 16 October 2011 - 04:45 PM.

My help is always free of charge. If you appreciate my work, you can buy me a beer or two by clicking here.

#15 lostinhell

Posted 16 October 2011 - 05:25 PM

Georgi,

What is OTL? I don't recall using that before. Here is the post from GrantPerms.

GrantPerms by Farbar
Ran by Hansel at 2011-10-16 17:19:36

===============================================
\\?\c:\autoruns.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\ComboFix\PV.3XE

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Documents and Settings\All Users\Documents\genericvir.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Documents and Settings\All Users\Documents\jonesfile.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Documents and Settings\Hansel\Desktop\gmer.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Documents and Settings\Hansel\Desktop\merg.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Documents and Settings\Hansel\Desktop\procexp.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Documents and Settings\Hansel\My Documents\Downloads\avg_remover_stf_x86_2012_1796.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Documents and Settings\Hansel\My Documents\Downloads\iExplore.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Documents and Settings\Hansel\My Documents\Downloads\winlogin.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Documents and Settings\Hansel\My Documents\Downloads\ProcessExplorer\winlogin.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Program Files\BitDefender\BitDefender 2009\bdagent.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Program Files\BitDefender\BitDefender 2009\uiscan.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Program Files\dam\dam.com

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Program Files\Internet Explorer\iexplore.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Program Files\Mal\1111.com.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Program Files\Mozilla Firefox\plugin-container.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Program Files\S&D\TeaTimer.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Program Files\SUPERAntiSpyware\caff174c-9fe5-434e-9fef-73d85c2ebabc.com

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\Qoobox\BackEnv

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
BUILTIN\Administrators FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\WINDOWS\system32\MRT.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)
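
The Perms.txt above was listed after Unlock, so every entry already shows the baseline that GrantPerms restores: owner BUILTIN\Administrators, a protected DACL with FULL for Administrators and SYSTEM and READ/EXECUTE for Users. The script below is an added example, not part of this thread and not Farbar's code. It parses that Perms.txt layout (path line, "Owner:", "DACL(...)", one ACE per line) and reports every entry that deviates in a way that would refuse an administrator: a DENY ACE, an empty DACL, a different owner, or no FULL ALLOW for Administrators or SYSTEM. That is the check to run on a listing taken before Unlock, or on a second listing to confirm the reset held. The rights keyword list, the baseline itself and the c:\example\locked.exe entry are my assumptions; the first two sample entries are copied from the output above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ACE_RE = re.compile(r"^(?P<lhs>.+?)\s+(?P<kind>ALLOW|DENY)(?:\s+(?P<flags>\(.*\)))?\s*$")
# Rights keywords seen in the posted Perms.txt (assumed list, longest first).
KNOWN_RIGHTS = ["READ/EXECUTE", "ADD SUBDIRECTORY", "ADD FILE", "FULL", "MODIFY", "WRITE", "READ"]
BASELINE_OWNER = "BUILTIN\\Administrators"   # owner GrantPerms reports after Unlock

@dataclass
class Ace:
    identity: str
    rights: str
    kind: str        # "ALLOW" or "DENY"
    flags: str = ""  # "(NI)", "(CI)(OI)(I)", ...

@dataclass
class Entry:
    path: str
    owner: Optional[str] = None
    dacl_flags: str = ""  # "(P)(AI)" = protected (no inheritance), "(NP)(AI)" = inheriting
    aces: List[Ace] = field(default_factory=list)

def parse_ace(line: str) -> Ace:
    """Split 'IDENTITY RIGHTS ALLOW|DENY (flags)'; identities may contain spaces."""
    m = ACE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised ACE line: {line!r}")
    lhs, kind, flags = m.group("lhs"), m.group("kind"), m.group("flags") or ""
    for r in KNOWN_RIGHTS:
        if lhs.endswith(" " + r):
            return Ace(lhs[: -len(r) - 1], r, kind, flags)
    identity, _, rights = lhs.rpartition(" ")   # unknown keyword: last word is the right
    return Ace(identity, rights, kind, flags)

def parse_perms(text: str) -> List[Entry]:
    entries: List[Entry] = []
    cur: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("=", "GrantPerms", "Ran by")):
            continue                                 # banner and separator lines
        if line.startswith("\\\\?\\"):                # each entry opens with its \\?\ path
            cur = Entry(path=line)
            entries.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Owner:"):
            cur.owner = line[len("Owner:"):].strip()
        elif line.startswith("DACL"):
            cur.dacl_flags = line[len("DACL"):].rstrip(":")
        else:
            cur.aces.append(parse_ace(line))
    return entries

def lockout_reasons(e: Entry) -> List[str]:
    """Ways this entry could refuse an administrator; empty list = matches the baseline."""
    def has_full(who: str) -> bool:
        return any(a.identity == who and a.rights == "FULL" and a.kind == "ALLOW" for a in e.aces)
    reasons = []
    if e.owner != BASELINE_OWNER:
        reasons.append(f"owner is {e.owner}")
    if not e.aces:
        reasons.append("empty DACL (nobody is granted anything)")
    reasons += [f"DENY {a.rights} for {a.identity}" for a in e.aces if a.kind == "DENY"]
    for who in (BASELINE_OWNER, "NT AUTHORITY\\SYSTEM"):
        if not has_full(who):
            reasons.append(f"no FULL ALLOW for {who}")
    return reasons

def audit(text: str) -> Dict[str, List[str]]:
    return {e.path: lockout_reasons(e) for e in parse_perms(text)}

# Constructed sample. The first two entries are copied from the Perms.txt above (the
# blank lines inside each entry are dropped; the parser skips them anyway);
# c:\example\locked.exe is invented to show what a locked-out file looks like.
SAMPLE = r"""GrantPerms by Farbar
\\?\c:\Documents and Settings\Hansel\Desktop\gmer.exe
Owner: BUILTIN\Administrators
DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Qoobox\BackEnv
Owner: BUILTIN\Administrators
DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)

\\?\c:\example\locked.exe
Owner: NT AUTHORITY\SYSTEM
DACL(P)(AI):
Everyone FULL DENY (NI)
"""

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE).items():
        print(path, "->", "OK" if not reasons else "; ".join(reasons))
```

To run it against a real listing, pass the file contents to audit(), for example audit(open("Perms.txt").read()). An entry with no ACE lines is reported as an empty DACL; in Windows an empty DACL grants nobody access while a NULL (absent) DACL grants everyone full access, and this parser cannot tell the two apart from the text, so check such an entry by hand. On the output posted above every entry comes back clean, which is what you expect after Unlock; the invented locked.exe entry is there only to show the shape of a hit.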



