BleepingComputer.com: infected with "windows security center" virus


infected with "windows security center" virus Not able to remove!

#1 idunwonoo (New Member; Group: Members; Posts: 6; Joined: 04-April 11)

Posted 04 April 2011 - 10:09 PM

.
DDS (Ver_11-03-05.01) - NTFSx86 MINIMAL
Run by wonoo-sony at 21:59:05.98 on Mon 04/04/2011
Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.1618 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Users\wonoo-sony\AppData\Local\ixv.exe
C:\Windows\explorer.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\wonoo-sony\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: vShare Toolbar: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.6.26.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: vShare Toolbar: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [{E6CFCD35-93DF-79FF-4052-9C64B3819F12}] c:\users\wonoo-sony\appdata\roaming\ufifyc\puif.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Apoint] c:\program files\apoint\Apoint.exe
StartupFolder: c:\users\wonoo-~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\viikii~1.lnk - c:\program files\viikiidesktopplugin\ViiKiiDesktopPlugin.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.6.26.dll/206
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: ninjavideo.net\www
DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} - hxxp://esupport.sony.com/VaioInfo.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} - hxxp://www.wooriwm.com/js/keyboard_e2e/scsk/SCSK4_VISTA.cab
DPF: {6ACE5675-7EE8-49CF-B550-933B6C8B05C2} - hxxp://www.wooriwm.com/ticker/WebTicker.cab
DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - hxxp://download.softforum.co.kr/Published/XecureWeb/v7.2.3.3/xw_install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EC5D5118-9FDE-4A3E-84F3-C2B711740E70} - hxxp://www.wooriwm.com/id/certify/SKCommAX.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\wonoo-~1\appdata\roaming\mozilla\firefox\profiles\l241sw93.default\
FF - component: c:\users\wonoo-sony\appdata\roaming\mozilla\firefox\profiles\l241sw93.default\extensions\vshare@toolbar\components\toolbarhomewmp.dll
FF - plugin: c:\program files\ahnlab\asp\components\aosmgr\npaosmgr.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\softforum\xecureweb\activex\npxwebplugin.dll
FF - plugin: c:\program files\softforum\xecureweb\activex\npxwebplugin_file.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: vShare: vshare@toolbar - %profile%\extensions\vshare@toolbar
FF - Ext: XULRunner: {D15620EB-3778-4A9A-87C7-B5922FF60A89} - c:\users\wonoo-sony\appdata\local\{D15620EB-3778-4A9A-87C7-B5922FF60A89}
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-9 135664]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-8-10 24652]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-8-10 28464]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\drivers\R5U870FLx86.sys [2009-8-10 75008]
S3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\drivers\R5U870FUx86.sys [2009-8-10 43904]
S3 scskusbf;USB SCSK Filter Driver Service;c:\windows\system32\drivers\scskusbf.sys [2010-10-14 18360]
S3 scskusbs;USB SCSK Driver Service;c:\windows\system32\drivers\scskusbs.sys [2010-10-14 191040]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2009-8-10 812544]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-04-05 00:26:31 226425 --sha-w- c:\users\wonoo-~1\appdata\local\ixv.exe
2011-04-05 00:26:13 226425 --sha-w- c:\users\wonoo-~1\appdata\local\gqy.exe
2011-04-01 21:57:58 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{0f5d32bd-bf73-475c-a695-664e5418c70c}\mpengine.dll
2011-03-21 14:02:08 231936 ----a-w- c:\windows\system32\msshsq.dll
2011-03-20 12:16:20 80896 ----a-w- c:\windows\system32\MSNP.ax
2011-03-20 12:16:15 293376 ----a-w- c:\windows\system32\psisdecd.dll
2011-03-20 12:16:15 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-03-20 12:11:22 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2011-03-20 12:11:22 49472 ----a-w- c:\windows\system32\netfxperf.dll
2011-03-20 12:11:22 297808 ----a-w- c:\windows\system32\mscoree.dll
2011-03-20 12:11:22 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2011-03-20 12:11:22 1130824 ----a-w- c:\windows\system32\dfshim.dll
2011-03-19 17:48:09 168960 ----a-w- c:\program files\windows media player\wmplayer.exe
2011-03-19 17:48:07 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2011-03-19 17:46:55 866816 ----a-w- c:\windows\system32\wmpmde.dll
2011-03-19 12:34:26 -------- d-----w- C:\PerfLogs
.
==================== Find3M ====================
.
2011-03-19 12:22:47 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2011-03-19 12:22:41 82432 ----a-w- c:\windows\system32\axaltocm.dll
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-08 07:50:00 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 05:57:10 292352 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 22:00:09.83 ===============

I used to be able to remove this virus from my parent's laptop with ease... by force-running System Restore the instant the laptop started up... but now it seems that doesn't work. Not in safe mode either. HELP!

I forbid all "walking viruses" to use my main computer.

"Vista Home Security - Unregistered Version"

I have not run ComboFix as it states not to unless requested. I tried the whole Rkill, eXplorer.exe, and mbam-setup.exe steps but those don't seem to work either. Rkill opens up but eventually disappears, not doing anything to the malware, and the other 2 .exe files do not open at all. Please advise.

EDIT: Posts merged ~BP

Attached File(s)

  • ark.txt (729 bytes)
  • Attach.txt (3.58K)

This post has been edited by Budapest: 05 April 2011 - 04:07 PM
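The DDS log above is the kind of output a malware-response helper reads by eye, and the two tells in it are an executable running out of AppData\Local (ixv.exe) and a uRun value with a bare-GUID name pointing into AppData\Roaming. As an added example, not part of this thread and not code from the DDS tool or from BleepingComputer, here is a small Python triage that parses the "Running Processes" and uRun/mRun entries of a DDS report and flags exactly those two indicators; it also treats any Temp directory as user-writable, which goes slightly beyond what this log shows. The sample report it parses is constructed in the DDS layout with a generic user name and is not copied from the poster's log.

```python
import re

# Constructed sample in the DDS report layout (generic user name; not the poster's log).
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k netsvcs
C:\Users\alice\AppData\Local\ixv.exe
C:\Windows\explorer.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [{E6CFCD35-93DF-79FF-4052-9C64B3819F12}] c:\users\alice\appdata\roaming\ufifyc\puif.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [<NO NAME>]
.
============= FINISH: 22:00:09.83 ===============
"""

SECTION_HEADER = re.compile(r'^=+\s*(.*?)\s*=+$')
RUN_ENTRY = re.compile(r'^([um]Run): \[(.*?)\] ?(.*)$')
# Paths a standard user can write to; legitimate autoruns are rarely installed there.
USER_WRITABLE = re.compile(r'\\users\\[^\\]+\\appdata\\(local|roaming)\\|\\temp\\', re.I)
# Run values named like a bare GUID are a common rogue-AV / Zbot persistence style.
GUID_NAME = re.compile(r'^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.I)


def parse_dds(text):
    """Split a DDS report into (process command lines, [(hive, name, command), ...])."""
    processes, autoruns = [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_HEADER.match(line)
        if header:
            section = header.group(1)
            continue
        if line in ('', '.'):
            continue
        if section == 'Running Processes':
            processes.append(line)
        elif section == 'Pseudo HJT Report':
            entry = RUN_ENTRY.match(line)
            if entry:
                autoruns.append(entry.groups())
    return processes, autoruns


def triage(text):
    """Return [(where, item, reason)] for processes and autoruns worth a closer look."""
    processes, autoruns = parse_dds(text)
    findings = []
    for cmdline in processes:
        if USER_WRITABLE.search(cmdline):
            findings.append(('process', cmdline, 'running from a user-writable directory'))
    for hive, name, command in autoruns:
        reasons = []
        if USER_WRITABLE.search(command):
            reasons.append('autorun target in a user-writable directory')
        if GUID_NAME.match(name):
            reasons.append('GUID-style Run value name')
        if reasons:
            findings.append((hive, f'[{name}] {command}', '; '.join(reasons)))
    return findings


if __name__ == '__main__':
    for where, item, reason in triage(SAMPLE_DDS):
        print(f'{where:8} {reason}\n         {item}')
```

Run it against a saved DDS.txt by reading the file into triage(); a clean machine should produce no findings, and each hit names the hive (uRun = HKCU, mRun = HKLM) so you know where the persistence lives.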


#2 idunwonoo (New Member; Group: Members; Posts: 6; Joined: 04-April 11)

Posted 05 April 2011 - 06:56 PM

Guess what? I found out how I could open .EXE files with this problem. I downloaded exefix_vista.reg and after running it on my problematic laptop, I was able to run the mbam-setup.exe to install MalwareBytes Anti-Malware. Now I am currently scanning my laptop for this crap and hopefully it will resolve the issue. I will update more as soon as I'm done scanning.
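The .reg fix in the post above works because this family of rogues hijacks the .exe file association: a per-user HKCU\Software\Classes\.exe key, which a standard user can write, shadows the machine-wide HKLM entry, so every program the user launches is routed through whatever open command the malware planted there, and mbam-setup.exe never starts until the defaults are restored. As an added example (not from this thread, not the contents of exefix_vista.reg, and not Malwarebytes code), this Python check walks the .exe -> ProgID -> shell\open\command chain in both hives and reports a per-user override or a non-stock command. The two registry snapshots, including the shape of the rogue command and the user name alice, are constructed; the winreg reader is only used when the script runs on a Windows host.

```python
import sys

# Stock Windows launch template for exefile\shell\open\command.
STOCK_COMMANDS = {'"%1" %*', '%1 %*'}


def winreg_reader(root, subkey, name):
    """Read one registry value on a live Windows host (None if key or value is absent)."""
    import winreg  # stdlib, Windows only
    hive = {'HKCU': winreg.HKEY_CURRENT_USER, 'HKLM': winreg.HKEY_LOCAL_MACHINE}[root]
    try:
        with winreg.OpenKey(hive, subkey) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return None


def dict_reader(snapshot):
    """Reader over a constructed {(root, subkey, name): value} snapshot, for offline use."""
    return lambda root, subkey, name: snapshot.get((root, subkey, name))


def check_exe_association(read_value):
    """Return [(where, value, problem)] for anything in the .exe association chain that is not stock."""
    findings = []
    base = r'Software\Classes'
    for root in ('HKCU', 'HKLM'):
        progid = read_value(root, base + r'\.exe', '')
        if progid is None:
            continue  # no key in this hive, so nothing to override with
        if root == 'HKCU':
            # A clean profile has no per-user .exe mapping at all; its mere presence
            # shadows the HKLM default for this user without needing admin rights.
            findings.append((root + '\\' + base + r'\.exe', progid, 'per-user .exe override present'))
        if progid.lower() != 'exefile':
            findings.append((root + '\\' + base + r'\.exe', progid, 'ProgID is not exefile'))
        cmd_key = base + '\\' + progid + r'\shell\open\command'
        command = read_value(root, cmd_key, '')
        if command is None or command.strip() not in STOCK_COMMANDS:
            findings.append((root + '\\' + cmd_key, command, 'open command is not "%1" %*'))
    return findings


# Constructed snapshots (not read from the poster's machine).
CLEAN = {
    ('HKLM', r'Software\Classes\.exe', ''): 'exefile',
    ('HKLM', r'Software\Classes\exefile\shell\open\command', ''): '"%1" %*',
}
HIJACKED = dict(CLEAN)
HIJACKED.update({
    ('HKCU', r'Software\Classes\.exe', ''): 'exefile',
    # Constructed hijack shape: the rogue binary runs first and receives the real target as %1.
    ('HKCU', r'Software\Classes\exefile\shell\open\command', ''):
        r'"C:\Users\alice\AppData\Local\ixv.exe" "%1" %*',
})

if __name__ == '__main__':
    reader = winreg_reader if sys.platform == 'win32' else dict_reader(HIJACKED)
    findings = check_exe_association(reader) or [('-', None, 'association looks stock')]
    for where, value, problem in findings:
        print(f'{problem}: {where} = {value!r}')
```

On a stock profile the HKCU branch yields nothing, so any per-user hit is itself the finding. A repair such as the exefix_vista.reg the poster used typically removes that per-user override and restores the exefile open command; after importing it, running this check on the live host should return an empty list.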

#3 idunwonoo (New Member; Group: Members; Posts: 6; Joined: 04-April 11)

Posted 05 April 2011 - 07:31 PM

Completed scanning, got rid of the trojans, and I'm back in mother f'in business. Kudos to me. Here's the log created by Malwarebytes.


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19019

4/5/2011 8:23:02 PM
mbam-log-2011-04-05 (20-23-02).txt

Scan type: Full scan (C:\|)
Objects scanned: 241366
Time elapsed: 28 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{E6CFCD35-93DF-79FF-4052-9C64B3819F12} (Trojan.ZbotR.Gen) -> Value: {E6CFCD35-93DF-79FF-4052-9C64B3819F12} -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\wonoo-sony\AppData\Local\Temp\00004e96 (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Users\wonoo-sony\AppData\Local\Temp\mwnreoacsx.exe (Rootkit.Dropper) -> Quarantined and deleted successfully.
c:\Users\wonoo-sony\AppData\Local\Temp\namexowcrs.exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Users\wonoo-sony\AppData\Local\Temp\hoagfk.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\wonoo-sony\AppData\Local\Temp\tmp42ebe015.exe (Trojan.PWS) -> Quarantined and deleted successfully.
c:\Users\wonoo-sony\AppData\Local\Temp\BNCCBE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\wonoo-sony\AppData\Local\Temp\C77F.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\Users\wonoo-sony\AppData\Local\Temp\CF9D.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\Users\wonoo-sony\AppData\Local\Temp\uhedyvt.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Users\wonoo-sony\AppData\Local\Temp\eivtqgg.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Users\wonoo-sony\AppData\Local\Temp\roumxi.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Users\wonoo-sony\AppData\Local\Temp\rropyvnl.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\Users\wonoo-sony\AppData\Local\Temp\rwmsaexcon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\wonoo-sony\AppData\Local\Temp\RarSFX0\ezwi1810.exe (Adware.BHO) -> Quarantined and deleted successfully.
c:\Users\wonoo-sony\AppData\Local\Temp\RarSFX0\smwi1810.exe (Adware.BHO) -> Quarantined and deleted successfully.
c:\Users\wonoo-sony\AppData\Local\virtualstore\Windows\System32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\wonoo-sony\downloads\gameztar_installer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\clk345.nlss (Rootkit.Tiny) -> Quarantined and deleted successfully.
c:\Users\wonoo-sony\AppData\Local\Temp\0.3004145351829225.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Users\wonoo-sony\AppData\Local\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\wonoo-sony\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

#4 Budapest (Bleepin' Cynic; Group: Moderator; Posts: 22,235; Joined: 11-November 06; Gender: Male)

Posted 06 April 2011 - 04:07 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
