Insecure Internet Activity. Threat Of Virus Attack


  • This topic is locked
2 replies to this topic

#1 Brenton Reinke

  • Members
  • 1 posts
  • OFFLINE
  • Local time:01:01 PM

Posted 02 June 2008 - 01:22 AM

Hello, I recently ran into an annoying message that I would get almost every time I tried to navigate between web pages. The message would come up saying "Insecure Internet Activity. Threat of Virus Attack" and would supply a link to a web page telling me I needed to download a program called "SpyGuard." After doing a little research I found out that it is a virus, and the program it wanted me to download is fake. So I did some further searching on how to remove this virus and came across this link http://www.bleepingcomputer.com/forums/top...tml#entry840027

I did everything that "Thunder" suggested. When I was finished running ComboFix, I was advised that I should post a log on here for a helper to further analyze. The problem seems to be resolved, but I figured I should post a log anyway.

Thanks
Brent

ComboFix 08-06-01.6 - Danielle 2008-06-01 23:54:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.431 [GMT -6:00]
Running from: C:\Documents and Settings\Danielle\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Danielle\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Danielle\Application Data\FunWebProducts
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-02 to 2008-06-02 )))))))))))))))))))))))))))))))
.

2008-06-01 23:28 . 2008-06-01 23:28 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-01 23:28 . 2008-06-01 23:28 d-------- C:\Documents and Settings\Danielle\Application Data\Malwarebytes
2008-06-01 23:28 . 2008-06-01 23:28 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-01 23:28 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-01 23:28 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-01 22:52 . 2008-06-01 22:52 d-------- C:\WINDOWS\system32\bits
2008-06-01 22:52 . 2007-03-29 06:56 409,600 --------- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-06-01 22:52 . 2007-03-29 06:56 18,944 --------- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-06-01 22:52 . 2007-03-29 06:56 8,192 --------- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-06-01 22:52 . 2007-03-29 06:56 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-06-01 22:52 . 2007-03-29 06:56 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-06-01 22:52 . 2007-03-29 06:56 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2008-06-01 21:17 . 2008-06-01 22:43 d-------- C:\Program Files\Windows Live Safety Center
2008-05-31 21:27 . 2008-05-31 21:40 4,614 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-31 21:26 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-31 21:26 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-31 21:26 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-31 21:26 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-31 21:26 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-31 21:26 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-31 21:26 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-31 21:26 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-16 22:11 . 2008-05-20 20:55 d-------- C:\Documents and Settings\Danielle\Application Data\Restorer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-02 05:39 --------- d-----w C:\Program Files\Candystand Toolbar
2008-06-02 05:01 --------- d-----w C:\Documents and Settings\Danielle\Application Data\Skype
2008-06-02 03:04 --------- d-----w C:\Program Files\MySpace
2008-05-31 22:20 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-31 22:20 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-31 22:20 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-31 22:20 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-31 22:20 --------- d-----w C:\Program Files\Symantec
2008-05-31 22:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-31 22:11 --------- d-----w C:\Program Files\WildTangent
2008-05-31 22:09 --------- d-----w C:\Program Files\igLoader
2008-05-28 03:12 --------- d-----w C:\Program Files\Norton AntiVirus
2008-05-28 02:53 --------- d-----w C:\Program Files\MSN Messenger
2008-05-28 02:45 --------- d-----w C:\Program Files\Yahoo! Games
2008-05-28 02:45 --------- d-----w C:\Documents and Settings\Danielle\Application Data\Gamelab
2008-05-28 01:48 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-09 03:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-04-22 02:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\HipSoft
2008-04-22 02:39 --------- d-----w C:\Program Files\Build-a-lot 2 - Town of the Year
2008-04-22 02:35 --------- d-----w C:\Program Files\bfgclient
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-03 04:37 0 ----a-w C:\Program Files\temp01
2008-03-02 00:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-05 05:03 56 --sh--r C:\WINDOWS\system32\4CA4B3F7BA.sys
2007-11-07 03:25 88 --sh--r C:\WINDOWS\system32\BAF7B3A44C.sys
2007-11-07 03:25 6,580 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 04:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2005-04-27 13:04 6856704]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 18:32 25365032]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 09:29 50736]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-01-19 13:49 4670968]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 16:08 67160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01 67584]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 03:48 761947]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 08:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 08:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 08:45 118784]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 14:08 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-01-09 10:33 417792 C:\WINDOWS\stsystra.exe]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 02:12 94208]
"CTSVolFE.exe"="C:\Program Files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 14:57 57344]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-11 17:22 53096]
"Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [2007-04-10 12:01 1537640]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 09:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44 81920]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 18:05 1117184]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2006-11-01 01:04 321088]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2004-08-06 10:48 1450096]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41 49152]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-05-25 21:14:35 24576]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

S3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2007-06-04 13:18]
S3 USA19H;USA19H;C:\WINDOWS\system32\DRIVERS\USA19H2k.sys [2003-06-24 20:30]
S3 USA19H2KP;Keyspan USB Serial Port Driver;C:\WINDOWS\system32\DRIVERS\USA19H2kp.SYS [2003-06-24 20:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setupSNK.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-27 01:48:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-24 02:00:24 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Danielle.job"
- C:\PROGRA~1\NORTON~2\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 23:55:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-01 23:57:33
ComboFix-quarantined-files.txt 2008-06-02 05:57:02

Pre-Run: 22,653,988,864 bytes free
Post-Run: 22,999,707,648 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

184 --- E O F --- 2008-05-29 02:58:07
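The "Reg Loading Points" and mountpoints2 entries in a ComboFix log like the one above are what a helper reads first. As an added example (not part of this thread and not ComboFix's own code), the Python script below parses that REGEDIT4-style section from a constructed sample in the same format and flags Security Center notification/monitoring values set to 1 and AutoRun commands registered for a drive; the sample lines and the function name are this example's own.

```python
import re
from typing import List, Tuple

# Constructed sample in the format ComboFix prints (not the OP's log).
SAMPLE_LOG = """REGEDIT4

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" [2004-08-10 04:00 15360]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\D]
\\Shell\\AutoRun\\command - D:\\setupSNK.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# Security Center values that, when set to 1, silence its alerts or checks.
NOTIFY_NAMES = ("AntiVirusDisableNotify", "FirewallDisableNotify",
                "UpdatesDisableNotify", "DisableMonitoring")


def find_suspicious(log_text: str) -> List[Tuple[str, str]]:
    """Return (registry key, finding) pairs that merit a closer look."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")  # section header: remember the key
            continue
        # AutoRun handlers under mountpoints2 run when the drive is opened.
        if "mountpoints2" in current_key.lower() and "autorun" in line.lower():
            findings.append((current_key, "AutoRun command: " + line))
            continue
        v = VALUE_RE.match(line)
        if not v or "security center" not in current_key.lower():
            continue
        name, data = v.group("name"), v.group("data").strip()
        if name in NOTIFY_NAMES and data.lower() == "dword:00000001":
            findings.append((current_key, name + " set to 1"))
    return findings
```

Antivirus suites legitimately set DisableMonitoring when they register their own status with Security Center, so those hits are review items to check against the installed products, not proof of infection on their own.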

#2 pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  • Local time:03:01 PM

Posted 12 June 2008 - 04:17 PM

Welcome to Bleeping Computer, please be sure you have read and followed the
Preparation Guide For Use Before Posting A Hijackthis Log, Instructions for receiving help in cleaning your computer http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
All advice given is taken at your own risk.

I apologize for the wait, if your issues are not resolved, read the instructions posted above and then follow the directions below. If you no longer need help, I would appreciate a quick post letting me know so I can close your topic.

You want to be careful running fixes for other computers; rarely is the malware exactly the same. Having done it, post a Hijackthis log and tell me about any malware issues. I will be glad to take a look.

Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijac.../HJTInstall.exe
Double-click the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply using Add Reply.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  • Local time:03:01 PM

Posted 20 June 2008 - 10:11 AM

There has been no response to this topic in a week
This topic is closed
Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
