Infected With Some Type Of Virus/malware Help!


1 reply to this topic

#1 potential786


  • Members
  • 1 posts
  • OFFLINE

Posted 14 September 2008 - 11:17 AM

Really confused. Normally I can get the AV software or Spybot to remove whatever is causing the problem; however, this time it did not work.

My wife visited some website which resulted in her being infected. Sophos Anti-Virus picked up an issue:

1) Sus/ComPack-C (unsure if this is related to the problem)

The following symptoms can be noted:

A "You have a security problem" caption appears in the task bar every minute; if you click on it, it opens a browser which takes you to a SecureExpertCleaner website.

<hxxp://secureexpertcleaner.com/2009/4/?ex=1&ax=1&ed=2&h=10&sub=sxp&a=sxpthsm&l=1958&f=sp_1277761792&mt_info=6483_0_27302&rdr=1>

The site attempts to trick the user into downloading a virus protection program, indicating that you do not have virus protection.

Logs from Sophos Scan as follows:

20080914 134355 Scan 'New scan' started.
20080914 134412 Scanning "C:\Users\Shabana\ntuser.dat.LOG1" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134412 Scanning "C:\Users\Shabana\ntuser.dat.LOG2" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Google\Google Desktop\bb1d3f152e1f\dbc2e.ht1" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Google\Google Desktop\bb1d3f152e1f\dbdam" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Google\Google Desktop\bb1d3f152e1f\dbdao" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Google\Google Desktop\bb1d3f152e1f\dbeam" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Google\Google Desktop\bb1d3f152e1f\dbeao" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Google\Google Desktop\bb1d3f152e1f\dbm" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Google\Google Desktop\bb1d3f152e1f\dbu2d.ht1" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Google\Google Desktop\bb1d3f152e1f\dbvm.cf1" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Google\Google Desktop\bb1d3f152e1f\dbvmh.ht1" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Google\Google Desktop\bb1d3f152e1f\fii.cf1" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Google\Google Desktop\bb1d3f152e1f\fiih.ht1" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Google\Google Desktop\bb1d3f152e1f\hp" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Google\Google Desktop\bb1d3f152e1f\hpt2i.ht1" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Google\Google Desktop\bb1d3f152e1f\rpm.cf1" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Google\Google Desktop\bb1d3f152e1f\rpm1m.cf1" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Google\Google Desktop\bb1d3f152e1f\rpm1mh.ht1" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Google\Google Desktop\bb1d3f152e1f\rpmh.ht1" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Google\Google Desktop\bb1d3f152e1f\safeweb\goog-black-enchashm.cf1" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Google\Google Desktop\bb1d3f152e1f\safeweb\goog-black-enchashmh.ht1" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Google\Google Desktop\bb1d3f152e1f\safeweb\goog-black-urlm.cf1" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Google\Google Desktop\bb1d3f152e1f\safeweb\goog-black-urlmh.ht1" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Google\Google Desktop\bb1d3f152e1f\safeweb\goog-malware-domainm.cf1" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Google\Google Desktop\bb1d3f152e1f\safeweb\goog-malware-domainmh.ht1" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Google\Google Desktop\bb1d3f152e1f\safeweb\goog-white-domainm.cf1" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Google\Google Desktop\bb1d3f152e1f\safeweb\goog-white-domainmh.ht1" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134413 Scanning "C:\Users\Shabana\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134601 Scanning "D:\Windows\security\database\secedit.sdb" returned SAV Interface error 0xa0040210: The file could not be accessed.
20080914 134809 The device "Computer\DVD RW Drive (E:)" is not ready.
20080914 134809 Scan 'New scan' completed.
20080914 134809 Summary of results for scan 'New scan':
Items scanned: 13569
Errors: 31
Items quarantined: 0
Items dealt with: 0

=============================================

I have run Spybot Search and Destroy; however, nothing was detected. I also ran the Immunize option.

I then ran McAfee Stinger; however, this again did not detect any issues.

I finally decided to use HijackThis by Trend to submit my logs for analysis, as I believe this is a new newbie.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:10:45, on 14/09/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\OEM13Mon.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Users\Shabana\AppData\Local\Temp\CFEB.tmp.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Users\Shabana\AppData\Local\Temp\b.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://partnerpage.google.com/smallbiz.del...amp;ibd=1080823
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://partnerpage.google.com/smallbiz.del...amp;ibd=1080823
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [OEM13Mon.exe] C:\Windows\OEM13Mon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3033548137-3165609897-172156329-1004\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Shabana')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 8240 bytes




PLEASE HELP!!!


Edited by Orange Blossom, 11 February 2013 - 01:36 AM.
Deactivate link. ~ OB
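The two entries a responder would pull out of the HijackThis log above are the processes running from C:\Users\Shabana\AppData\Local\Temp\ (CFEB.tmp.exe and b.exe). The 31 Sophos "could not be accessed" errors, by contrast, are all on registry hive logs (ntuser.dat.LOG*, UsrClass.dat.LOG*), Google Desktop index files and secedit.sdb, which Windows holds open during a scan; they are not findings. What follows is an added example, not code from the original post or from HijackThis: a small triage script that parses the "Running processes", O4 and O23 sections of such a log and flags anything executing from a user-writable temp directory or carrying the short-hex "XXXX.tmp.exe" naming pattern. The sample input is a constructed subset of lines copied from the posted log; the heuristics (SUSPECT_DIRS, TMP_EXE_NAME) are this example's own assumptions about what deserves a second look, not rules from the thread.

```python
"""Triage of a HijackThis-style log: flag anything that executes from a
user-writable temp location.

Added example; not code from the original post or from HijackThis. The
sample log below is a constructed subset of lines copied from the posted
log. SUSPECT_DIRS and TMP_EXE_NAME are this example's own assumptions.
"""
import re

# Directories any user-level process can write to. Legitimate software is
# installed elsewhere, so executables living here deserve scrutiny.
SUSPECT_DIRS = (
    "\\appdata\\local\\temp\\",  # per-user %TEMP% on Vista and later
    "\\windows\\temp\\",         # system-wide temp
)
# "XXXX.tmp.exe" with a short hex prefix is the shape GetTempFileName()
# produces; droppers commonly rename such a file to .exe and run it in place.
TMP_EXE_NAME = re.compile(r"(?:^|\\)[0-9a-f]{1,8}\.tmp\.exe\b")

O4_RUN_RE = re.compile(r"^O4 - .+?: \[[^\]]*\] (?P<cmd>.+)$")            # registry Run entries
O4_STARTUP_RE = re.compile(r"^O4 - Global Startup: .+? = (?P<cmd>.+)$")  # Startup-folder .lnk
O23_RE = re.compile(r"^O23 - Service: .+? - .+? - (?P<path>.+)$")        # name - vendor - path
PROC_HEADER = "Running processes:"

# Constructed sample: lines copied from the posted log (two suspect processes,
# benign processes and autostarts for contrast).
SAMPLE_LOG = r"""Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Users\Shabana\AppData\Local\Temp\CFEB.tmp.exe
C:\Users\Shabana\AppData\Local\Temp\b.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
"""


def suspect_reason(entry):
    """Return why `entry` (a path or a full command line) is suspicious, or None.

    Checking the whole command line, not just the first token, also catches
    rundll32/regsvr32 loading a DLL out of a temp directory.
    """
    e = entry.lower()
    if any(d in e for d in SUSPECT_DIRS):
        return "runs from temp directory"
    if TMP_EXE_NAME.search(e):
        return "temp-file naming pattern"
    return None


def parse_entries(log_text):
    """Yield (kind, entry) for running processes, O4 autostarts and O23 services."""
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == PROC_HEADER:
            in_procs = True
            continue
        if in_procs:
            if not line:            # a blank line ends the process list
                in_procs = False
            else:
                yield ("process", line)
            continue
        for kind, rx in (("run", O4_RUN_RE), ("run", O4_STARTUP_RE), ("service", O23_RE)):
            m = rx.match(line)
            if m:
                yield (kind, m.group(1))
                break


def triage(log_text):
    """Return [(kind, entry, reason)] for every entry that trips a heuristic."""
    hits = []
    for kind, entry in parse_entries(log_text):
        reason = suspect_reason(entry)
        if reason:
            hits.append((kind, entry, reason))
    return hits


if __name__ == "__main__":
    for kind, entry, reason in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}: {entry}")
```

Run against the posted log in full, it flags only the two process lines: no O4 or O23 entry references either Temp executable, so whatever launched them is not among the autostart locations HijackThis enumerates.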



#2 steamwiz


  • Members
  • 1,039 posts
  • OFFLINE

Posted 26 September 2008 - 03:46 PM

Hi

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware.



