
System Security pop up! Infected computer


1 reply to this topic

#1 sweetangel25


  • Members
  • 2 posts

Posted 24 December 2008 - 11:46 AM

My computer has this pop up window that constantly warns me that my computer is infected with a worm that's trying to access my credit card information and passwords stored on the computer. It asks that I immediately click on their link to buy their software or my computer will crash. It also says that it has found 38 viruses and that I need to act immediately before it's too late. I have McAfee antivirus and it has not gotten rid of the problem. The system is System Security for my PC supposedly. Please help. It tells me that the worm is Lsas.Blaster.Keyloger that is trying to gain access to my personal information. I've also done the Malwarebytes' Anti-Malware scan but it didn't help.



DDS (Version 1.1.0) - NTFSx86
Run by Gus at 8:02:02.90 on Wed 12/24/2008
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.201 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Documents and Settings\All Users\Application Data\1806819817\1248639046.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Gus\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Yahoo! Toolbar Helper: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe" -lang 1033
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NWEReboot]
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Lexmark X6100 Series] "c:\program files\lexmark x6100 series\lxbfbmgr.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [1248639046] "c:\documents and settings\all users\application data\1806819817\1248639046.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
StartupFolder: c:\docume~1\gus\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 207656]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-5-12 611664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\mcafee\siteadvisor\McSACore.exe" [2008-12-23 206112]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-12-23 358736]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-12-23 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-12-23 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-23 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-23 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-23 40488]
S2 0205061230078415mcinstcleanup;McAfee Application Installer Cleanup (0205061230078415);c:\docume~1\gus\locals~1\temp\020506~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service []
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-23 34152]

=============== Created Last 30 ================

2008-12-23 19:30 <DIR> --d----- c:\docume~1\gus\applic~1\Malwarebytes
2008-12-23 19:30 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-23 19:30 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-23 19:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-23 19:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-23 16:37 5,313 a------- c:\windows\system32\Config.MPF
2008-12-23 16:27 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2008-12-23 16:27 79,240 a------- c:\windows\system32\drivers\mfeavfk.sys
2008-12-23 16:27 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2008-12-23 16:27 120,136 a------- c:\windows\system32\drivers\Mpfp.sys
2008-12-23 16:25 <DIR> --d----- c:\program files\common files\McAfee
2008-12-23 16:25 <DIR> --d----- c:\program files\McAfee.com
2008-12-23 16:24 <DIR> --d----- c:\program files\McAfee
2008-12-23 16:18 34,152 a------- c:\windows\system32\drivers\mferkdk.sys
2008-12-23 12:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\1806819817
2008-11-25 09:02 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2008-11-25 09:02 138,496 -c------ c:\windows\system32\dllcache\afd.sys
2008-11-25 09:02 333,824 -c------ c:\windows\system32\dllcache\srv.sys
2008-11-25 09:01 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
2008-11-25 09:01 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-25 09:01 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-25 09:01 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-25 09:01 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-25 09:01 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2008-11-25 09:00 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-25 09:00 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2008-11-25 09:00 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2008-11-25 08:39 <DIR> --d----- c:\windows\system32\scripting
2008-11-25 08:39 <DIR> --d----- c:\windows\l2schemas
2008-11-25 08:39 <DIR> --d----- c:\windows\system32\en
2008-11-25 08:39 <DIR> --d----- c:\windows\system32\bits

==================== Find3M ====================

2008-11-25 08:51 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 12:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-03 02:02 247,326 a------- c:\windows\system32\strmdll.dll

============= FINISH: 8:03:51.14 ===============

#2 sjpritch25


  • Security Colleague
  • 911 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 05 January 2009 - 10:04 PM

Welcome to BC :thumbsup:


Sorry for the delay, we have been extremely busy. Since it's been a few weeks, please post a fresh DDS log. Thanks
Microsoft MVP Consumer Security--2007-2010



