Infected -System Security Ver. 4.51!@? -wallpaper+popups


9 replies to this topic

#1 justtani

  • Members
  • 5 posts

Posted 14 June 2009 - 10:03 PM

I do not know how this started or exactly what it is because it's on my 17yo daughter's laptop not mine thankfully. She came to me in tears, "Mom, I have a viruuuus!". Now she seems to be going through anime withdrawals so ->
I booted her laptop in safe mode - ran RogueFix which found nothing. Tried normal mode and it seems to have overtaken everything... firefox, ie, the wallpaper, all saying the machine is infected yada yada... the only thing I could catch that seemed to indicate a name was System Security Version 4.51.
In her add/remove programs I found and removed 3 things; Internet Speed Monitor, Search Assist, and URL Assistant. These left the list but may not be gone; just thought it might help to include that detail.
I'm working from my netbook to post here because her machine is so annoying with these symptoms... I used a jump drive to transfer dds to her machine with it in safe mode and ran it, saved the logs to the jump drive and will post them here via my netbook - I'm worried that I should have run the dds in normal mode but did it in safe mode instead so if I need to do it again let me know and I will- btw I think what you guys do is fantastic, and I thank you in advance for your help. Without further ado here is the dds log:


DDS (Ver_09-05-14.01) - NTFSx86 NETWORK
Run by Noel at 20:24:14.48 on Sun 06/14/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1.#QNAN.565 [GMT -6:00]

AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Noel\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uWindow Title = Windows Internet Explorer provided by Yahoo!
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {8f8a7ce5-afb9-4c8b-8bcf-2a747c3da922} - c:\windows\system32\opnkjJyY.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [CTCheck] c:\program files\creative\creative zen\zen media explorer\CTCheck.exe
mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"
mRun: [16343434] c:\documents and settings\all users\application data\16343434\16343434.exe
mRun: [96353426] c:\documents and settings\all users\application data\96353426\96353426.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by122fd.bay122.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - No File
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\opnkjJyY

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\noel\applic~1\mozilla\firefox\profiles\l5jw6l4g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - 80.238.136.213:80
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.00.13);user_pref(general.useragent.extra.zencast,
============= SERVICES / DRIVERS ===============

S2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\microsoft windows onecare live\OcHealthMon.exe [2009-3-22 24936]
S3 XDva134;XDva134;\??\c:\windows\system32\xdva134.sys --> c:\windows\system32\XDva134.sys [?]

=============== Created Last 30 ================

2009-06-12 16:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\96353426
2009-06-12 16:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\16343434
2009-06-04 13:48 3,247 a------- c:\windows\system32\wbem\Outlook_01c9e54d754d1c00.mof
2009-06-02 19:59 552 a------- c:\windows\system32\DO_NOT_DELETE.backupSetID
2009-05-28 22:19 <DIR> --dsh--- c:\documents and settings\noel\IECompatCache
2009-05-28 21:58 <DIR> --dsh--- c:\documents and settings\noel\PrivacIE
2009-05-25 09:04 <DIR> --dsh--- c:\documents and settings\noel\IETldCache
2009-05-25 00:44 <DIR> --d----- c:\windows\ie8updates
2009-05-25 00:43 102,400 -------- c:\windows\system32\dllcache\iecompat.dll
2009-05-25 00:39 78,336 a------- c:\windows\system32\ieencode.dll
2009-05-25 00:39 78,336 a------- c:\windows\system32\dllcache\ieencode.dll

==================== Find3M ====================

2009-04-21 14:38 32,628 a------- c:\docume~1\noel\applic~1\wklnhst.dat
2009-03-21 08:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-01-10 23:47 673,574 a--sh--- c:\windows\system32\YyJjknpo.ini2
2009-01-11 15:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011120090112\index.dat

============= FINISH: 20:26:18.26 ===============
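A triage script for the DDS log above, added here as an example and not part of the thread or of the DDS tool: it encodes as rules the indicators a helper reads off this log by eye (security products reported disabled, numeric-named Run entries launching from Application Data, a non-default LSA authentication package and the BHO that shares its file name, orphaned BHOs, and a forced Firefox proxy). The sample lines are constructed from the log posted above; the regexes assume the pseudo-HJT line shapes seen in it.

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Sample input constructed from the DDS log posted in this thread.
SAMPLE_LOG = r"""
AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {8f8a7ce5-afb9-4c8b-8bcf-2a747c3da922} - c:\windows\system32\opnkjJyY.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [16343434] c:\documents and settings\all users\application data\16343434\16343434.exe
mRun: [96353426] c:\documents and settings\all users\application data\96353426\96353426.exe
LSA: Authentication Packages = msv1_0 c:\windows\system32\opnkjJyY
FF - prefs.js: network.proxy.http - 80.238.136.213:80
FF - prefs.js: network.proxy.type - 1
"""

# Line shapes assumed from the DDS pseudo-HJT section (not an official grammar).
AVFW_RE = re.compile(r"^(?P<kind>AV|FW): (?P<name>.*?) \*(?P<state>[^*]*)\*")
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?:.*: )?\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
LSA_RE = re.compile(r"^LSA: Authentication Packages = (?P<pkgs>.*)$")
FFPREF_RE = re.compile(r"^FF - prefs\.js: (?P<key>\S+) - (?P<value>.*)$")


def triage(log_text: str) -> List[Finding]:
    """Return (severity, message) findings for a DDS-style log."""
    findings: List[Finding] = []
    lsa_extra: List[str] = []
    bhos: List[Tuple[str, str]] = []
    ff_prefs: Dict[str, str] = {}

    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := AVFW_RE.match(line)):
            # DDS prints the product state between asterisks.
            if "disabled" in m["state"].lower():
                findings.append(("high", f"{m['kind']} {m['name']}: {m['state']}"))
        elif (m := RUN_RE.match(line)):
            # Numeric-only Run names whose path repeats the number (the
            # 16343434 / 96353426 pattern in this log) are not legitimate software.
            name, cmd = m["name"], m["cmd"]
            if name.isdigit() and name in cmd.lower():
                findings.append(("high", f"Run entry [{name}] launches {cmd}"))
        elif (m := BHO_RE.match(line)):
            bhos.append((m["clsid"], m["path"]))
        elif (m := LSA_RE.match(line)):
            # msv1_0 is the stock package; anything appended loads into LSASS.
            lsa_extra = [p for p in m["pkgs"].split() if p.lower() != "msv1_0"]
        elif (m := FFPREF_RE.match(line)):
            ff_prefs[m["key"]] = m["value"]

    for pkg in lsa_extra:
        findings.append(("critical", f"Extra LSA authentication package: {pkg}"))
        stem = pkg.rsplit("\\", 1)[-1].lower()
        # Correlate: a BHO backed by the same DLL is the same component.
        for clsid, path in bhos:
            if path.lower().endswith(stem + ".dll"):
                findings.append(("critical", f"BHO {{{clsid}}} loads the same file: {path}"))

    for clsid, path in bhos:
        if path == "No File":
            findings.append(("low", f"Orphaned BHO {{{clsid}}}"))

    # network.proxy.type 1 = manual proxy; with an http proxy set, all
    # Firefox traffic is routed through that address.
    if ff_prefs.get("network.proxy.type") == "1" and "network.proxy.http" in ff_prefs:
        findings.append(("high", f"Firefox forced through proxy {ff_prefs['network.proxy.http']}"))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_LOG):
        print(f"[{sev:8}] {msg}")
    print(severity_counts(triage(SAMPLE_LOG)))
```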


#2 Buckeye_Sam

    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 15 June 2009 - 11:09 AM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.




We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 justtani

  • Topic Starter
  • Members
  • 5 posts

Posted 15 June 2009 - 01:45 PM

ok, I downloaded malwarebytes to my usb drive and then booted the infected pc in safe mode with networking... copied the setup file to the desktop and double clicked to install. got the hourglass like it was going to install but nothing happened so I'm rebooting in normal mode to try again to install. This takes forever due to whatever is loading or trying to load I'm guessing; I will try to explain; The cursor turns to the hourglass and arrow, while the desktop icons and wallpaper are there, the taskbar, time, and start button are all blocked out with solid blue and while the touchpad responds, nothing is accessible and no key combos work to open the task manager, win explorer or start menu... ten minutes later ... power off.... wait 5 minutes and power back on.
and here we go... it won't let anything run. when I try to open the malwarebytes file it tells me that "application cannot be executed. The file mbam-setup.exe is infected Please activate your antivirus software" It is System Security 2009 it is blocking everything and I don't know how to get it to stop. It keeps opening browser windows, and is even blocking me from running the taskmanager. What do I do now?

#4 Buckeye_Sam

    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 June 2009 - 08:49 AM

Let's work around that little issue for now and then we'll come back to malwarebytes shortly.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.



========================================================

#5 justtani

  • Topic Starter
  • Members
  • 5 posts

Posted 16 June 2009 - 11:43 AM

OK Sam (thank you again) and here we go.. in safe mode with networking - I renamed combofix - combo-fix and tried to run it. Got the error that Live OneCare was still running so using the run / cmd /
sc config msfwhlpr start= disabled
sc config msfwdrv start= disabled
sc config msfwsvc start= disabled
sc config mpfilter start= disabled
sc config onecaremp start= disabled
sc config winss start= disabled
Restarted and began combofix

Again received the error that Live OneCare was still running - but I know that it isn't so I let combofix run.

Recovery console needed to install so I did that and Restarted. This time there was a new option in the os boot menu = recovery console... I chose XP instead because I was not sure o.O Now combofix is running.... it found a bunch of files and -> completed all its stages and -> rebooted the machine. ->->AND here is your log :thumbup2: I hope someone is proud of me :)

ComboFix 09-06-15.07 - Noel 06/16/2009 10:22.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.726 [GMT -6:00]
Running from: c:\documents and settings\Noel\Desktop\Combo-Fix.exe
AV: Windows Live OneCare *On-access scanning enabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\16343434
c:\documents and settings\All Users\Application Data\96353426
c:\windows\system32\drivers\kungsfwepljkjt.sys
c:\windows\system32\drivers\UACvbwdooqroairkaj.sys
c:\windows\system32\UACdadmjbvajpkpmbr.dll
c:\windows\system32\UACfktpjplwuuhtseo.dat
c:\windows\system32\UACfrjeuwauhqanhnv.dll
c:\windows\system32\UACmpecvvimpokaavn.dll
c:\windows\system32\UACoktddsksmlhxiil.log
c:\windows\system32\UACoportnxngtaqomi.dll
c:\windows\system32\UACoyrnkoctjvkheir.db
c:\windows\system32\UACslterxghcoomckm.dll
c:\windows\system32\UACwfnhgoxdybsxnky.log
c:\windows\system32\UACxeqirbdkhjduoch.log
c:\windows\system32\UACxxgqxsahsnlnmxk.dll
c:\documents and settings\All Users\Application Data\16343434\16343434.exe
c:\documents and settings\All Users\Application Data\16343434\16343434.glu
c:\documents and settings\All Users\Application Data\16343434\pc16343434cnf
c:\documents and settings\All Users\Application Data\16343434\pc16343434ins
c:\documents and settings\All Users\Application Data\96353426\96353426.exe
c:\windows\system32\btksufid.ini
c:\windows\system32\drivers\kungsfwepljkjt.sys
c:\windows\system32\drivers\UACvbwdooqroairkaj.sys
c:\windows\system32\kungsfbdmyujkc.dll
c:\windows\system32\kungsfgowkdjel.dll
c:\windows\system32\kungsfxyheepin.dat
c:\windows\system32\SKYNETlog.dat
c:\windows\system32\UACdadmjbvajpkpmbr.dll
c:\windows\system32\UACfktpjplwuuhtseo.dat
c:\windows\system32\UACfrjeuwauhqanhnv.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACmpecvvimpokaavn.dll
c:\windows\system32\UACoktddsksmlhxiil.log
c:\windows\system32\UACoportnxngtaqomi.dll
c:\windows\system32\UACoyrnkoctjvkheir.db
c:\windows\system32\UACslterxghcoomckm.dll
c:\windows\system32\uactmp.db
c:\windows\system32\UACwfnhgoxdybsxnky.log
c:\windows\system32\UACxeqirbdkhjduoch.log
c:\windows\system32\UACxxgqxsahsnlnmxk.dll
c:\windows\system32\YyJjknpo.ini
c:\windows\system32\YyJjknpo.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Service_kungsflmcuamuo


((((((((((((((((((((((((( Files Created from 2009-05-16 to 2009-06-16 )))))))))))))))))))))))))))))))
.

2009-06-16 15:45 . 2009-06-16 16:00 19968 ----a-w- c:\windows\system32\SKYNETrk.sys
2009-06-16 15:45 . 2009-06-16 16:00 20992 ----a-w- c:\windows\system32\SKYNETwsp.dll
2009-06-15 19:00 . 2009-06-15 19:00 -------- d-----w- c:\windows\LastGood.Tmp
2009-06-12 22:23 . 2009-06-12 22:23 20992 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OneCare Protection\LocalCopy\{9712BBE9-4516-2A2E-04D1-6834A19494F4}-kungsfbdmyujkc.dll
2009-06-12 22:23 . 2009-06-12 22:23 20992 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OneCare Protection\LocalCopy\{59C1DFCE-B5AD-F204-C713-C7B4FA0CC422}-kungsfgowkdjel.dll
2009-06-12 22:23 . 2009-06-12 22:23 20992 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OneCare Protection\LocalCopy\{1FC01D83-A72C-191B-F04F-A250D8669D88}-kungsfbdmyujkc.dll
2009-06-12 21:41 . 2009-06-12 21:41 -------- d-----w- c:\documents and settings\Administrator\.fltk
2009-06-04 08:39 . 2009-06-04 08:39 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-06-04 08:39 . 2009-06-04 08:39 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-06-04 02:01 . 2009-06-04 02:01 67072 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OneCare Protection\LocalCopy\{B470AF1C-7D82-D436-3927-AAC25D7176A7}-kungsfwepljkjt.sys
2009-06-04 02:01 . 2009-06-04 02:01 22016 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OneCare Protection\LocalCopy\{A454C2D7-3F0C-9F0E-8322-F01A6AC16D27}-kungsfgowkdjel.dll
2009-06-04 02:01 . 2009-06-04 02:01 19456 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OneCare Protection\LocalCopy\{734DD65B-71DD-4569-B116-0A6CB4CD108C}-kungsfbdmyujkc.dll
2009-06-03 23:53 . 2009-06-03 23:53 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-05-29 04:19 . 2009-05-29 04:19 -------- d-sh--w- c:\documents and settings\Noel\IECompatCache
2009-05-29 03:58 . 2009-05-29 03:58 -------- d-sh--w- c:\documents and settings\Noel\PrivacIE
2009-05-25 15:04 . 2009-05-25 15:04 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-05-25 15:04 . 2009-05-25 15:04 -------- d-sh--w- c:\documents and settings\Noel\IETldCache
2009-05-25 06:44 . 2009-06-12 22:00 -------- d-----w- c:\windows\ie8updates
2009-05-25 06:43 . 2009-04-25 05:30 102400 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-05-25 06:39 . 2009-02-20 18:09 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-05-25 06:39 . 2009-02-20 18:09 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-15 19:01 . 2008-11-23 01:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-15 19:01 . 2006-12-09 11:03 -------- d-----w- c:\program files\Microsoft Works
2009-06-15 18:30 . 2009-01-11 04:25 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2009-05-29 18:46 . 2007-02-03 03:04 -------- d-----w- c:\documents and settings\Noel\Application Data\Azureus
2009-05-25 16:40 . 2006-12-26 04:46 91464 ----a-w- c:\documents and settings\Noel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-21 20:38 . 2006-12-26 05:36 32628 ----a-w- c:\documents and settings\Noel\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-11 136600]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-03-22 63864]
"MRT"="c:\windows\system32\MRT.exe" [2009-06-01 23635392]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-09-22 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-12-9 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager

S2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [3/22/2009 10:59 AM 24936]
S3 XDva134;XDva134;\??\c:\windows\system32\XDva134.sys --> c:\windows\system32\XDva134.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MDMXSDK
.
- - - - ORPHANS REMOVED - - - -

BHO-{8F8A7CE5-AFB9-4C8B-8BCF-2A747C3DA922} - c:\windows\system32\opnkjJyY.dll
HKLM-Run-16343434 - c:\documents and settings\All Users\Application Data\16343434\16343434.exe
HKLM-Run-96353426 - c:\documents and settings\All Users\Application Data\96353426\96353426.exe
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-16 10:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-16 10:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-16 16:33

Pre-Run: 42,086,821,888 bytes free
Post-Run: 42,043,281,408 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

183 --- E O F --- 2009-06-15 19:02


SO now what? I'm not touching the thing till you tell me to :)

#6 Buckeye_Sam

    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 June 2009 - 05:06 PM

Great job! :thumbup2:

Now that we've got rid of those nasty rootkit files, let's go back to malwarebytes.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.


========================================================

#7 justtani
  • Topic Starter
  • Members
  • 5 posts

Posted 17 June 2009 - 12:48 PM

Hi, thank you so much for your help with my computer! You're amazing. My mum wanted me to post this last log just to make sure she did everything alright and there wasn't anything else she needed to do =)

Malwarebytes' Anti-Malware 1.37
Database version: 2293
Windows 5.1.2600 Service Pack 3

6/16/2009 11:36:53 PM
mbam-log-2009-06-16 (23-36-53).txt

Scan type: Quick Scan
Objects scanned: 90538
Time elapsed: 3 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\SKYNETrk.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETwsp.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
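As an added example (not code from this thread or from Malwarebytes), here is a small Python parser for the MBAM 1.x log format shown above. It reads the category counts and the per-item detection lines, checks that the counts agree with the items actually listed, flags Security Center tampering such as the AntiVirusDisableNotify entry (Bad: 1 means the "antivirus disabled" alert had been switched off), and lists anything MBAM did not quarantine. The embedded log is a constructed copy of the key lines of the log posted above; the function and field names are my own.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x log and sanity-check what it reports."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the key lines of the MBAM log posted in this thread,
# reproduced in the same layout so the parser can be run offline.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.37
Database version: 2293
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 90538
Time elapsed: 3 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\SKYNETrk.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETwsp.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
"""


@dataclass
class Detection:
    category: str                    # section name, e.g. "Files Infected"
    item: str                        # file path or registry path
    signature: str                   # MBAM detection name, e.g. "Trojan.TDSS"
    action: str                      # what MBAM did with the item
    bad_value: Optional[str] = None  # registry data items only
    good_value: Optional[str] = None


# "<item> (<signature>) -> <rest>"
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<sig>[^()]+)\) -> (?P<rest>.+)$")
# Registry data items carry the observed and expected values before the action.
DATA_RE = re.compile(r"^Bad: \((?P<bad>[^()]*)\) Good: \((?P<good>[^()]*)\) -> (?P<action>.+)$")
# Summary lines: "<category> Infected: <n>"
COUNT_RE = re.compile(r"^(?P<category>.+ Infected): (?P<n>\d+)$")


def parse_mbam_log(text: str) -> Tuple[Dict[str, int], List[Detection]]:
    """Return (summary counts by category, list of detections)."""
    counts: Dict[str, int] = {}
    detections: List[Detection] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None            # a blank line ends the current section
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m.group("category")] = int(m.group("n"))
            continue
        if line.endswith("Infected:"):
            section = line[:-1]       # section header without the colon
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue                  # unrecognised line inside a section
        rest = m.group("rest")
        d = DATA_RE.match(rest)
        if d:
            detections.append(Detection(section, m.group("item"), m.group("sig"),
                                        d.group("action").rstrip("."),
                                        d.group("bad"), d.group("good")))
        else:
            detections.append(Detection(section, m.group("item"), m.group("sig"),
                                        rest.rstrip(".")))
    return counts, detections


def counts_consistent(counts: Dict[str, int], detections: List[Detection]) -> bool:
    """True when every summary count matches the number of items listed for it."""
    per_cat: Dict[str, int] = {}
    for d in detections:
        per_cat[d.category] = per_cat.get(d.category, 0) + 1
    return all(per_cat.get(cat, 0) == n for cat, n in counts.items())


def security_center_tampering(detections: List[Detection]) -> List[str]:
    """Items showing that Windows Security Center alerts were switched off."""
    return [d.item for d in detections
            if d.signature.startswith("Disabled.") or "Security Center" in d.item]


def unresolved(detections: List[Detection]) -> List[str]:
    """Items MBAM reported but did not quarantine (worth a follow-up scan)."""
    return [d.item for d in detections if not d.action.startswith("Quarantined")]


if __name__ == "__main__":
    counts, dets = parse_mbam_log(SAMPLE_LOG)
    print("counts consistent:", counts_consistent(counts, dets))
    print("security center tampering:", security_center_tampering(dets))
    print("unresolved:", unresolved(dets))
```

Run it on a saved mbam-log-*.txt by replacing SAMPLE_LOG with the file contents; an empty unresolved list together with consistent counts is what a clean run like the one above looks like.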

#8 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 18 June 2009 - 09:23 AM

If everything seems to be acting normally again let's go ahead and clean up and then I'll post some final recommendations for you.


We need to remove Combofix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK




==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable System Restore here:

    Windows XP System Restore Guide

    Re-enable System Restore using the instructions from the tutorial above.

  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbup2: :)


========================================================

#9 justtani
  • Topic Starter
  • Members
  • 5 posts

Posted 18 June 2009 - 08:27 PM

I did everything you suggested and while I wouldn't say it's as good as new, my computer is certainly running much better from what I can tell. Thank you again and again and again for all your help! I really appreciate you taking the time to help me. Thanks so much!

#10 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 19 June 2009 - 10:33 AM

I'm glad I could help you out! :thumbup2:

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================



