Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HELP!! PROTECTION SYSTEM ROGUE ANTI-VIRUS MALWARE MAKING ME INSANE!!!


  • This topic is locked This topic is locked
3 replies to this topic

#1 DannyGoncalves

DannyGoncalves

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:41 PM

Posted 26 June 2009 - 02:14 AM

Hi, as you can see by my Topic title, I am ready to tear my hair out trying to get this computer back to normal so any help would be GREATLY appriciated. My computer seems to be infected with a rogue anti-virus called Protection System, and it causes fake Windows Security Alerts to pop up every so often with claims that my computer is infected. Most forums I go to tell me that people who have this Malware can't search for help on Google, this is true in my case to a certain degree. Before EVERY link on Google I clicked made a pop up coming up, leading to some AD website called windowsupdate.com or something like that, but now it doesnt do that, but some websites are blocked and I find ways around them. On top of that after a couple of hours or so depending on the time, a system shutdown will start to countdown. Now most times I can avert this by simply clicking cancel whenever the task manager pop ups start occuring telling me to End Now and stuff, but sometimes it goes through. Also sometimes i'll get a process called IEXPLORE.EXE which I know isn't the REAL iexplore.exe because 1 it's UPPER CASE and 2 I use Opera, and the IEXPLORE.EXE will play random audio clips of commercials and scenes and stuff like that and I have to end the processes from the Task Manager. Also I have weird processes like: wscsvc32.exe, g106p.exe, freddy41.exe etc etc. I downloaded Malwarebytes but I had to save it and run it from my external hard drive because if i save it on my normal hard drive it wont run, even when I rename the file and change the exe to .bat or .pif or something like that. I've run Malwarebytes, and Spyware Search and Destroy. they've all found problems and deleted them and the computer will be fixed to a certain degree but Malwarebytes will get rid of most of the problems and it says that it can't delete a file called uacinit.dll until I reboot the computer but when I do it just comes right backl, and the Protection System crap comes right back. I also have things like nudetube.com, pornotube.com and other icons of that nature that keep showing up on my desktop everytime I reboot the computer. Everyone tells me to run Combofix but I know not to run that without someone helping me throughout the way first so IF ANYONE CAN HELP ME IT WOULD BE GREATLY APPRICIATED!!!!

Here's my HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:58:56 AM, on 6/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\M-Audio\Fast Track Pro\MAUSBInst.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\windows\ld11.exe
C:\WINDOWS\System32\reader_s.exe
C:\windows\freddy47.exe
C:\Documents and Settings\Compaq_Owner\reader_s.exe
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\g1o6p.exe
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\g1o6p.exe
C:\Documents and Settings\Compaq_Owner\reader_s.exe
C:\Program Files\Belkin 2\F5D 9050\Belkinwcui.exe
C:\WINDOWS\system32\wscsvc32.exe
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\g1o6p.exe
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\g1o6p.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.bat.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: C:\WINDOWS\system32\gsf83iujid.dll - {B2C7B2A1-00F3-42BD-F434-00AABA2C8952} - C:\WINDOWS\system32\gsf83iujid.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [3296] C:\WINDOWS\system32\5.tmp.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld11.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy47.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\g1o6p.exe
O4 - HKCU\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\g1o6p.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Compaq_Owner\reader_s.exe
O4 - HKUS\S-1-5-21-1320004798-1412856269-1813535410-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1320004798-1412856269-1813535410-1009\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1320004798-1412856269-1813535410-1009\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (User '?')
O4 - HKUS\S-1-5-21-1320004798-1412856269-1813535410-1009\..\Run: [] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\g1o6p.exe (User '?')
O4 - HKUS\S-1-5-21-1320004798-1412856269-1813535410-1009\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\g1o6p.exe (User '?')
O4 - HKUS\S-1-5-21-1320004798-1412856269-1813535410-1009\..\Run: [reader_s] C:\Documents and Settings\Compaq_Owner\reader_s.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Compaq_Owner\reader_s.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Compaq_Owner\reader_s.exe (User 'Default user')
O4 - S-1-5-21-1320004798-1412856269-1813535410-1009 Startup: Compaq Organize.lnk = ? (User '?')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Compaq Organize.lnk = ?
O4 - Global Startup: Belkin Wireless Client Utility.lnk = C:\Program Files\Belkin 2\F5D 9050\Belkinwcui.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\Winzip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: __c006AA6A - C:\WINDOWS\system32\__c006AA6A.dat (file missing)
O20 - Winlogon Notify: __c00CE870 - C:\WINDOWS\system32\__c00CE870.dat (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: M-Audio USB Installer (MAudioUSBService) - M-Audio - C:\Program Files\M-Audio\Fast Track Pro\MAUSBInst.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11620 bytes

PLEASE PEOPLE ONCE AGAIN ANY HELP WOULD BE HIGHLY APPRICIATED!! I'M DOWN TO MY LAST RESORT HERE!

BC AdBot (Login to Remove)

 


#2 DannyGoncalves

DannyGoncalves
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:41 PM

Posted 26 June 2009 - 02:21 AM

Also here is my Malwarebytes LOG as well:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

6/26/2009 3:15:19 AM
mbam-log-2009-06-26 (03-15-19).txt

Scan type: Quick Scan
Objects scanned: 116506
Time elapsed: 14 minute(s), 27 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 8
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 43

Memory Processes Infected:
C:\WINDOWS\freddy47.exe (Worm.KoobFace) -> Unloaded process successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\Compaq_Owner\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b2c7b2a1-00f3-42bd-f434-00aaba2c8952} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b2c7b2a1-00f3-42bd-f434-00aaba2c8952} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b2c7b2a1-00f3-42bd-f434-00aaba2c8952} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\protection system (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c006aa6a (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00ce870 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Protect (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsf7husjnfg98gi498aejhiugjkdg4 (Trojan.Downloader) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help\images (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help\images\buttons (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\documents and settings\All Users\Start Menu\Programs\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Compaq_Owner\reader_s.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system32\reader_s.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\7.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\8.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\C.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\E.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wingenocx.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\protect.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\compaq_owner\local settings\temporary internet files\Content.IE5\D7DMRF0A\mal[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\program files\protection system\blacklist.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\core.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\coreext.dll (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\firewall.dll (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\psystem.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\uninstall.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help\support.png (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help\unreg.html (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help\images\delete.png (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help\images\info.png (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help\images\plus_circle.png (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help\images\tick.png (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help\images\warn.png (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help\images\buttons\offline.gif (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help\images\buttons\online.gif (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\Help\images\buttons\voice.gif (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\protection system\Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\protection system\Uninstall Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\g1o6p.exe (Trojan.Downloader) -> Delete on reboot.
c:\WINDOWS\freddy46.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\freddy47.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\ld11.exe (Backdoor.Bot) -> Delete on reboot.
c:\WINDOWS\mstre19.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\higeorge12.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\him2.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\All Users\Desktop\Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\WINDOWS\bf23567.dat (Worm.KoobFace) -> Quarantined and deleted successfully.

Hello DannyGoncalves,

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Regards,

The weatherman
(Moderator)

Edited by The weatherman, 26 June 2009 - 02:29 PM.


#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:41 AM

Posted 30 June 2009 - 08:11 PM

Hello DannyGoncalves,

Posted Image

Sorry about the delay.:thumbup2: I'm afraid it isn't good news. :)

Your System is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
Immediately before the encrypted code at the end of the last section
At the end of the code section of the infected host in 'slack-space' (assuming there is any)
At the original entry point of the host (overwriting the original host code)


Miekiemoes, one of our team members here and an MS-MVP, additionally has a blog post about Virut.

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:41 AM

Posted 06 July 2009 - 06:52 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users