Infected by Winifighter antivirus scam


This topic is locked
2 replies to this topic

#1 faery_gold
  • Members
  • 1 posts

Posted 06 July 2009 - 09:12 AM

Hi,

My friend has a problem with his laptop. Two days ago Windows Security Center informed him that his laptop had various trojans attacking it and suggested he download Winifighter to fix the problem. Obviously, once he started the Winifighter download it asked him to pay $50, so he cancelled the installation. Since then he has had constant security alerts (every 2 minutes) warning of virus attacks. I've tried to load Malwarebytes, Spybot and AVG Free to get rid of the viruses, but none of the software will load. I can get them to install, but the application never opens. I'm at the end of my tether with this and so far I can't find a fix on the internet. Please help!!


DDS (Ver_09-06-26.01) - NTFSx86
Run by user at 15:02:54.64 on 06/07/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1015.604 [GMT 1:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D4\D4.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\setup2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\system32\sndvol32.exe
E:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://home.alot.com/?client_id=9C925BC001C9E3AB000D2105&install_time=02-06-2009:18:57&src_id=11170&camp_id=427&tb_version=2.4.4.414
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: ALOT Toolbar BHO: {14ceeaff-96dd-4101-ae37-d5ecdc23c3f6} - c:\program files\alot\bin\alot.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.5.0.134\IPSBHO.DLL
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [TransparentIcons]
uRun: [BlockAds]
uRun: [Tweak-XP]
uRun: [TransTask]
uRun: [setup2.exe] c:\windows\system32\setup2.exe
uRun: [WiniFighter] c:\program files\winifighter software\winifighter\WiniFighter.exe -min
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16
mRun: [lxcgmon.exe] "c:\program files\lexmark 2300 series\lxcgmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 2300 series\ezprint.exe"
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Dimension4] c:\program files\d4\D4.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [<NO NAME>]
StartupFolder: c:\docume~1\user\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241863046062
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.206,85.255.112.116
TCP: {3AE9D45E-864E-45C0-BCB8-A7661B29AB82} = 85.255.112.206,85.255.112.116
TCP: {B8514585-6D50-4780-9BCF-DEB2FA8A3884} = 85.255.112.206,85.255.112.116
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-4-20 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2009-4-20 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2009-4-20 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090625.003\IDSXpx86.sys [2009-7-2 276344]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.5.0.134\ccSvcHst.exe [2009-4-20 115560]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2009-6-1 2368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-4-18 101936]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2008-10-21 87936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090703.049\NAVENG.SYS [2009-7-4 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090703.049\NAVEX15.SYS [2009-7-4 876144]

=============== Created Last 30 ================

2009-07-06 14:50 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-07-06 14:48 <DIR> --d----- c:\windows\ERUNT
2009-07-06 14:42 <DIR> --d----- C:\SDFix
2009-07-06 14:28 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-06 14:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-06 14:19 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-06 14:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-06 14:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-06 14:19 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-06 13:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-07-06 12:51 0 a------- c:\windows\system32\commonpriv.log.lock
2009-07-06 12:49 <DIR> --d----- c:\program files\AVG
2009-07-06 12:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-07-05 21:35 17,008 a------- c:\windows\19d09zr5600.dll
2009-07-03 06:37 5,817 a------- c:\windows\system32\5596zspy493.ocx
2009-07-02 00:34 15,506 a------- c:\windows\2080znot-a-9irus55b.dll
2009-07-01 13:34 17,802 a------- c:\windows\15659spambot3ez.ocx
2009-06-27 09:34 17,708 a------- c:\windows\14zot-a-viru53a9.cpl
2009-06-26 06:14 9,664 a------- c:\windows\system32\6e36s5z9se2483.exe
2009-06-25 13:22 <DIR> --dsh--- c:\documents and settings\user\PrivacIE
2009-06-25 13:21 <DIR> --dsh--- c:\documents and settings\user\IETldCache
2009-06-25 13:13 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-25 13:13 <DIR> --d----- c:\windows\ie8updates
2009-06-25 13:13 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-25 13:13 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-25 13:10 <DIR> -cd-h--- c:\windows\ie8
2009-06-25 06:31 13,806 a------- c:\windows\3z22wo9m65.exe
2009-06-23 20:47 12,488 a------- c:\windows\908b5ck9zor1554.dll
2009-06-23 20:13 2,930 a------- c:\windows\system32\6588steal2z96.dll
2009-06-22 08:32 13,908 a------- c:\windows\system32\19765szy359.exe
2009-06-20 03:23 11,553 a------- c:\windows\system32\5e8cbzckdoor1939.exe
2009-06-17 12:39 8,988 a------- c:\windows\3z41th9ef315.exe
2009-06-17 02:43 9,042 a------- c:\windows\system32\c9d5hrza94083.dll
2009-06-16 18:38 8,800 a------- c:\windows\29231hazktool25b.ocx
2009-06-16 14:08 10,666 a------- c:\windows\system32\77bazir5956.cpl
2009-06-15 02:10 8,536 a------- c:\windows\system32\z929sparse1957.exe
2009-06-13 19:50 10,282 a------- c:\windows\system32\5a2fa95ware1800z.ocx
2009-06-13 11:10 11,428 a------- c:\windows\system32\z6195hief196.ocx
2009-06-13 02:02 15,381 a------- c:\windows\system32\z7505troj9e0.bin
2009-06-11 17:40 3,334 a------- c:\windows\system32\7dd9downz5ader1355.exe
2009-06-10 05:25 18,099 a------- c:\windows\system32\115z19irus465.dll
2009-06-07 00:24 7,517 a------- c:\windows\system32\9128tr5z8b.bin

==================== Find3M ====================

2009-06-06 13:08 15,531 a------- c:\windows\system32\26734virzs59c.exe
2009-06-04 09:02 9,219 a------- c:\windows\system32\1z159virus157.dll
2009-06-02 11:19 2,826 a------- c:\windows\276599rzj559.dll
2009-06-01 14:52 2,368 a------- c:\windows\system32\SVKP.sys
2009-06-01 13:32 5,735,304 a------- C:\Pareto_PC_Setup_RW.exe
2009-06-01 12:02 1,431,504 a------- C:\RegCureSetup_RW.exe
2009-05-25 11:17 16,079 a------- c:\windows\system32\7999th5ef3125z.exe
2009-05-22 00:39 15,332 a------- c:\windows\5907ad5warz786.bin
2009-05-21 13:23 11,157 a------- c:\windows\system32\1644395rusz94.bin
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-20 15:33 17,905 a------- c:\windows\system32\2f399ddwzr52133.dll
2009-05-20 09:22 15,078 a------- c:\windows\z1a6vi91905.exe
2009-05-20 04:26 16,815 a------- c:\windows\3019595rmb0z.bin
2009-05-19 13:37 15,797 a------- c:\windows\system32\62ee59wnlozder861.dll
2009-05-16 23:29 2,989 a------- c:\windows\5c95vir2537z.dll
2009-05-16 18:04 13,580 a------- c:\windows\659at9zeat30691.bin
2009-05-15 18:50 12,448 a------- c:\windows\958z6spy787.exe
2009-05-13 06:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-11 18:55 14,251 a------- c:\windows\7b9vzr5131.bin
2009-05-09 21:03 9,280 a------- c:\windows\176z1sp5339.exe
2009-05-09 17:36 11,460 a------- c:\windows\906no9-azvir5s51a.exe
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-05 12:11 12,770 a------- c:\windows\system32\1431s9a5sz1209.exe
2009-04-29 00:38 9,378 a------- c:\windows\19334s9y5az.bin
2009-04-25 07:46 12,879 a------- c:\windows\986fz5eal564.bin
2009-04-22 05:01 10,462 a------- c:\windows\1ze95ownloader2865.dll
2009-04-20 13:12 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-04-18 02:09 15,289 a------- c:\windows\267z1h5cktool1c39.dll
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-16 05:10 13,741 a------- c:\windows\z3900troj78d5.dll
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-14 03:58 9,900 a------- c:\windows\70e7adzw9re19485.dll
2009-04-13 17:55 16,854 a------- c:\windows\system32\5c27threatz82319.exe
2009-04-12 12:05 16,130 a------- c:\windows\4zc6t9ie52096.dll
2009-04-09 06:53 13,381 a------- c:\windows\53508not9z-virus3b4.exe
2003-03-16 03:00 7,216 a------- c:\windows\inf\RAMDISK.SYS

============= FINISH: 15:03:06.42 ===============
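As an added example for readers of this thread (it is not part of the original post, of the helper's reply, or of the DDS tool), the Python script below runs the three checks a log reader would do first against an excerpt of the log above: it splits the DDS output into its sections, reports hard-coded TCP NameServer entries that point at public addresses, lists Run-key entries that are empty or autostart an unexpected binary from system32, and picks out the small files written straight into C:\Windows and C:\Windows\system32 whose names look machine-generated. The size cap, the name heuristic and the short system32 allow-list are assumptions made for this example, not DDS behaviour.

```python
"""Triage checks for a DDS log like the one posted above. Added example: not
part of the thread and not a DDS feature; thresholds and the system32
allow-list are this example's own assumptions."""
import ipaddress
import re
from collections import defaultdict

# Excerpt copied from the posted log, trimmed to the lines the checks read.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TransparentIcons]
uRun: [setup2.exe] c:\windows\system32\setup2.exe
uRun: [WiniFighter] c:\program files\winifighter software\winifighter\WiniFighter.exe -min
mRun: [<NO NAME>]
TCP: NameServer = 85.255.112.206,85.255.112.116
=============== Created Last 30 ================
2009-07-06 14:50 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-07-06 14:48 <DIR> --d----- c:\windows\ERUNT
2009-07-05 21:35 17,008 a------- c:\windows\19d09zr5600.dll
2009-07-03 06:37 5,817 a------- c:\windows\system32\5596zspy493.ocx
2009-07-02 00:34 15,506 a------- c:\windows\2080znot-a-9irus55b.dll
2009-06-20 03:23 11,553 a------- c:\windows\system32\5e8cbzckdoor1939.exe
==================== Find3M ====================
2009-06-01 14:52 2,368 a------- c:\windows\system32\SVKP.sys
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-16 05:10 13,741 a------- c:\windows\z3900troj78d5.dll
============= FINISH: 15:03:06.42 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^([um]Run):\s*\[(.*?)\]\s*(.*)$")
NAMESERVER_RE = re.compile(r"^TCP:\s*NameServer\s*=\s*(.+)$")
FILE_RE = re.compile(r"^(\S+ \S+)\s+([\d,]+|<DIR>)\s+(\S+)\s+(.+)$")
TARGET_RE = re.compile(r'"?(.+?\.(?:exe|dll|scr|cpl))', re.I)
SYSTEM32_EXPECTED = {"ctfmon.exe", "igfxtray.exe", "hkcmd.exe", "igfxpers.exe"}  # assumed
DROP_DIRS = {r"c:\windows", r"c:\windows\system32"}
MAX_DROP_SIZE = 20_480  # bytes; every dropped file in the posted log is smaller

def split_sections(text):
    """Group lines under the '=== Name ===' header that precedes them."""
    sections, current = defaultdict(list), "HEADER"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
        elif line.strip():
            sections[current].append(line.rstrip())
    return sections

def dns_override(lines):
    """(all NameServer entries, those that are public addresses); a DHCP
    laptop normally has none, so public ones must be checked against the ISP."""
    for line in lines:
        m = NAMESERVER_RE.match(line)
        if m:
            servers = [s.strip() for s in m.group(1).split(",")]
            return servers, [s for s in servers if ipaddress.ip_address(s).is_global]
    return [], []

def suspicious_run_entries(lines):
    """Empty Run values and autostarts from system32 not on the allow-list."""
    hits = []
    for line in lines:
        m = RUN_RE.match(line)
        if not m:
            continue
        key, name, cmd = m.group(1), m.group(2), m.group(3).strip()
        if not cmd:
            hits.append((key, name, "empty value (orphaned entry)"))
            continue
        t = TARGET_RE.match(cmd)
        folder, _, base = (t.group(1) if t else cmd).lower().rpartition("\\")
        if folder == r"c:\windows\system32" and base not in SYSTEM32_EXPECTED:
            hits.append((key, name, "unexpected autostart from system32: " + base))
    return hits

def looks_generated(base):
    """Names like 19d09zr5600.dll: a filler 'z', two or more digit runs, only [0-9a-z-]."""
    stem = base.rsplit(".", 1)[0]
    return ("z" in stem and len(re.findall(r"\d+", stem)) >= 2
            and re.fullmatch(r"[0-9a-z-]+", stem) is not None)

def dropped_files(lines):
    """Small files written straight into C:\\Windows or system32 with generated names."""
    hits = []
    for line in lines:
        m = FILE_RE.match(line)
        if not m or m.group(2) == "<DIR>":
            continue
        size, path = int(m.group(2).replace(",", "")), m.group(4)
        folder, _, base = path.lower().rpartition("\\")
        if folder in DROP_DIRS and size <= MAX_DROP_SIZE and looks_generated(base):
            hits.append((m.group(1), path))
    return hits

def triage(text):
    """Run all three checks over one DDS log and return the findings."""
    s = split_sections(text)
    hjt = s.get("Pseudo HJT Report", [])
    servers, public = dns_override(hjt)
    return {"dns": {"servers": servers, "public": public},
            "run": suspicious_run_entries(hjt),
            "dropped": dropped_files(s.get("Created Last 30", []) + s.get("Find3M", []))}

if __name__ == "__main__":
    for check, findings in triage(SAMPLE_LOG).items():
        print(check, findings)
```

Run it as is to print the findings for the embedded excerpt, or pass the full text of a saved DDS log to triage(). The name heuristic is deliberately narrow (it wants a "z" plus two separate digit runs) so that Windows files such as win32k.sys or S32EVNT1.DLL are not reported; widen it with care, since every hit is something a helper will ask the poster to remove.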



#2 fenzodahl512
  • Members
  • 6,738 posts

Posted 09 July 2009 - 01:07 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from HERE or HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix (the original post illustrated this step with two screenshots).


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..



#3 fenzodahl512
  • Members
  • 6,738 posts

Posted 20 July 2009 - 04:02 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
