
SystemSecurity2009 infection



#1 geminisrevenge

  • Members
  • 1 posts

Posted 07 July 2009 - 06:39 PM

I've been trying to fix my parents' computer, which is rampant with spyware. Spybot and MalwareBytes will remove them, but then they come back. SystemSecurity2009 locks down the computer, changes the desktop wallpaper to a warning message ("warning! you're in danger!") and won't let you use the computer at all, unless you want to purchase their product. I disabled 14524684.exe in msconfig, and the wallpaper is back to normal and the computer is "functional" for the moment, but I'd like to get this truly fixed. Below is my DDS.txt; attach.txt is attached.
Thanks,
Michelle


DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 19:23:17.85 on Tue 07/07/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1362 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINNT\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe -k imgsvc
C:\WINNT\wanmpsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINNT\System32\svchost.exe -k HTTPFilter
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar =
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - No File
TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\winnt\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AVG8_TRAY] "c:\progra~1\avg\avg8\avgtray.exe"
IE: &Search - ?p=ZU
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\winnt\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1BAD0830-AC09-44FA-8A44-5365AEB45D11} - hxxp://www.mtv.com/overdrive/bin/setup.exe
DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} - hxxp://portal.uga.edu/nps/portal/gadgets/com.novell.nps.gadgets.shortcut.ShortcutGadget/LocalExec.CAB
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://download.yahoo.com/dl/installs/yinst.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} - hxxp://zone.msn.com/bingame/rock/default/popcaploader1.cab
DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} - hxxp://www.hpphoto.com/downloads/DownloadPhotos.cab
DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} - hxxp://zone.msn.com/bingame/zpagames/GAME_UNO1.cab53984.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - hxxp://www.installengine.com/engine/isetup.cab
DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} - hxxp://autos.msn.com/Components/Ocx/SurVid/MSSurVid.cab
DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} - hxxp://autos.msn.com/Components/Ocx/Exterior/Outside.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} - hxxp://www.linksysfix.com/netcheck/24/install/gtdownls.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\default.s7k\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\default.s7k\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npampx3.0.84.2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint_03050024.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [2009-3-22 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\winnt\system32\drivers\avgmfx86.sys [2009-3-22 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [2009-3-22 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-6-18 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-22 298776]
R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [2002-12-10 6736]
R2 WinDriver;WinDriver;c:\winnt\system32\drivers\windrvr.sys [2003-4-30 205188]
S2 6to4Alerter;IPv6 Helper Service 6to4Alerter;c:\winnt\system32\f.exe service --> c:\winnt\system32\f.exe service [?]
S2 muqtdygyvsfih;muqtdygyvsfih;\??\c:\winnt\system32\drivers\rrzcqoum.sys --> c:\winnt\system32\drivers\rrzcqoum.sys [?]
S2 WGKWJWYT;WGKWJWYT;\??\c:\winnt\system32\wgkwjwyt.yzj --> c:\winnt\system32\wgkwjwyt.yzj [?]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\qctest\pcdoc\pcdrdrv.sys --> c:\atf\qctest\pcdoc\PCDRDRV.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]

=============== Created Last 30 ================

2009-07-07 19:14 <DIR> --d----- c:\program files\Trend Micro
2009-07-07 11:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\14524684
2009-07-05 15:06 213,024 a------- c:\winnt\system32\drivers\str.sys
2009-06-18 08:14 <DIR> --d----- c:\docume~1\owner\applic~1\Research In Motion
2009-06-18 08:14 <DIR> --d----- c:\program files\Research In Motion
2009-06-18 08:14 <DIR> --d----- c:\program files\common files\Research In Motion
2009-06-18 08:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Research In Motion

==================== Find3M ====================

2009-07-06 08:14 335,752 a------- c:\winnt\system32\drivers\avgldx86.sys
2009-06-03 20:21 50,964 a---h--- c:\winnt\system32\mlfcache.dat
2009-06-02 16:53 11,952 a------- c:\winnt\system32\avgrsstx.dll
2009-06-02 16:53 108,552 a------- c:\winnt\system32\drivers\avgtdix.sys
2009-05-26 13:20 40,160 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\winnt\system32\drivers\mbam.sys
2009-05-07 11:44 344,064 a------- c:\winnt\system32\localspl.dll
2009-05-07 11:44 344,064 -------- c:\winnt\system32\dllcache\localspl.dll
2009-04-29 00:56 827,392 a------- c:\winnt\system32\wininet.dll
2009-04-29 00:56 827,392 -------- c:\winnt\system32\dllcache\wininet.dll
2009-04-29 00:56 233,472 -------- c:\winnt\system32\dllcache\webcheck.dll
2009-04-29 00:56 44,544 a------- c:\winnt\system32\dllcache\pngfilt.dll
2009-04-29 00:56 1,159,680 -------- c:\winnt\system32\dllcache\urlmon.dll
2009-04-29 00:56 671,232 -------- c:\winnt\system32\dllcache\mstime.dll
2009-04-29 00:56 105,984 -------- c:\winnt\system32\dllcache\url.dll
2009-04-29 00:56 102,912 -------- c:\winnt\system32\dllcache\occache.dll
2009-04-29 00:56 3,596,288 -------- c:\winnt\system32\dllcache\mshtml.dll
2009-04-29 00:56 477,696 -------- c:\winnt\system32\dllcache\mshtmled.dll
2009-04-29 00:56 193,024 -------- c:\winnt\system32\dllcache\msrating.dll
2009-04-28 05:05 70,656 -------- c:\winnt\system32\dllcache\ie4uinit.exe
2009-04-28 05:05 13,824 -------- c:\winnt\system32\dllcache\ieudinit.exe
2009-04-25 01:27 636,088 -------- c:\winnt\system32\dllcache\iexplore.exe
2009-04-25 01:26 161,792 -------- c:\winnt\system32\dllcache\ieakui.dll
2009-04-17 05:58 1,846,656 a------- c:\winnt\system32\win32k.sys
2009-04-17 05:58 1,846,656 -------- c:\winnt\system32\dllcache\win32k.sys
2009-04-15 11:11 584,192 a------- c:\winnt\system32\rpcrt4.dll
2009-04-15 11:11 584,192 -------- c:\winnt\system32\dllcache\rpcrt4.dll
2009-02-27 00:12 66,392 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2003-01-02 18:15 1,803,464 a------- c:\program files\Winzip.exe
2002-12-13 20:47 2,598,120 a------- c:\program files\aim.exe

============= FINISH: 19:26:15.01 ===============

#2 aommaster (I !<3 malware)

  • Malware Response Team
  • 5,294 posts
  • Location: Dubai

Posted 16 July 2009 - 09:53 AM

Hello, geminisrevenge.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so I can have a look at the current condition of your machine.

Thanks

Please note that I am in the process of my training, so it may take a while for me to get back to you, as each of my fixes needs to be checked by a coach first.

We need to run RSIT
  • Download random's system information tool (RSIT) by random/random and save it to your desktop.
  • Double click on RSIT.exe.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
In your next reply, please include the following:
  • Log.txt
  • info.txt

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 aommaster (I !<3 malware)

  • Malware Response Team
  • 5,294 posts
  • Location: Dubai

Posted 19 July 2009 - 04:27 AM

Hello geminisrevenge
Are you still with us?

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#4 Shaba (Koutsi)

  • Members
  • 7,872 posts
  • Location: Finland

Posted 21 July 2009 - 02:32 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security