
"PC Security 2009" even peskier


  • This topic is locked
3 replies to this topic

#1 The Flying Burrito

The Flying Burrito

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:09 PM

Posted 14 July 2009 - 03:50 PM

So I read this site's article relating to PC Security 2009. I downloaded Malwarebytes' Anti-Malware software. When it launches, everything's fine, but as soon as I perform a quick scan, the program self-destructs, essentially. After this, I cannot run MBAM because apparently "Windows doesn't have permission" or something along those lines. I think it might be related to PC Security, as this is the only trojan I currently have on my computer. I've dealt with it before on another computer of mine, but this time it has been more aggressive.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Cameron at 16:39:08.89 on Tue 07/14/2009
Internet Explorer: 8.0.6001.18702

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [braviax] c:\windows\system32\braviax.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [braviax] c:\windows\system32\braviax.exe
mRun: [sysldtray] c:\windows\ld12.exe
mRun: [PC Security 2009] "c:\program files\pc_security2009\PC_Security2009.exe" /hide
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\cameron\startm~1\programs\startup\starof~1.lnk - c:\program files\sun\staroffice 8\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-07-14 16:33 <DIR> --d----- c:\program files\PC_Security2009
2009-07-14 16:08 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-14 16:08 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-14 16:08 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-14 16:00 687,104 a------- c:\windows\isRS-000.tmp
2009-07-14 15:50 2 a------- c:\windows\0101120101464849.dat
2009-07-14 15:49 236,927 a------- c:\windows\system32\wisdstr.exe
2009-07-14 15:48 2 a------- c:\windows\010112010146118114.dat
2009-07-14 15:48 0 a------- C:\vphih.exe
2009-07-14 15:48 0 a------- C:\rtdasr.exe
2009-07-14 15:48 0 a------- C:\myacngu.exe
2009-07-14 15:48 29,184 a------- C:\gfub.exe
2009-07-14 15:48 2 a------- C:\-2079222618
2009-07-14 15:48 11,264 a------- C:\benfuse.exe
2009-07-14 15:48 27,648 a------- c:\windows\ld12.exe
2009-07-14 15:48 8,704 a------- c:\windows\system32\braviax.exe
2009-07-12 18:30 <DIR> --d----- c:\docume~1\cameron\applic~1\Malwarebytes
2009-07-12 18:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-11 19:43 <DIR> --dsh--- c:\documents and settings\cameron\IECompatCache
2009-07-11 19:42 0 a------- c:\windows\srn_1247355728.exe
2009-07-11 15:05 <DIR> --dsh--- c:\documents and settings\cameron\PrivacIE
2009-07-11 14:53 <DIR> --dsh--- c:\documents and settings\cameron\IETldCache
2009-07-11 14:51 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-07-11 14:51 <DIR> --d----- c:\windows\ie8updates
2009-07-11 14:51 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-07-11 14:51 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-07-11 14:48 <DIR> -cd-h--- c:\windows\ie8
2009-07-11 14:43 118 a------- c:\windows\system32\MRT.INI
2009-07-11 14:27 29 a------- c:\windows\srn_1247336860.exe
2009-07-11 13:39 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-07-10 22:33 19,643 a------- c:\windows\kirohuha._dl
2009-07-10 22:33 16,215 a------- c:\windows\system32\ipim._sy
2009-07-10 22:33 15,771 a------- c:\windows\system32\ugypuhu.db
2009-07-10 22:33 15,454 a------- c:\windows\rynasemo.scr
2009-07-10 22:33 14,275 a------- c:\docume~1\cameron\applic~1\gezameh.scr
2009-07-10 22:33 13,820 a------- c:\windows\jiluvupig.dl
2009-07-10 22:33 12,489 a------- c:\windows\ojugihimy.sys
2009-07-10 22:33 11,022 a------- c:\docume~1\cameron\applic~1\ojyvemo.scr
2009-07-10 22:33 10,445 a------- c:\program files\common files\micawi.vbs
2009-07-10 22:33 10,166 a------- c:\program files\common files\zecybu.com
2009-07-10 22:33 16,510 a------- c:\windows\ebogas.sys
2009-07-10 22:33 14,539 a------- c:\windows\system32\pisomyq.db
2009-07-10 22:30 <DIR> --d----- c:\windows\system32\PreInstall
2009-07-10 21:45 <DIR> --d----- c:\program files\Half-Life
2009-07-10 18:28 208,744 a------- c:\windows\system32\muweb.dll
2009-07-10 18:28 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-07-10 18:28 268,648 a------- c:\windows\system32\mucltui.dll
2009-07-10 18:20 <DIR> --d----- c:\program files\Yahoo!
2009-07-03 23:34 344,064 a------- c:\windows\system32\msvcr70.dll
2009-07-03 23:34 <DIR> --d----- c:\program files\common files\DVDVideoSoft
2009-07-03 23:34 <DIR> --d----- c:\program files\DVDVideoSoft
2009-07-03 14:22 <DIR> --d----- c:\docume~1\cameron\applic~1\FrostWire
2009-07-03 14:21 <DIR> --d----- c:\program files\FrostWire
2009-07-03 14:21 <DIR> --d----- c:\program files\AskBarDis
2009-07-03 12:55 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-07-03 12:55 79,816 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-07-03 12:55 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-07-03 12:55 120,136 a------- c:\windows\system32\drivers\Mpfp.sys
2009-07-03 12:54 <DIR> --d----- c:\program files\common files\McAfee
2009-07-03 12:54 <DIR> --d----- c:\program files\McAfee.com
2009-07-03 12:54 <DIR> --d----- c:\program files\McAfee
2009-07-03 12:25 34,248 a------- c:\windows\system32\drivers\mferkdk.sys
2009-06-28 23:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2009-06-28 23:23 <DIR> --d----- c:\program files\Viewpoint
2009-06-28 23:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2009-06-28 23:23 <DIR> --d----- c:\program files\common files\AOL
2009-06-28 23:23 <DIR> --d----- c:\program files\AIM6
2009-06-28 23:23 454 a---h--- C:\IPH.PH
2009-06-28 21:56 <DIR> --d----- c:\documents and settings\cameron\Bluetooth Software
2009-06-28 21:56 <DIR> --d----- c:\docume~1\cameron\applic~1\StarOffice8
2009-06-28 21:56 <DIR> --d----- c:\documents and settings\Cameron

==================== Find3M ====================

2009-07-10 22:33 14,101 a------- c:\program files\common files\qulyc.inf
2009-07-10 22:33 10,971 a------- c:\program files\common files\olyw.lib
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2008-05-07 04:34 15,523,560 a------- c:\program files\U1 Setup.exe

============= FINISH: 16:39:51.35 ===============

forgot the Attach, I believe

Merged topics. ~ OB

Attached Files


Edited by Orange Blossom, 14 July 2009 - 11:05 PM.
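An added triage example, not part of the original thread and not a tool from DDS, Malwarebytes or BleepingComputer: a small Python script that reads the two DDS sections a helper cross-checks by eye, the pseudo-HJT `Run` entries and the "Created Last 30" listing, and flags autostart entries whose binary or parent folder appeared in the last 30 days, executables placed directly in `C:\` or `C:\Windows`, the same binary registered in both the user and machine Run keys, zero-byte `.exe` files, and minutes in which a burst of files was created. The embedded sample lines are constructed from the log above with the path separators restored; `triage`, `parse_created`, `creation_bursts` and the `REPORT_TIME` constant are names chosen for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines of the kind found in the DDS log posted above (pseudo-HJT
# "Run" entries and the "Created Last 30" listing), path separators restored.
PSEUDO_HJT = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [braviax] c:\windows\system32\braviax.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [braviax] c:\windows\system32\braviax.exe
mRun: [sysldtray] c:\windows\ld12.exe
mRun: [PC Security 2009] "c:\program files\pc_security2009\PC_Security2009.exe" /hide
"""
CREATED_LAST_30 = r"""
2009-07-14 16:33 <DIR> --d----- c:\program files\PC_Security2009
2009-07-14 16:08 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-14 15:48 0 a------- C:\vphih.exe
2009-07-14 15:48 27,648 a------- c:\windows\ld12.exe
2009-07-14 15:48 8,704 a------- c:\windows\system32\braviax.exe
2009-07-10 22:33 19,643 a------- c:\windows\kirohuha._dl
2009-07-10 22:33 16,215 a------- c:\windows\system32\ipim._sy
2009-07-10 22:33 15,454 a------- c:\windows\rynasemo.scr
2009-07-10 22:33 14,275 a------- c:\docume~1\cameron\applic~1\gezameh.scr
2009-07-10 22:33 10,445 a------- c:\program files\common files\micawi.vbs
2009-07-10 22:30 <DIR> --d----- c:\windows\system32\PreInstall
"""
REPORT_TIME = datetime(2009, 7, 14, 16, 39)  # "FINISH: 16:39" in the posted log

RUN_RE = re.compile(r"^([um]Run(?:Once)?): \[(.*?)\]\s*(.*)$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) (\S+) (.*)$")

def extract_exe(cmd):
    """Executable path from a Run value: quoted, or unquoted followed by /switches."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)].lower()
    return re.split(r"\s+/", cmd)[0].lower()

def parse_run_entries(text):
    """Yield (hive, value name, lower-cased exe path) for each Run/RunOnce line."""
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            yield hive, name, extract_exe(cmd)

def parse_created(text, now, days=30):
    """Map lower-cased path -> (timestamp, size; None for <DIR>) within the window."""
    recent = {}
    for line in text.splitlines():
        m = CREATED_RE.match(line)
        if not m:
            continue
        date, hhmm, size, _attrs, path = m.groups()
        ts = datetime.strptime(f"{date} {hhmm}", "%Y-%m-%d %H:%M")
        if now - ts <= timedelta(days=days):
            recent[path.lower()] = (ts, None if size == "<DIR>" else int(size.replace(",", "")))
    return recent

def triage(hjt_text, created_text, now):
    """(label, exe, [reasons]) for autostart entries that deserve a closer look."""
    recent = parse_created(created_text, now)
    findings, hives_by_exe = [], {}
    for hive, name, exe in parse_run_entries(hjt_text):
        if not exe:
            continue
        hives_by_exe.setdefault(exe, set()).add(hive)
        parent = exe.rsplit("\\", 1)[0]
        reasons = []
        if exe in recent:
            reasons.append(f"autostart binary created {recent[exe][0]:%Y-%m-%d %H:%M}")
        elif parent in recent:
            reasons.append(f"parent folder created {recent[parent][0]:%Y-%m-%d %H:%M}")
        if parent in ("c:", "c:\\windows"):
            reasons.append(f"executable placed directly in {parent}\\")
        if reasons:
            findings.append((f"{hive}:[{name}]", exe, reasons))
    for exe, hives in hives_by_exe.items():
        if {"uRun", "mRun"} <= hives:
            findings.append(("both-hives", exe, ["same binary in user and machine Run keys"]))
    return findings

def zero_byte_executables(created_text, now):
    """Recent zero-byte .exe files, sorted."""
    return sorted(p for p, (_, size) in parse_created(created_text, now).items()
                  if size == 0 and p.endswith(".exe"))

def creation_bursts(created_text, now, min_files=3):
    """Minutes in which at least min_files files (folders excluded) appeared at once."""
    per_minute = {}
    for path, (ts, size) in parse_created(created_text, now).items():
        if size is not None:
            per_minute.setdefault(ts, []).append(path)
    return sorted((ts.strftime("%Y-%m-%d %H:%M"), len(paths))
                  for ts, paths in per_minute.items() if len(paths) >= min_files)

def triage_sample():
    """Run all three checks over the constructed sample above."""
    return (triage(PSEUDO_HJT, CREATED_LAST_30, REPORT_TIME),
            zero_byte_executables(CREATED_LAST_30, REPORT_TIME),
            creation_bursts(CREATED_LAST_30, REPORT_TIME))
```

`triage_sample()` runs the checks over the embedded sample; to use them on a fresh report, pass the two sections of the real log and the report's own finish time to `triage`, `zero_byte_executables` and `creation_bursts`. These are the crude heuristics a helper already applies when reading such a log: a hit is a reason to look at the entry, not a verdict about it, and the thresholds (30 days, three files per minute) are arbitrary choices for this example.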




#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:12:09 AM

Posted 15 July 2009 - 08:07 AM

Hello and welcome to BleepingComputer.com! :thumbup2:

I will be helping you today. :) If you still need help, please let me know by replying to this thread. :)

Please be advised that I am still in training.
For your own protection, I may not offer you any advice without it being checked by more experienced helpers first. This can unfortunately lead to slight delays in the responses. However, we are trying to help you as quickly as possible.

In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed, you will be advised when we respond to your topic, which facilitates the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please give me some time to analyse your logs; I will post back shortly.
regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:12:09 AM

Posted 16 July 2009 - 02:27 AM

Hi The Flying Burrito, :thumbup2:

Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case FrostWire). These programmes allow files to be shared between users, as the name suggests. In today's world, cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further reading on this subject, along with the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

You also have Viewpoint installed. Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on Start > Run, then paste the following into the "Open" field: appwiz.cpl and press OK. From within Add or Remove Programs, uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Please also uninstall the Ask Toolbar via Add/Remove.



Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • rename it to fun.exe
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link
  • Double click on fun.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Afterwards, please run OTL and GMER:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Finally, please post back with the log from ComboFix, the 2 logs from OTL and the log from GMER, and a description of how your PC is doing.
regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:03:09 PM

Posted 21 July 2009 - 07:22 PM

Due to lack of feedback, this topic has been closed. Everyone else, please begin a new topic.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)



