System Security and other issues [Moved]


91 replies to this topic

#1 milz45
Posted 17 July 2009 - 06:46 AM

My computer is basically a mess right now. I found out I had System Security spyware on my computer, so following the BleepingComputer post for this issue, I downloaded Process Explorer to kill it. I have a very short time period when I first boot (about 5 seconds) where I can open PE, search for the #########.exe that is System Security and kill it. Even then it will often open back up again and I have to be quick about killing it or else it will close PE and not allow me to run anything. Even after it's killed, though, the computer is VERY slow and I get hundreds of these Symantec pop-ups about proxy errors, like an email was unsuccessfully sent.

Working through all this I've managed to download and update Malwarebytes, but I can't run it. I've tried renaming the setup file, the folder, and the .exe, but it won't complete a scan. On a rare occasion I can actually get the program to open and start a quick scan, then after about 10 seconds it just closes. Then trying to open the .exe again results in an error about the path and permissions to open the program, so I have to start over from the setup file. I've all but given up on getting Malwarebytes to run. I successfully downloaded SuperAntiSpyware last night and let it scan. After over 12 hrs running it had only scanned 316 files. It did say it found a trojan, though. It's actually still running now.

Oh, and I cannot boot the computer in Safe Mode unfortunately, so to try anything I have to restart and go through the whole process again. Also noticed that occasionally a snippet of a commercial will play through my speakers ... it's really a wreck. I tried downloading HJT this morning but it was taking forever just for an IE window to open. Any help would greatly be appreciated. I just don't know what else to do at this point ... it's pretty much a boat anchor.


#2 Orange Blossom (Moderator)
Posted 17 July 2009 - 09:54 AM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 rigel
Posted 17 July 2009 - 01:08 PM

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#4 milz45
Posted 17 July 2009 - 09:05 PM

It was a bear getting this but here is the SmitfraudFix file. Also, my computer now occasionally opens an IE window and tries to connect to an IP address (65.60.39.52). Should this concern me?

SmitFraudFix v2.423

Scan done at 19:08:31.32, Fri 07/17/2009
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\msxml71.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\LOCALS~1\Temp

C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogon.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{D76AB2A1-00F3-42BD-F434-00BBC39C8953}"="rtasgvfu76ew8ndkfno94"

[HKEY_CLASSES_ROOT\CLSID\{D76AB2A1-00F3-42BD-F434-00BBC39C8953}\InProcServer32]
@="C:\WINDOWS\system32\gsf83iujid.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D76AB2A1-00F3-42BD-F434-00BBC39C8953}\InProcServer32]
@="C:\WINDOWS\system32\gsf83iujid.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{A36D2A01-00F3-42BD-F434-00BBC39C8953}"="kjhsf87fhjdsfn93rjkndfdf"

[HKEY_CLASSES_ROOT\CLSID\{A36D2A01-00F3-42BD-F434-00BBC39C8953}\InProcServer32]
@="C:\WINDOWS\system32\ghaf8jkdfd.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A36D2A01-00F3-42BD-F434-00BBC39C8953}\InProcServer32]
@="C:\WINDOWS\system32\ghaf8jkdfd.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\drivers\\smss.exe"

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
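The SmitfraudFix report above is essentially a targeted registry and file-system dump, and the two things worth reading in it are the SharedTaskScheduler entries (COM objects Explorer loads at start-up, here pointing at two randomly named DLLs in system32) and the Winlogon Userinit value, which has a second executable appended after userinit.exe so that it is launched at every logon. The script below is an added example, not part of the thread or of SmitfraudFix: it parses a .reg-style excerpt and flags those persistence points. The excerpt is constructed from the values in the report, plus one benign SharedTaskScheduler entry ("Browseui preloader", the stock Windows XP entry) added as a control; the randomness heuristic (digits wedged between letters, or a long consonant run) is an assumption of mine, not something the tool applies.

```python
import re

# Registry keys SmitfraudFix dumps, lower-cased because registry paths are case-insensitive.
STS_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler"
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
WINDOWS_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
INPROC_KEYS = (r"hkey_classes_root\clsid\%s\inprocserver32",
               r"hkey_local_machine\software\classes\clsid\%s\inprocserver32")

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^("[^"]*"|@)="(.*)"$')

# Constructed excerpt: the values from the posted report, plus the stock XP
# "Browseui preloader" entry as a benign control (added here, not in the report).
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00C04FD5A2D1}"="Browseui preloader"
"{D76AB2A1-00F3-42BD-F434-00BBC39C8953}"="rtasgvfu76ew8ndkfno94"
"{A36D2A01-00F3-42BD-F434-00BBC39C8953}"="kjhsf87fhjdsfn93rjkndfdf"

[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00C04FD5A2D1}\InProcServer32]
@="C:\WINDOWS\system32\browseui.dll"

[HKEY_CLASSES_ROOT\CLSID\{D76AB2A1-00F3-42BD-F434-00BBC39C8953}\InProcServer32]
@="C:\WINDOWS\system32\gsf83iujid.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A36D2A01-00F3-42BD-F434-00BBC39C8953}\InProcServer32]
@="C:\WINDOWS\system32\ghaf8jkdfd.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\drivers\\smss.exe"
"System"=""
"""


def parse_reg(text):
    """Return {key (lower-cased): {value name: value}} from .reg-style text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes; SmitfraudFix prints some values unescaped.
            current[m.group(1).strip('"')] = m.group(2).replace("\\\\", "\\")
    return keys


def looks_random(name):
    """Heuristic (assumption): digits wedged between letters, or a run of 5+ consonants."""
    stem = re.sub(r"\.[a-z0-9]+$", "", name.lower())
    if re.search(r"[a-z][0-9]+[a-z]", stem):
        return True
    runs = re.findall(r"[bcdfghjklmnpqrstvwxz]+", re.sub(r"[^a-z]", "", stem))
    return max((len(r) for r in runs), default=0) >= 5


def inproc_server(keys, clsid):
    """Resolve a CLSID to the DLL registered under either CLSID hive."""
    for pattern in INPROC_KEYS:
        dll = keys.get(pattern % clsid.lower(), {}).get("@")
        if dll:
            return dll
    return None


def audit(keys):
    """Return (area, subject, detail) findings for the persistence points in the dump."""
    findings = []
    # SharedTaskScheduler: every CLSID listed here is loaded into Explorer at start-up.
    for clsid, label in keys.get(STS_KEY, {}).items():
        dll = inproc_server(keys, clsid) or "<no InProcServer32>"
        if looks_random(label) or looks_random(dll.rsplit("\\", 1)[-1]):
            findings.append(("SharedTaskScheduler", clsid, dll))
    # Userinit: anything beyond %SystemRoot%\system32\userinit.exe runs at every logon.
    userinit = keys.get(WINLOGON_KEY, {}).get("Userinit", "")
    for entry in (e.strip() for e in userinit.split(",") if e.strip()):
        parent, _, base = entry.lower().rpartition("\\")
        if base != "userinit.exe" or not parent.endswith("\\system32"):
            findings.append(("Userinit", entry, "not the system32 userinit.exe"))
    # AppInit_DLLs and Winlogon\System are empty on a clean XP machine.
    for key, name in ((WINDOWS_KEY, "AppInit_DLLs"), (WINLOGON_KEY, "System")):
        value = keys.get(key, {}).get(name, "")
        if value:
            findings.append((name, value, "should be empty"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_DUMP)):
        print("%-20s %s -> %s" % finding)
```

Run against the constructed excerpt it reports the two random-named SharedTaskScheduler DLLs and the drivers\smss.exe appended to Userinit, and stays quiet on the Browseui control and the empty AppInit_DLLs and System values. The name heuristic is deliberately crude; on a real box the next step is to look at the file's version information and signing state, not to trust the name either way.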

#5 milz45
Posted 17 July 2009 - 09:09 PM

Forgot to mention that I kept getting a "Registry editing has been disabled by your administrator" pop-up during the process.

#6 rigel
Posted 17 July 2009 - 09:33 PM

Our next step

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.



#7 milz45
Posted 18 July 2009 - 08:10 AM

My computer won't let me boot in safe mode.

#8 rigel
Posted 18 July 2009 - 11:54 AM

Please run the fix in regular mode.



#9 milz45
Posted 19 July 2009 - 08:47 AM

Now when I try to get on, I still open Process Explorer and kill System Security, but then it reboots my PC a few minutes later. Not time enough to run the application. Is there something else I should be looking for to kill in Process Explorer? There are 2 .exe's I don't recognize in the form of ###.exe. Are these bad?

#10 DaChew
Posted 19 July 2009 - 09:33 AM

Please download and run Process Explorer

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under File and Save As, create a log and post it here.

Copy and paste it into a reply.
Chewy

No. Try not. Do... or do not. There is no try.

#11 milz45
Posted 20 July 2009 - 08:41 PM

Process PID CPU Description Company Name
System Idle Process 0
Interrupts n/a 2.99 Hardware Interrupts
DPCs n/a 5.97 Deferred Procedure Calls
System 4
smss.exe 328 Windows NT Session Manager Microsoft Corporation
csrss.exe 388 1.49 Client Server Runtime Process Microsoft Corporation
winlogon.exe 444 Windows NT Logon Application Microsoft Corporation
services.exe 492 1.49 Services and Controller app Microsoft Corporation
ati2evxx.exe 676 ATI External Event Utility EXE Module ATI Technologies Inc.
svchost.exe 696 Generic Host Process for Win32 Services Microsoft Corporation
iexplore.exe 4608 Internet Explorer Microsoft Corporation
iexplore.exe 5184 Internet Explorer Microsoft Corporation
hpgs2wnf.exe 5192 hpgs2wnf Module
iexplore.exe 5896 5.97 Internet Explorer Microsoft Corporation
rapimgr.exe 5328 ActiveSync RAPI Manager Microsoft Corporation
svchost.exe 752 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 836 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1064 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1080 Generic Host Process for Win32 Services Microsoft Corporation
CCSETMGR.EXE 1388 Common Client Settings Manager Service Symantec Corporation
symlcsvc.exe 1400 Symantec Core Component Symantec Corporation
CCEVTMGR.EXE 1444 Common Client Event Manager Service Symantec Corporation
spoolsv.exe 1596 Spooler SubSystem App Microsoft Corporation
svchost.exe 1712 Generic Host Process for Win32 Services Microsoft Corporation
AluSchedulerSvc.exe 140 Automatic LiveUpdate Scheduler Service Symantec Corporation
IntuitUpdateService.exe 356 Intuit Update Service Intuit Inc.
retrorun.exe 828 Retrospect Dantz Development Corporation
svchost.exe 928 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 944 5.97 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1004 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 2416 4.48 Generic Host Process for Win32 Services Microsoft Corporation
wdsvc.exe 2500 Retrospect Dantz Development Corporation
SAVSCAN.EXE 2528 Symantec AntiVirus Scanner Symantec Corporation
svchost.exe 2544 5.97 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 3180 2.99 Generic Host Process for Win32 Services Microsoft Corporation
ULCDRSvr.exe 3216 ULCDRSvr Ulead Systems, Inc.
svchost.exe 3260 Generic Host Process for Win32 Services Microsoft Corporation
SymWSC.exe 3568 Norton Security Center Service Symantec Corporation
svchost.exe 7324 Generic Host Process for Win32 Services Microsoft Corporation
savedump.exe 508 Windows NT Save Dump Utility Microsoft Corporation
lsass.exe 516 LSA Shell (Export Version) Microsoft Corporation
ati2evxx.exe 900 ATI External Event Utility EXE Module ATI Technologies Inc.
smss.exe 1212 5.97 Freeware Promotion PROMO Software
explorer.exe 1252 1.49 Windows Explorer Microsoft Corporation
601.exe 4572
procexp.exe 4764 5.97 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
hpgs2wnd.exe 5048 hpgs2wnd Hewlett-Packard
HpqCmon.exe 5224 HpqCmon MFC Application
kbd.exe 5332 KBD EXE Hewlett-Packard Company
sgtray.exe 5772 VERITAS Update Manager VERITAS Software, Inc.
nwiz.exe 5796 NVIDIA nView Wizard, Version 31.90 NVIDIA Corporation
dwwin.exe 5152 Microsoft Application Error Reporting Microsoft Corporation
CFD.exe 5904 2.99
atiptaxx.exe 5932 ATI Desktop Control Panel ATI Technologies, Inc.
Directcd.exe 3752 DirectCD Application Roxio
qttask.exe 4032 QuickTime Task Apple Computer, Inc.
Saimon.exe 3788
WDBtnMgr.exe 4220 WD Button Manager Western Digital Technologies, Inc.
SetIcon.exe 4672 Custom Icons Application For USB Drives Standard Microsystems Corp.
CCAPP.EXE 4888 Common Client User Session Symantec Corporation
reader_s.exe 4976 ASF Error Definitions Microsoft Corporation
svchost.exe 5340 Generic Host Process for Win32 Services Microsoft Corporation
winsystem.exe 4860
msmsgs.exe 5216 Windows Messenger Microsoft Corporation
CTSyncU.exe 5128 Sync Manager
GoogleToolbarNotifier.exe 5384 GoogleToolbarNotifier Google Inc.
wcescomm.exe 5788 ActiveSync Connection Manager Microsoft Corporation
ISUSPM.exe 3728 Macrovision Software Manager Macrovision Corporation
TeaTimer.exe 3680 System settings protector Safer-Networking Ltd.
reader_s.exe 3588 ASF Error Definitions Microsoft Corporation
svchost.exe 4048 Generic Host Process for Win32 Services Microsoft Corporation
winlogon.exe 3632
pqlmq.exe 5060
re14g61ki.exe 4944
re14g61ki.exe 204
msa.exe 4684
zyrvyol.exe 3652
SASW.exe 5768 SUPERAntiSpyware Application SUPERAntiSpyware.com
rundll32.exe 5000 Run a DLL as an App Microsoft Corporation
24796838.exe 7300 16.42
reader_sl.exe 4460 Adobe Acrobat SpeedLauncher Adobe Systems Incorporated
hpobrt07.exe 3724 25.37 HP OfficeJet COM Device Objects Hewlett-Packard Co.
SetPoint.exe 6312 Logitech SetPoint Event Manager (UNICODE) Logitech, Inc.
iexplore.exe 6640 Internet Explorer Microsoft Corporation
ihaupd32.exe 6972 Dkewupucjw urehu Gtjjduy Hjwdohjjkeq
dwwin.exe 7308 1.49 Microsoft Application Error Reporting Microsoft Corporation
notmgr.exe 7028 2.99 Red Chair Manager Red Chair Software, Inc.
zqosys32.exe 7056 Kkjqjnykoz yxufu Gfbarju Gjmcetemkos
services.exe 4912
csrss.exe 4956
smss.exe 5080
winlogon.exe 5132
zyrvyol.exe 5236
b.exe 4384
system.exe 7040
system.exe 7048
winamp.exe 7080
winamp.exe 7096
setup.exe 7184
setup.exe 7192
cmd.exe 7232 Windows Command Processor Microsoft Corporation
net.exe 7352 Net Command Microsoft Corporation

#12 milz45
Posted 20 July 2009 - 09:18 PM

Alright, I was finally able to run a 'clean' with SmitfraudFix, although I'm not sure it did anything. Throughout the process I kept getting notification that "registry editing has been disabled by my admin". The scan ran, then rebooted, and System Security still tried to fire up (although I was able to kill it quickly with PE). Still getting tons of Symantec Proxy Email pop-ups. Here's the report from SmitfraudFix; after that is a new log from PE. I may try to run Malwarebytes as well. (By the way, thank you so much for looking at this and helping me.)

SmitFraudFix v2.423

Scan done at 21:43:47.73, Mon 07/20/2009
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{D76AB2A1-00F3-42BD-F434-00BBC39C8953}"="rtasgvfu76ew8ndkfno94"

[HKEY_CLASSES_ROOT\CLSID\{D76AB2A1-00F3-42BD-F434-00BBC39C8953}\InProcServer32]
@="C:\WINDOWS\system32\gsf83iujid.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D76AB2A1-00F3-42BD-F434-00BBC39C8953}\InProcServer32]
@="C:\WINDOWS\system32\gsf83iujid.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{A36D2A01-00F3-42BD-F434-00BBC39C8953}"="kjhsf87fhjdsfn93rjkndfdf"

[HKEY_CLASSES_ROOT\CLSID\{A36D2A01-00F3-42BD-F434-00BBC39C8953}\InProcServer32]
@="C:\WINDOWS\system32\ghaf8jkdfd.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A36D2A01-00F3-42BD-F434-00BBC39C8953}\InProcServer32]
@="C:\WINDOWS\system32\ghaf8jkdfd.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\msxml71.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

Problem while deleting C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogon.exe

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK.2



»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{D76AB2A1-00F3-42BD-F434-00BBC39C8953}"="rtasgvfu76ew8ndkfno94"

[HKEY_CLASSES_ROOT\CLSID\{D76AB2A1-00F3-42BD-F434-00BBC39C8953}\InProcServer32]
@="C:\WINDOWS\system32\gsf83iujid.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D76AB2A1-00F3-42BD-F434-00BBC39C8953}\InProcServer32]
@="C:\WINDOWS\system32\gsf83iujid.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{A36D2A01-00F3-42BD-F434-00BBC39C8953}"="kjhsf87fhjdsfn93rjkndfdf"

[HKEY_CLASSES_ROOT\CLSID\{A36D2A01-00F3-42BD-F434-00BBC39C8953}\InProcServer32]
@="C:\WINDOWS\system32\ghaf8jkdfd.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A36D2A01-00F3-42BD-F434-00BBC39C8953}\InProcServer32]
@="C:\WINDOWS\system32\ghaf8jkdfd.dll"



»»»»»»»»»»»»»»»»»»»»»»»» Reboot

C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogon.exe Deleted


»»»»»»»»»»»»»»»»»»»»»»»» End

#13 milz45
Posted 20 July 2009 - 09:19 PM

Here's the process explorer log ...

Process PID CPU Description Company Name
System Idle Process 0 30.95
Interrupts n/a 0.82 Hardware Interrupts
DPCs n/a 5.52 Deferred Procedure Calls
System 4 0.82
smss.exe 332 Windows NT Session Manager Microsoft Corporation
csrss.exe 392 1.63 Client Server Runtime Process Microsoft Corporation
winlogon.exe 436 Windows NT Logon Application Microsoft Corporation
services.exe 492 0.10 Services and Controller app Microsoft Corporation
ati2evxx.exe 660 ATI External Event Utility EXE Module ATI Technologies Inc.
svchost.exe 684 Generic Host Process for Win32 Services Microsoft Corporation
hpgs2wnf.exe 3788 hpgs2wnf Module
rapimgr.exe 4604 ActiveSync RAPI Manager Microsoft Corporation
hpoevm07.exe 3680 0.10 HP OfficeJet COM Event Manager Hewlett-Packard Co.
hposts07.exe 292 HP OfficeJet Status Hewlett-Packard Co.
iexplore.exe 6748 0.31 Internet Explorer Microsoft Corporation
svchost.exe 744 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 960 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1128 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1240 Generic Host Process for Win32 Services Microsoft Corporation
CCSETMGR.EXE 1300 Common Client Settings Manager Service Symantec Corporation
svchost.exe 1328 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1356 7.87 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1368 Generic Host Process for Win32 Services Microsoft Corporation
symlcsvc.exe 132 Symantec Core Component Symantec Corporation
svchost.exe 176 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 560 Generic Host Process for Win32 Services Microsoft Corporation
CCEVTMGR.EXE 1088 Common Client Event Manager Service Symantec Corporation
svchost.exe 1160 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 2468 Spooler SubSystem App Microsoft Corporation
svchost.exe 2536 Generic Host Process for Win32 Services Microsoft Corporation
AluSchedulerSvc.exe 2692 0.10 Automatic LiveUpdate Scheduler Service Symantec Corporation
expIorer.exe 3892 0.31 Microsoft Corporation
IntuitUpdateService.exe 3944 Intuit Update Service Intuit Inc.
retrorun.exe 1000 Retrospect Dantz Development Corporation
wdsvc.exe 4496 0.10 Retrospect Dantz Development Corporation
SAVSCAN.EXE 4608 0.72 Symantec AntiVirus Scanner Symantec Corporation
svchost.exe 4912 1.43 Generic Host Process for Win32 Services Microsoft Corporation
ULCDRSvr.exe 5068 ULCDRSvr Ulead Systems, Inc.
SymWSC.exe 5452 Norton Security Center Service Symantec Corporation
LUCOMS~1.EXE 6900 0.17
lsass.exe 508 LSA Shell (Export Version) Microsoft Corporation
ati2evxx.exe 888 ATI External Event Utility EXE Module ATI Technologies Inc.
smss.exe 1188 1.33 Freeware Promotion PROMO Software
explorer.exe 1348 0.31 Windows Explorer Microsoft Corporation
hpgs2wnd.exe 160 hpgs2wnd Hewlett-Packard
HpqCmon.exe 2124 HpqCmon MFC Application
kbd.exe 2564 KBD EXE Hewlett-Packard Company
sgtray.exe 2600 VERITAS Update Manager VERITAS Software, Inc.
CFD.exe 2616
atiptaxx.exe 2624 ATI Desktop Control Panel ATI Technologies, Inc.
Directcd.exe 2668 DirectCD Application Roxio
qttask.exe 676 QuickTime Task Apple Computer, Inc.
Saimon.exe 3440
WDBtnMgr.exe 984 0.10 WD Button Manager Western Digital Technologies, Inc.
SetIcon.exe 864 Custom Icons Application For USB Drives Standard Microsystems Corp.
CCAPP.EXE 3724 0.51 Common Client User Session Symantec Corporation
procexp.exe 4116 1.94 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
reader_s.exe 4172 ASF Error Definitions Microsoft Corporation
svchost.exe 5004 Generic Host Process for Win32 Services Microsoft Corporation
winsystem.exe 4220 0.10
msmsgs.exe 4288 Windows Messenger Microsoft Corporation
CTSyncU.exe 4356 0.20 Sync Manager
GoogleToolbarNotifier.exe 4376 0.10 GoogleToolbarNotifier Google Inc.
wcescomm.exe 4424 ActiveSync Connection Manager Microsoft Corporation
ISUSPM.exe 4532 Macrovision Software Manager Macrovision Corporation
TeaTimer.exe 4636 38.92 System settings protector Safer-Networking Ltd.
reader_s.exe 4660 ASF Error Definitions Microsoft Corporation
svchost.exe 5312 Generic Host Process for Win32 Services Microsoft Corporation
notepad.exe 4696
pqlmq.exe 4720
re14g61ki.exe 4784
re14g61ki.exe 4792 0.10
zyrvyol.exe 4848
SASW.exe 4856 SUPERAntiSpyware Application SUPERAntiSpyware.com
rundll32.exe 4888 0.31 Run a DLL as an App Microsoft Corporation
36396858.exe 6884 0.37
cmd.exe 7016 0.10 Windows Command Processor Microsoft Corporation
cmd.exe 7052 0.10
cmd.exe 7136 0.41 Windows Command Processor Microsoft Corporation
40367138.exe 7008 0.20
41470349.exe 7124 0.31
reader_sl.exe 5036 Adobe Acrobat SpeedLauncher Adobe Systems Incorporated
hpobrt07.exe 5132 1.53 HP OfficeJet COM Device Objects Hewlett-Packard Co.
SetPoint.exe 5240 Logitech SetPoint Event Manager (UNICODE) Logitech, Inc.
KHALMNPR.exe 3832 Logitech KHAL Main Process Logitech, Inc.
iexplore.exe 5392 0.31 Internet Explorer Microsoft Corporation
notmgr.exe 5408 0.10 Red Chair Manager Red Chair Software, Inc.
012.exe 6444
833.exe 6452 0.20
msa.exe 2556 0.41
notepad.exe 3956 0.10 Notepad Microsoft Corporation
svchost.exe 4724 0.10 Generic Host Process for Win32 Services Microsoft Corporation
smss.exe 6564
mdm.exe 6620
winlogon.exe 6628
lsass.exe 6652
svchost.exe 6792 0.10
services.exe 6800
system.exe 6824
setup.exe 6912 0.72
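The two Process Explorer listings above carry most of the classic signs of a rogue-AV and file-infector outbreak without any hash lookups: core Windows processes (smss.exe, winlogon.exe, lsass.exe, services.exe, csrss.exe) running a second or third time with no Microsoft version information, an smss.exe whose version info reads "Freeware Promotion PROMO Software", an "expIorer.exe" with a capital I standing in for the l, purely numeric names such as 012.exe and 36396858.exe, and a crowd of names with no description at all. The script below is an added example (mine, not part of the thread or of Process Explorer) that parses an excerpt of such a listing and applies those heuristics. The excerpt is constructed from lines in the posted logs, and the triage rules are my own assumptions about what a healthy XP process list looks like, not anything the tool itself reports.

```python
import re

# One Process Explorer line: image name, PID (or n/a), optional CPU %, then
# description and company as free text. Multi-word names ("System Idle Process")
# are not handled, so that line is left out of the excerpt.
LINE_RE = re.compile(r"^(\S+)\s+(\d+|n/a)(?:\s+(\d+\.\d+))?(?:\s+(.*))?$")

# Core XP processes; every genuine instance carries Microsoft version information.
CORE = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "explorer.exe"}

# Constructed excerpt of the listings posted in the thread.
SAMPLE_LISTING = """\
Process PID CPU Description Company Name
System 4 0.82
smss.exe 332 Windows NT Session Manager Microsoft Corporation
csrss.exe 392 1.63 Client Server Runtime Process Microsoft Corporation
winlogon.exe 436 Windows NT Logon Application Microsoft Corporation
services.exe 492 0.10 Services and Controller app Microsoft Corporation
lsass.exe 508 LSA Shell (Export Version) Microsoft Corporation
smss.exe 1188 1.33 Freeware Promotion PROMO Software
explorer.exe 1348 0.31 Windows Explorer Microsoft Corporation
expIorer.exe 3892 0.31 Microsoft Corporation
TeaTimer.exe 4636 38.92 System settings protector Safer-Networking Ltd.
36396858.exe 6884 0.37
012.exe 6444
833.exe 6452 0.20
zyrvyol.exe 4848
smss.exe 6564
winlogon.exe 6628
lsass.exe 6652
services.exe 6800
system.exe 6824
"""


def parse(listing):
    """Return (name, pid, version_text) for each process line that parses."""
    rows = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) == "n/a":   # header line, Interrupts, DPCs
            continue
        rows.append((m.group(1), int(m.group(2)), m.group(4) or ""))
    return rows


def fold(name):
    """Homoglyph fold: I and 1 pass for l, 0 for o, then lower-case."""
    return name.replace("I", "l").replace("1", "l").replace("0", "o").lower()


def triage(listing):
    """Return (name, pid, reason) for every process that trips a heuristic."""
    hits = []
    for name, pid, info in parse(listing):
        low = name.lower()
        stem = low.rsplit(".", 1)[0]
        if low == "system" and pid == 4:     # kernel pseudo-process, has no image file
            continue
        if low in CORE:
            # A core name is fine only when the binary's version info is Microsoft's.
            if "microsoft" not in info.lower():
                hits.append((name, pid, "core process name without Microsoft version info"))
            continue
        if fold(name) in CORE or fold(stem) == "system":
            hits.append((name, pid, "look-alike of a core process name"))
        elif stem.isdigit():
            hits.append((name, pid, "all-numeric file name"))
        elif not info:
            hits.append((name, pid, "no description or company in version info"))
    return hits


if __name__ == "__main__":
    for name, pid, reason in triage(SAMPLE_LISTING):
        print("%-14s %5d  %s" % (name, pid, reason))
```

On the constructed excerpt this flags eleven processes and leaves the genuine smss.exe, csrss.exe, explorer.exe and TeaTimer.exe alone. The "no version info" rule is the noisiest of the three on real machines (plenty of legitimate vendor tools ship without a description), so treat it as a list of things to inspect in Process Explorer's image tab rather than as a verdict.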

#14 DaChew
Posted 21 July 2009 - 03:46 AM

I am afraid I have some real bad news

http://www.bleepingcomputer.com/startups/r....exe-24581.html
Chewy


#15 DaChew
Posted 21 July 2009 - 04:03 AM

Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of virut can even penetrate and infect .exe files within compressed files (.zip, .cab, rar). Virux is an even more complex file infector which can embed an iframe into the body of web-related files and infect script files (.php, .asp, and .html). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer virut remains on a computer, the more critical system files will become infected and corrupt so the degree of infection can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus... Due to the damage caused to files by Virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG Overview of W32/Virut

This kind of infection is contracted and spread by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:
Chewy




