
Infected with ~~~Protection System~~~ Windows XP MCE


  • This topic is locked
2 replies to this topic

#1 ohyesitstrue

ohyesitstrue

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:28 PM

Posted 24 July 2009 - 12:39 AM

I am infected with what I believe to be the Protection System virus/malware. It looks almost identical to Windows Security Center, and I get about 3 or 4 different "alerts" from it wanting me to enable protection or install now. It also put a few porn icons on my desktop and will install itself on its own every once in a while after I delete it. When it installs, it tries to delete all my antivirus software. So I tried deleting it and running McAfee last night, but neither worked, so I ended up doing a system recovery (I think the virus deleted, or blocked, my restore points as well as the partitioned space on my hard drive for restores/recovery, but I was able to perform it from the start-up screen with F10), but I still have the darn thing on my computer.

It has taken me all day to find out info on this thing because it also blocks any programs or websites that have anything to do with getting rid of it. It even blocks them in safe mode. But finally, thanks to a guide I read on this site, I was able to run Malwarebytes by changing the name in its program files folder.

I ran a quick scan in safe mode and thought I had gotten rid of it, since it found and quarantined 22 items, but after the restart it was still there. Then nothing shows up when I run a full scan.

*Edit* I ran a full scan in safe mode and it found 22 items again, but the same thing happened: I deleted/quarantined them, then Protection System was still there after the restart.

I am getting very sick of this dang thing and would appreciate any help or input you guys have for me.

Thanks in advance!


DDS (Ver_09-06-26.01) - NTFSx86 NETWORK
Run by Compaq_Administrator at 0:11:38.03 on Fri 07/24/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1469 [GMT -5:00]

AV: Protection System *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost
C:\Program Files\kikbutt\hart.com.exe
C:\WINDOWS\system32\wscsvc32.exe
svchost.exe C:\WINDOWS\TEMP\VRT5.tmp
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AOL Fast Start] "c:\program files\aol 9.1\AOL.EXE" -b
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [PCDrProfiler] "c:\program files\pc-doctor 5 for windows\RunProfiler.exe" -r
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [CTSysVol] c:\program files\creative\sb live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\5577497\program\Compaq Connections.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\extend~1.lnk - c:\windows\ehome\RMSvc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
Trusted Zone: trymedia.com
DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-7-23 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-7-23 46864]
S1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214024]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 119808]
S2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-7-23 38160]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-23 34248]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-7-23 33552]

=============== Created Last 30 ================

2009-07-24 00:04 40 a------- c:\windows\system32\6.tmp
2009-07-23 23:54 40 a------- c:\windows\system32\5.tmp
2009-07-23 22:39 <DIR> --d----- c:\docume~1\compaq~1\applic~1\Malwarebytes
2009-07-23 22:12 <DIR> --d----- c:\program files\kikbutt
2009-07-23 22:08 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-23 22:08 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-23 22:08 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-23 22:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-23 21:41 40 a------- c:\windows\system32\7E.tmp
2009-07-23 21:28 14,848 a------- c:\windows\system32\drivers\kbdhid.sys
2009-07-23 21:28 21,504 a------- c:\windows\system32\hidserv.dll
2009-07-23 21:28 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-07-23 21:28 31,616 a------- c:\windows\system32\drivers\usbccgp.sys
2009-07-23 21:28 9,600 a------- c:\windows\system32\drivers\hidusb.sys
2009-07-23 21:01 40 a------- c:\windows\system32\10.tmp
2009-07-23 20:58 <DIR> --dshr-- c:\windows\system32\dllcache
2009-07-23 20:50 51,984 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-07-23 20:50 46,864 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-07-23 20:50 33,552 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-07-23 20:50 <DIR> --d----- c:\program files\ThreatFire
2009-07-23 20:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-07-23 20:14 785,920 a------- c:\windows\system32\wscsvc32.exe
2009-07-23 20:14 257,536 a------- c:\windows\system32\resdll.dll
2009-07-23 20:14 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-07-23 20:05 34,248 a------- c:\windows\system32\drivers\mferkdk.sys
2009-07-23 19:57 24,960 a----r-- c:\windows\system32\drivers\ATWPKT2.SYS
2009-07-23 19:57 33,588 a----r-- c:\windows\system32\drivers\wanatw4.sys
2009-07-23 19:45 647,872 -------- c:\windows\system32\Mscomct2.ocx
2009-07-23 19:43 62,976 a------- c:\windows\system32\CTDetres.dll
2009-07-23 19:43 17,350 a------- c:\windows\system32\CTDetect.hlp
2009-07-23 19:43 641 a------- c:\windows\system32\CTDetect.cnt
2009-07-23 19:43 64,512 a------- c:\windows\system32\CTSVCCDA.EXE
2009-07-23 19:43 45,568 -------- c:\windows\system32\CTSVCCTL.EXE
2009-07-23 19:43 331,776 -------- c:\windows\system32\CTMEDENG.DLL
2009-07-23 19:43 139,264 a------- c:\windows\system32\Video.skn
2009-07-23 19:43 24,576 a------- c:\windows\system32\CTMERes.DLL
2009-07-23 19:42 176,128 a------- c:\windows\system32\USBAudio.cpl
2009-07-23 19:42 135,168 a------- c:\windows\system32\USBAudio.crl
2009-07-23 19:42 45,390 a------- c:\windows\system32\usbaudio.chm
2009-07-23 19:42 692 a------- c:\windows\system32\USBAudio.cpl.manifest
2009-07-23 19:40 15,840 a------- c:\windows\system32\drivers\Pfmodnt.sys
2009-07-23 19:39 614,400 -------- c:\windows\system32\ati2sgag.exe
2009-07-23 19:37 <DIR> --dshr-- C:\cmdcons
2009-07-23 19:37 <DIR> --d----- c:\windows\setupupd
2009-07-23 19:35 1,775 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_RE477AA-ABA SR2039X NA680_YC_0Pres_QCNX639_E64NAemREA4_48_INAGAMI2_SASUSTek Computer INC._V2.00_B3.11_T060919_WXP2_L409_M2047_J250_7AMD_8Athlon 64_92.2_#061125_N_Z_G10029598_OTSSTcorp CD DVDW TS-H652L_D.MRK
2009-07-23 19:32 <DIR> --d----- c:\documents and settings\compaq_administrator\WINDOWS
2009-07-23 19:32 <DIR> --d----- c:\docume~1\compaq~1\applic~1\Intuit
2009-07-23 19:32 <DIR> --d----- c:\documents and settings\Compaq_Administrator
2009-07-23 19:29 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-07-23 17:23 8,212 a------- c:\windows\mfebcdata
2009-07-23 17:02 1,348 a------- c:\windows\ATICIM.INI
2009-07-23 14:31 62,464 -------- c:\windows\Ctregrun.exe
2009-07-23 14:30 110,592 -------- c:\windows\Updreg.EXE
2009-07-23 14:18 43,520 -------- c:\windows\kb913800.exe
2009-07-23 14:05 157,357 a------- c:\windows\hpoins27.dat
2009-07-23 14:05 932 -------- c:\windows\hpomdl27.dat
2009-07-23 02:55 <DIR> --d----- c:\docume~1\compaq~1\applic~1\ESET
2009-07-23 02:53 <DIR> --d----- c:\program files\ESET
2009-07-22 23:04 <DIR> --d----- c:\program files\QUAD Utilities
2009-07-02 12:49 4,125,696 a------- c:\windows\system32\drivers\ati2mtag.sys
2009-07-02 12:49 4,125,696 a------- c:\windows\system32\dllcache\ati2mtag.sys
2009-07-02 12:25 442,368 a------- c:\windows\system32\ATIDEMGX.dll
2009-07-02 12:24 335,872 a------- c:\windows\system32\dllcache\ati2dvag.dll
2009-07-02 12:24 335,872 a------- c:\windows\system32\ati2dvag.dll
2009-07-02 12:07 311,296 a------- c:\windows\system32\atiiiexx.dll
2009-07-02 12:06 204,800 a------- c:\windows\system32\atipdlxx.dll
2009-07-02 12:05 155,648 a------- c:\windows\system32\Oemdspif.dll
2009-07-02 12:05 46,592 a------- c:\windows\system32\Ati2mdxx.exe
2009-07-02 12:05 43,520 a------- c:\windows\system32\ati2edxx.dll
2009-07-02 12:05 155,648 a------- c:\windows\system32\ati2evxx.dll
2009-07-02 12:04 622,592 a------- c:\windows\system32\ati2evxx.exe
2009-07-02 12:02 53,248 a------- c:\windows\system32\ATIDDC.DLL
2009-07-02 11:56 3,014,272 a------- c:\windows\system32\dllcache\ati3duag.dll
2009-07-02 11:56 3,014,272 a------- c:\windows\system32\ati3duag.dll
2009-07-02 11:54 11,698,176 a------- c:\windows\system32\atioglxx.dll
2009-07-02 11:44 2,139,904 a------- c:\windows\system32\dllcache\ativvaxx.dll
2009-07-02 11:44 2,139,904 a------- c:\windows\system32\ativvaxx.dll
2009-07-02 11:44 219,120 a------- c:\windows\system32\ativvaxx.cap
2009-07-02 11:44 887,724 a------- c:\windows\system32\ativva6x.dat
2009-07-02 11:44 3 a------- c:\windows\system32\ativva5x.dat
2009-07-02 11:31 49,664 a------- c:\windows\system32\atimpc32.dll
2009-07-02 11:31 49,664 a------- c:\windows\system32\amdpcom32.dll
2009-07-02 11:28 487,424 a------- c:\windows\system32\atikvmag.dll
2009-07-02 11:27 45,056 a------- c:\windows\system32\aticalrt.dll
2009-07-02 11:26 45,056 a------- c:\windows\system32\aticalcl.dll
2009-07-02 11:26 151,552 a------- c:\windows\system32\atiadlxx.dll
2009-07-02 11:26 17,408 a------- c:\windows\system32\atitvo32.dll
2009-07-02 11:25 53,248 a------- c:\windows\system32\drivers\ati2erec.dll
2009-07-02 11:25 3,248,128 a------- c:\windows\system32\aticaldd.dll
2009-07-02 11:24 376,832 a------- c:\windows\system32\atiok3x2.dll
2009-07-02 11:20 651,264 a------- c:\windows\system32\dllcache\ati2cqag.dll
2009-07-02 11:20 651,264 a------- c:\windows\system32\ati2cqag.dll

==================== Find3M ====================

2009-06-21 12:31 236,597 a------- c:\windows\hpqins11.dat
2009-06-18 14:29 197,654 a------- c:\windows\system32\atiicdxx.dat
2009-05-11 16:35 139,264 a------- c:\windows\system32\atibtmon.exe
2009-04-14 15:00 34 a------- c:\documents and settings\compaq_administrator\jagex_runescape_preferences.dat
2007-11-25 20:23 4,346,084 a------- c:\documents and settings\compaq_administrator\WoW-2.3.0.7561-to-0.3.2.7627-enUS-patch.exe

============= FINISH: 0:12:18.35 ===============


Edited by ohyesitstrue, 24 July 2009 - 01:22 AM.
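As an added example (not from the poster or from BleepingComputer), a small Python triage script over an excerpt of the DDS "Running Processes" block posted above: it flags the entries a helper would question here, the double-extension binary under a freshly created Program Files folder, an exe named after the Security Center service (wscsvc) with "32" appended, and svchost launching a .tmp from TEMP. The heuristics and the IMITATED_SYSTEM_NAMES list are assumptions for this example, not DDS features.

```python
import re
# Constructed sample: excerpt of the "Running Processes" block from the DDS log above.
DDS_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\kikbutt\hart.com.exe
C:\WINDOWS\system32\wscsvc32.exe
svchost.exe C:\WINDOWS\TEMP\VRT5.tmp
C:\Documents and Settings\Compaq_Administrator\Desktop\dds.scr
============== Pseudo HJT Report ===============
"""

# Assumed list of component names rogues imitate with a "32"/"64" suffix (real wscsvc is a DLL hosted by svchost).
IMITATED_SYSTEM_NAMES = {"wscsvc", "svchost", "lsass", "csrss", "winlogon", "explorer"}

def parse_running_processes(log):
    """Return the command lines between the Running Processes header and the next section."""
    out, inside = [], False
    for line in log.splitlines():
        if line.startswith("=") and "Running Processes" in line:
            inside = True
        elif inside and line.startswith("="):
            break
        elif inside and line.strip():
            out.append(line.strip())
    return out

def triage(cmdline):
    """Return heuristic reasons (possibly none) why this entry deserves a closer look."""
    # DDS does not quote paths, so split image from arguments at the first executable extension.
    m = re.match(r"(?i)^(.*?\.(?:exe|scr|com))(?:\s+(.*))?$", cmdline)
    image, args = (m.group(1), m.group(2) or "") if m else cmdline.partition(" ")[::2]
    name = image.rsplit("\\", 1)[-1].lower()
    reasons = []
    if "\\temp\\" in cmdline.lower():
        reasons.append("runs or loads a file from a TEMP directory")
    if name.count(".") >= 2:
        reasons.append("double extension in image name")
    if name.startswith("svchost") and args and not args.startswith("-k "):
        reasons.append("svchost with a non-standard argument")
    imitation = re.fullmatch(r"([a-z]+)(?:32|64)", name.rsplit(".", 1)[0])
    if imitation and imitation.group(1) in IMITATED_SYSTEM_NAMES:
        reasons.append(f"imitates system component '{imitation.group(1)}'")
    return reasons

def suspicious_processes(log):
    return {p: triage(p) for p in parse_running_processes(log) if triage(p)}
```

Run against the full log, the same three entries surface; the other listed processes produce no reasons, which is the point of a triage pass: narrow what a helper has to read, not decide for them.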



#2 ohyesitstrue

ohyesitstrue
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:28 PM

Posted 25 July 2009 - 01:19 PM

*Update* I ended up wiping my hard drive clean and re-installing Windows. That was a nasty virus, and it was really stressing me out having that thing on there. Sorry for taking things into my own hands after I requested help on here, and thanks to anyone who viewed this thread.

Edited by ohyesitstrue, 25 July 2009 - 01:19 PM.


#3 Guest_The weatherman_*

Guest_The weatherman_*

  • Guests
  • OFFLINE

Posted 29 July 2009 - 05:28 PM

Don't worry about it, ohyesitstrue. Thanks for letting us know. :thumbup2:



