
Windows Protection Suite pop up infection


  • This topic is locked
2 replies to this topic

#1 mrsthumper

  • Members
  • 2 posts

Posted 27 August 2009 - 08:11 AM

A coworker brought his Dell laptop in to me; he is having problems with constant pop-ups about infection and remote connections, offering to block them with Windows Protection Suite. I have attempted to run Malwarebytes Anti-Malware on this machine; it found numerous problems and attempted to remove them, but they are still present after reboot, and the pop-ups and "system alerts" continue.

I've talked to him about the dangers of randomly downloading junk that's supposed to do all kinds of cool illicit stuff. Hopefully he gets it, but I'd just like to get his computer running for him again.

Here is the log info:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Troy at 8:42:22.50 on Thu 08/27/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.482 [GMT -4:00]

AV: Windows Protection Suite *On-access scanning enabled* (Updated) {7F8373D7-C043-47AC-89B1-61EB797425C0}
FW: Windows Protection Suite *enabled* {ECF7A635-CB75-413E-BD32-58106F1E28DD}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\rmctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Documents and Settings\All Users\Application Data\04c6b1b\WI04c6.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MSN\Toolbar\3.0.0988.2\msntask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Troy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.yahoo.com/search/ie.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Merriam-Webster Online: {b7b76dd6-b6f0-4443-af81-6a3ecf12a57d} - c:\windows\_MWOLTB.DLL
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Windows Protection Suite] "c:\documents and settings\all users\application data\04c6b1b\WI04c6.exe" /s /d
mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe" -lang 1033
mRun: [RemoteControl] c:\windows\system32\rmctrl.exe
mRun: [BCWipeTM Startup] "c:\program files\jetico\bcwipe\BCWipeTM.exe" startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [AirCardEnabler] "c:\program files\sierra wireless inc\network adapter manager\Network Adapter Manager.exe"
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [EPSON Stylus CX4800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [My Web Search Bar Search Scope Monitor] "c:\progra~1\mywebs~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
mRun: [Lexmark X6100 Series] "c:\program files\lexmark x6100 series\lxbfbmgr.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
IE: &Search
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125350981890
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - hxxp://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\troy\applic~1\mozilla\firefox\profiles\4xddnpyb.default\
FF - prefs.js: browser.search.selectedEngine - search
FF - prefs.js: browser.startup.homepage - hxxp://www.rr.com/
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

R1 hwinterface;hwinterface;c:\windows\system32\drivers\hwinterface.sys [2005-5-25 3026]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-5-3 80384]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [2005-12-19 20480]
S0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2006-4-24 17792]
S2 gupdate1c9e63822da5ba4;Google Update Service (gupdate1c9e63822da5ba4);c:\program files\google\update\GoogleUpdate.exe [2009-6-5 133104]
S3 ACGPRS;Sierra Wireless 3G Adapter;c:\windows\system32\drivers\acgprs.sys [2006-2-14 97280]
S3 VICAMUSB;3Com HomeConnect USB Camera;c:\windows\system32\drivers\vicamusb.sys --> c:\windows\system32\drivers\vicamusb.sys [?]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\BCSwap.sys [2002-8-16 88080]
S4 Mouhciipa;Mouhciipa; [x]

=============== Created Last 30 ================

2009-08-26 11:01 <DIR> --d----- c:\docume~1\troy\applic~1\Malwarebytes
2009-08-26 11:00 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-26 11:00 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-26 11:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-26 11:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-25 21:48 <DIR> --d----- c:\program files\AVG
2009-08-24 00:26 <DIR> --d----- c:\docume~1\troy\applic~1\AVG8
2009-08-23 23:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-23 12:37 <DIR> --dsh--- c:\docume~1\troy\applic~1\Windows Protection Suite
2009-08-23 12:37 <DIR> --dsh--- c:\docume~1\alluse~1\applic~1\WINSPSys
2009-08-23 12:37 <DIR> --dsh--- c:\docume~1\alluse~1\applic~1\04c6b1b
2009-08-12 16:42 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 16:41 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-07 17:34 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-06 22:43 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-06 22:42 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-06 22:42 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-06 22:42 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-06 22:42 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-06 22:42 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-06 22:42 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-06 22:42 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-06 22:42 <DIR> --d----- C:\fd91f526d1e5e21f3e7daf940d67
2009-08-05 18:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-08-05 18:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-08-05 05:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-07-29 15:57 594,432 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-07-29 15:57 55,296 -c------ c:\windows\system32\dllcache\msfeedsbs.dll

==================== Find3M ====================

2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-25 04:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-07 18:52 87,263 ac------ c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-02 10:57 23,348 a------- c:\windows\system32\emptyregdb.dat
2005-05-02 13:46 8 a--shr-- c:\windows\system32\366EF5CE5E.sys
2006-09-12 19:51 11,426 ac-sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 8:42:45.09 ===============

Thank you
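As an added example (not part of the thread or of DDS itself), a small Python checker that applies the analyst's reading of the log above to its own lines: the autostart entry for the product registered as "AV" and "FW" runs from All Users\Application Data, and hidden+system directories under Application Data were created the day the trouble started. The line patterns follow the DDS sections as they appear in this log; the three heuristics are the editor's assumptions about what marks a rogue security product, not anything DDS reports.

```python
import re

# Excerpt of the DDS log posted above (lines reproduced from the thread, trimmed).
DDS_EXCERPT = r"""
AV: Windows Protection Suite *On-access scanning enabled* (Updated) {7F8373D7-C043-47AC-89B1-61EB797425C0}
FW: Windows Protection Suite *enabled* {ECF7A635-CB75-413E-BD32-58106F1E28DD}
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Windows Protection Suite] "c:\documents and settings\all users\application data\04c6b1b\WI04c6.exe" /s /d
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
2009-08-26 11:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-23 12:37 <DIR> --dsh--- c:\docume~1\troy\applic~1\Windows Protection Suite
2009-08-23 12:37 <DIR> --dsh--- c:\docume~1\alluse~1\applic~1\04c6b1b
"""

# DDS line shapes: Security Center products, Run-key entries, "Created Last 30" dirs.
SEC_RE = re.compile(r"^(?P<kind>AV|FW): (?P<product>.+?) \*")
RUN_RE = re.compile(r'^[um]Run: \[(?P<name>[^\]]*)\] "?(?P<path>[^"]+?\.exe)"?', re.I)
DIR_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} <DIR> (?P<attrs>\S+) (?P<path>.+)$")
# Per-user / all-users data directories, in long and 8.3 short-name form.
APPDATA_RE = re.compile(r"\\(application data|applic~1)\\", re.I)

def find_indicators(log_text):
    """Return (reason, name_or_date, path) tuples for rogue-AV style footprints."""
    # Relies on DDS ordering: the AV:/FW: lines come before the Run entries.
    products = {}  # registered Security Center product name -> "AV" / "FW"
    findings = []
    for line in log_text.splitlines():
        m = SEC_RE.match(line)
        if m:
            products[m["product"].lower()] = m["kind"]
            continue
        m = RUN_RE.match(line)
        if m:
            if APPDATA_RE.search(m["path"]):
                # Autostart executable living in a user-writable data directory.
                findings.append(("autorun-from-appdata", m["name"], m["path"]))
                if m["name"].lower() in products:
                    # The product Security Center trusts as AV/FW is that same executable.
                    findings.append(("registered-av-from-appdata", m["name"], m["path"]))
            continue
        m = DIR_RE.match(line)
        if m and "h" in m["attrs"] and "s" in m["attrs"] and APPDATA_RE.search(m["path"]):
            # Recently created hidden+system directory under Application Data.
            findings.append(("hidden-system-dir", m["date"], m["path"]))
    return findings

if __name__ == "__main__":
    for reason, who, path in find_indicators(DDS_EXCERPT):
        print(f"{reason:28} {who:24} {path}")
```

Run against the full log above, the same checks also pick up the WINSPSys directory created at 12:37 on 2009-08-23; legitimate entries such as ctfmon.exe and the Malwarebytes install are not flagged.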


#2 mrsthumper

  • Topic Starter
  • Members
  • 2 posts

Posted 31 August 2009 - 08:14 AM

Please close.

Fifth time is a charm: after running the Malwarebytes program one final time, it was able to remove the problems.

#3 Orange Blossom

  • OBleepin Investigator
  • Moderator
  • 36,947 posts

Posted 04 September 2009 - 12:41 PM

Hello

Thank you for letting us know. I'm glad that your computer problems have been fixed. Since this issue seems to be resolved, this thread will now be closed.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom