Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

need help removing Protection System


  • This topic is locked This topic is locked
9 replies to this topic

#1 tsoaf

tsoaf

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:03:54 AM

Posted 15 September 2009 - 10:52 PM

Hello! I have visited the site before and have browsed through the topics and easily removed virus. This time I have this pesky Protection System virus that keeps on appearing after I have scanned using Malware. I also keep getting Security Center Alerts telling me about trojans such as Rootkit.Win32.Agent.pp and it gives me an option to enable protection but have decided not to mess with anything like that. I hope someone can help me please. THANK YOU!


I will paste my MalWare log.


Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

9/15/2009 7:21:32 PM
mbam-log-2009-09-15 (19-21-32).txt

Scan type: Full Scan (C:\|)
Objects scanned: 200701
Time elapsed: 1 hour(s), 12 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{5e2121ee-0300-11d4-8d3b-444553540000} (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\protection system (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\protection system (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5e2121ee-0300-11d4-8d3b-444553540000} (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Protection System\psystem.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wingenocx.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\Installer.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\core.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\coreext.dll (Rogue.ProtectionSystem) -> Delete on reboot.
c:\program files\protection system\firewall.dll (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\help.ico (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\program files\protection system\uninstall.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\protection system\Protection System Support.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\protection system\Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\protection system\Uninstall Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SKYNETlog.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:54 AM

Posted 17 September 2009 - 05:48 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 tsoaf

tsoaf
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:03:54 AM

Posted 18 September 2009 - 12:56 PM

Hi Sam. thank you for the response.
After 2 tries of trying to download Combofix from the first link because my computer would freeze, i used link 2 and downloaded it. I will post the results from that in a bit.

#4 tsoaf

tsoaf
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:03:54 AM

Posted 18 September 2009 - 01:08 PM

i have tried running ComboFix from my desktop but it has not loaded up the program. it just asks if i want to run the program and I click run and nothing happens. In my task manager it does show it is running but for the last 5 minutes nothing else has loaded up.

#5 tsoaf

tsoaf
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:03:54 AM

Posted 18 September 2009 - 04:52 PM

Sorry i had to rename the program in order for it to run. but its done and log is attatched.

ComboFix 09-09-18.01 - Pepe 09/18/2009 13:05.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.152 [GMT -7:00]
Running from: c:\documents and settings\Pepe\Desktop\ComboFi.exe
AV: Verizon Internet Security Suite Anti-Virus *On-access scanning disabled* (Outdated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Verizon Internet Security Suite Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Protection System
c:\windows\system32\drivers\SKYNETpnbowkeg.sys
c:\windows\system32\drivers\UACsrskducbey.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\Process.exe
c:\windows\system32\SKYNETbabutfmu.dat
c:\windows\system32\SKYNETfjpyfqyw.dll
c:\windows\system32\SKYNETknmqsyek.dll
c:\windows\system32\SKYNETlog.dat
c:\windows\system32\SKYNETqjwdsixa.dll
c:\windows\system32\SKYNETulkyxwww.dat
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\uacinit.dll
c:\windows\system32\UAClthwvrigfl.dll
c:\windows\system32\UACmplidababo.dll
c:\windows\system32\UACmtbqqhxlvm.dat
c:\windows\system32\UACqvppxeuwno.dll
c:\windows\system32\UACxjxjotfqrs.log
c:\windows\system32\UACyxkrjlawvi.dll
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\wingenocx.dll
c:\windows\system32\WS2Fix.exe
c:\windows\system32\ygsuhdf83id.dll
c:\windows\Temp\1503070884.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETubrdyprr
-------\Legacy_SKYNETubrdyprr
-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_NWCWORKSTATION
-------\Service_NWCWorkstation


((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.

2009-09-18 02:09 . 2009-09-18 02:09 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-17 05:41 . 2009-09-17 05:41 -------- d-----w- C:\db59e0524fe0aecacffb0ca4
2009-09-14 19:42 . 2009-09-14 19:42 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-09-14 19:42 . 2009-09-14 19:42 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-09-14 01:09 . 2009-09-14 01:09 -------- d-----w- c:\program files\Common Files\Real
2009-09-14 01:05 . 2009-09-14 01:09 -------- d-----w- c:\program files\V CAST Music with Rhapsody
2009-09-14 00:57 . 2009-09-14 00:57 -------- d-----w- c:\program files\LG Electronics
2009-09-14 00:57 . 2007-04-09 16:56 21248 ----a-w- c:\windows\system32\drivers\lgusbdiag.sys
2009-09-14 00:57 . 2007-04-09 16:55 22912 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys
2009-09-14 00:57 . 2007-04-09 16:53 12672 ----a-w- c:\windows\system32\drivers\lgusbbus.sys
2009-09-10 06:52 . 2009-09-10 06:52 -------- d-----w- c:\program files\NortonInstaller
2009-09-10 06:52 . 2009-09-10 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-09-04 20:17 . 2009-09-04 20:17 447216 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
2009-09-04 20:16 . 2009-09-04 20:16 58592 ----a-w- c:\windows\system32\ZuneBusEnum.exe
2009-09-02 07:29 . 2009-09-02 07:29 74240 ----a-w- c:\windows\system32\ZuneUsbTransport.dll
2009-09-02 07:29 . 2009-09-02 07:29 57344 ----a-w- c:\windows\system32\ZuneRegUtil.dll
2009-09-02 07:29 . 2009-09-02 07:29 18944 ----a-w- c:\windows\system32\ZuneTcp2Udp.dll
2009-09-02 07:29 . 2009-09-02 07:29 12800 ----a-w- c:\windows\system32\ZunePTDNS.dll
2009-09-02 07:29 . 2009-09-02 07:29 310784 ----a-w- c:\windows\system32\ZuneNetProxy.dll
2009-09-02 07:29 . 2009-09-02 07:29 147456 ----a-w- c:\windows\system32\ZuneMTPZ.dll
2009-09-02 07:28 . 2009-09-02 07:28 40832 ----a-w- c:\windows\system32\drivers\zumbus.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-18 20:29 . 2008-12-16 06:57 26208032 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-18 20:29 . 2007-12-19 23:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-18 20:28 . 2008-12-16 06:57 813600 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-09-18 20:24 . 2008-12-16 06:57 77300 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-09-18 20:24 . 2008-12-16 06:57 351980 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-17 05:41 . 2009-09-17 05:41 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_09_00.Wdf
2009-09-17 00:14 . 2008-08-26 04:32 -------- d-----w- c:\program files\Zune
2009-09-17 00:07 . 2009-09-17 00:07 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01009.Wdf
2009-09-17 00:07 . 2009-09-17 00:07 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2009-09-15 02:20 . 2008-03-12 04:30 -------- d-----w- c:\program files\Norton Security Scan
2009-09-15 02:14 . 2007-12-08 05:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-14 21:25 . 2009-07-31 21:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-14 01:09 . 2009-09-14 01:09 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-09-10 23:04 . 2008-07-15 05:25 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 06:52 . 2007-12-08 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-10 03:47 . 2008-01-15 06:11 -------- d-----w- c:\program files\Lx_cats
2009-08-27 22:04 . 2009-03-31 20:41 -------- d-----w- c:\documents and settings\Pepe\Application Data\uTorrent
2009-08-17 19:37 . 2009-08-17 19:37 1837296 ----a-w- c:\windows\system32\WUDFUpdate_01009.dll
2009-08-17 19:37 . 2009-08-17 19:37 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2009-08-14 13:58 . 2009-09-16 03:22 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 03:16 . 2008-09-20 02:43 -------- d-----w- c:\program files\NCH Software
2009-08-04 01:49 . 2009-08-04 01:48 -------- d-----w- c:\program files\Windows Defender
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 17:35 . 2006-11-02 15:22 444136 ------w- c:\windows\system32\drivers\wdf01000.sys
2009-07-14 17:35 . 2006-11-02 15:22 37608 ------w- c:\windows\system32\drivers\wdfldr.sys
2009-07-14 06:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 01:16 . 2006-09-29 04:13 39936 ------w- c:\windows\system32\WUDFCoinstaller.dll
2009-07-14 01:16 . 2006-09-29 02:56 567808 ------w- c:\windows\system32\WUDFx.dll
2009-07-14 01:16 . 2006-09-29 02:56 64512 ------w- c:\windows\system32\WudfSvc.dll
2009-07-14 01:14 . 2006-09-29 02:56 195584 ------w- c:\windows\system32\WudfHost.exe
2009-07-13 23:50 . 2006-09-29 03:00 132224 ------w- c:\windows\system32\drivers\WudfRd.sys
2009-07-13 23:50 . 2006-09-29 02:56 148480 ------w- c:\windows\system32\WudfPlatform.dll
2009-07-13 23:50 . 2006-09-29 02:55 91904 ------w- c:\windows\system32\drivers\WudfPf.sys
2009-07-13 20:36 . 2009-07-31 21:34 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 20:36 . 2009-07-31 21:34 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-07 344064]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-22 129536]
"LXCECATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2005-07-20 73728]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-22 136600]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2008-10-21 2303216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"LXCTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-06-07 106496]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2009-09-04 158448]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-5-16 805392]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 09:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Pepe^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\documents and settings\Pepe\Start Menu\Programs\Startup\IMVU.lnk
backup=c:\windows\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Documents and Settings\\Pepe\\Desktop\\Unused Desktop Shortcuts\\utorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Zune\\Zune.exe"=

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [3/20/2009 10:15 PM 55152]
R2 fsssvc;Windows Live Protección Infantil;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [12/7/2007 8:44 PM 88192]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/31/2009 2:34 PM 38160]
S3 Radialpoint Security Services;Verizon Internet Security Suite;c:\program files\Verizon\Verizon Internet Security Suite\RpsSecurityAwareR.exe [10/24/2008 7:49 PM 96496]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 5:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 5:28 PM 369688]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2009-09-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2009-09-12 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-09-10 03:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mx.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Pepe\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: zune.net
FF - ProfilePath - c:\documents and settings\Pepe\Application Data\Mozilla\Firefox\Profiles\4p30w1dq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://mx.search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://mx.search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-Amazon MP3 Downloader - c:\program files\Amazon\MP3 Downloader\Uninstall.exe
AddRemove-LiveUpdate - c:\program files\Symantec\LiveUpdate\LSETUP.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-18 13:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCECATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
LXCTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e6,11,aa,31,0b,35,ac,44,bf,e7,5c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e6,11,aa,31,0b,35,ac,44,bf,e7,5c,\

[HKEY_USERS\S-1-5-21-682003330-606747145-2146964071-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a3,46,1a,78,a9,dc,ea,81,e1,c6,dd,5e,44,2a,56,32,ae,6a,a5,a9,35,1a,1a,
1c,e1,35,1f,f1,95,ff,8a,60,b4,16,3b,11,b7,61,6a,55,a1,80,47,ad,eb,24,6b,48,\
"??"=hex:34,16,5f,25,9b,d1,98,7d,d3,ae,b9,32,a9,8f,2c,dc
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1272)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(4532)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Verizon\Verizon Internet Security Suite\Fws.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\scardsvr.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Verizon\Verizon Internet Security Suite\RPS.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxctcoms.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\Raxco\PerfectDisk\PDAgent.exe
c:\program files\Verizon\VSP\VerizonServicepointComHandler.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Zune\ZuneNss.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\windows\system32\lxcecoms.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2009-09-18 13:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-18 20:36

Pre-Run: 865,071,104 bytes free
Post-Run: 2,175,074,304 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

337 --- E O F --- 2009-09-18 02:11

Attached Files


Edited by Buckeye_Sam, 19 September 2009 - 04:19 PM.


#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:54 AM

Posted 19 September 2009 - 04:24 PM

Please copy and paste logs directly into your post instead of attaching them.


Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Let me know how your computer is behaving now.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 tsoaf

tsoaf
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:03:54 AM

Posted 20 September 2009 - 06:46 PM

oh. my computer has been a bit slot but i think it has to do with me not having enough memory haha. here is my log.

Malwarebytes' Anti-Malware 1.41
Database version: 2832
Windows 5.1.2600 Service Pack 3

9/20/2009 4:34:47 PM
mbam-log-2009-09-20 (16-34-47).txt

Scan type: Full Scan (C:\|)
Objects scanned: 193443
Time elapsed: 1 hour(s), 17 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETfjpyfqyw.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETqjwdsixa.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UAClthwvrigfl.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmplidababo.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wingenocx.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACsrskducbey.sys.vir (Trojan.TDSS.T) -> Quarantined and deleted successfully.

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:54 AM

Posted 21 September 2009 - 04:11 PM

Looks pretty good. That scan only turned up items that we've already quarantined with combofix.

In order to speed things up a bit for you, especially if you're light on memory, use msconfig to control your startup items. These are some that I see running automatically at startup that aren't necessary.

"YSearchProtection"
"msnmsgr"
"RegistryMechanic"
"YBrowser"
"Adobe Reader Speed Launcher"
"SunJavaUpdateSched"
"QuickTime Task"
"Windows Defender"
"Zune Launcher"
Microsoft Office.lnk



You can also take a look at this page for some other suggestions.

http://users.telenet.be/bluepatchy/miekiem...owcomputer.html




We need to remove Combofix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • Posted Image



==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:( :(
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 tsoaf

tsoaf
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:03:54 AM

Posted 21 September 2009 - 08:41 PM

i see. well thank you very much for all the help! i appreciate it. :(

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:54 AM

Posted 22 September 2009 - 02:40 PM

I'm glad I could help you out! :(

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users