
Security Tool Infection


This topic is locked
2 replies to this topic

#1 zmorri

zmorri

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:31 PM

Posted 07 October 2009 - 12:10 PM

My computer has recently been infected with the Security Tool malware. I tried running both Malwarebytes and various other products, but the virus prevented them from running. I had to resort to safe mode to even be able to run RootRepeal and HijackThis. I have been infected by malware in the past but was able to remove it manually with Malwarebytes.


DDS (Ver_09-09-29.01) - NTFSx86 NETWORK
Run by Administrator at 12:53:52.34 on Wed 10/07/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.755 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\dds.scr

============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\norton antivirus\engine\16.5.0.134\IPSBHO.DLL
BHO: {d12994aa-d6f8-4e23-b2d9-fe6e2be3a7a7} - c:\windows\system32\pmnnLDTL.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: SpeedRunner Bar: {cafb2180-ba09-11dc-95ff-0800200c9a66} - %SystemRoot%\system32\shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [PTHOSTTR] c:\program files\hpq\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [GoToMyPC] c:\program files\citrix\gotomypc\g2svc.exe -logon
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [68314931] c:\documents and settings\all users\application data\68314931\68314931.exe
mRun: [yovunuzor] Rundll32.exe "c:\windows\system32\lujagaje.dll",a
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?AuthParam=1238590062_2055b73b2b97598b0a40ae4be71fe359&GroupName=JSC&FilePath=/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab&File=jinstall-6u13-windows-i586-jc.cab&BHost=javadl.sun.com
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2005\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll sekunara.dll c:\windows\system32\lujagaje.dll,sukudita.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: dejovazok - {3d8be842-8775-4cd5-a194-49c500fa1295} - c:\windows\system32\fokekoga.dll
SSODL: muzemabaf - {9ae97a10-4af3-4ec6-8028-b53b5fa296f9} - c:\windows\system32\lujagaje.dll
STS: mujuzedij: {3d8be842-8775-4cd5-a194-49c500fa1295} - c:\windows\system32\fokekoga.dll
STS: kupuhivus: {9ae97a10-4af3-4ec6-8028-b53b5fa296f9} - c:\windows\system32\lujagaje.dll
LSA: Notification Packages = scecli zijotijo.dll nuwadala.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-3-23 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2009-3-23 258608]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2009-3-23 482352]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090109.001\IDSxpx86.sys [2009-1-12 274808]
S2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\norton antivirus\engine\16.5.0.134\ccSvcHst.exe [2009-3-23 115560]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-7-29 24652]
S3 EPUSBSTOR;EPSON USB Storage Driver;c:\windows\system32\drivers\epusbsto.sys [2006-9-29 17976]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090326.065\NAVENG.SYS [2009-3-27 89104]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090326.065\NAVEX15.SYS [2009-3-27 876144]
S3 QuickBooksDB19;QuickBooksDB19;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb19 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]

=============== Created Last 30 ================

2009-10-07 12:53 361,369 a------- C:\dds.scr
2009-10-07 12:49 <DIR> --d----- c:\program files\Trend Micro
2009-10-07 12:39 47,616 a------- C:\Win32kDiag.exe
2009-10-07 12:35 812,344 a------- C:\75389.exe
2009-10-07 11:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\68314931
2009-09-18 09:34 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-09-18 09:34 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-18 09:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-09-19 21:50 39,424 a--sh--- c:\windows\system32\mitilubo.dll
2009-09-19 09:12 39,424 a--sh--- c:\windows\system32\nofinano.dll
2009-09-18 21:12 52,736 a--sh--- c:\windows\system32\yufatisi.dll
2009-09-18 21:11 39,424 a--sh--- c:\windows\system32\babebavi.dll
2009-09-18 09:11 39,424 a--sh--- c:\windows\system32\mepuvufa.dll
2007-06-08 09:30 722,176 a------- c:\documents and settings\administrator\gotomypc_428.exe
2006-09-29 10:29 563,712 a------- c:\documents and settings\administrator\gotomypc_370.exe
2006-09-01 12:37 3,167,744 a------- c:\documents and settings\administrator\gosetup.exe
2009-07-07 11:06 52,224 a--sh--- c:\windows\system32\kujipayo.dll
2009-07-07 11:06 37,888 a--sh--- c:\windows\system32\lajihuga.dll
2009-01-09 13:53 3,825 a--sh--- c:\windows\system32\LTDLnnmp.ini2
2009-07-07 11:06 89,088 a--sh--- c:\windows\system32\lujagaje.dll
2009-07-07 11:06 52,224 a--sh--- c:\windows\system32\nuwadala.dll
2009-07-07 11:06 26,624 a--sh--- c:\windows\system32\pibuboho.dll
2009-07-07 11:06 52,224 a--sh--- c:\windows\system32\rozisibu.dll
2009-07-07 11:06 52,224 a--sh--- c:\windows\system32\sukudita.dll
2009-07-07 11:06 1,050,659 a--sh--- c:\windows\system32\yukosiji.exe

============= FINISH: 12:54:14.06 ===============
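The log above carries the persistence signs a malware analyst reads first: hidden+system (a--sh---) DLLs with random eight-letter names in system32, the same DLLs loaded through AppInit_DLLs, SSODL and STS entries, extra LSA Notification Packages beside scecli, and an executable run from a numeric-only folder under All Users. The script below is an added triage example, not DDS, not BleepingComputer's tooling and not anything the poster or helper wrote; it parses DDS-style section headers and flags exactly those patterns. The sample input is a short excerpt copied from the thread's log, and the two heuristics (eight lowercase letters, numeric folder name) are assumptions drawn from this log rather than general rules.

```python
import re
from collections import defaultdict

# Constructed sample: a short excerpt copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [68314931] c:\documents and settings\all users\application data\68314931\68314931.exe
mRun: [yovunuzor] Rundll32.exe "c:\windows\system32\lujagaje.dll",a
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll sekunara.dll c:\windows\system32\lujagaje.dll,sukudita.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: muzemabaf - {9ae97a10-4af3-4ec6-8028-b53b5fa296f9} - c:\windows\system32\lujagaje.dll
LSA: Notification Packages = scecli zijotijo.dll nuwadala.dll

==================== Find3M ====================

2009-09-19 21:50 39,424 a--sh--- c:\windows\system32\mitilubo.dll
2009-07-07 11:06 89,088 a--sh--- c:\windows\system32\lujagaje.dll
2009-07-07 11:06 52,224 a--sh--- c:\windows\system32\nuwadala.dll
2007-06-08 09:30 722,176 a------- c:\documents and settings\administrator\gotomypc_428.exe
"""

SECTION_HEADER = re.compile(r"^=+\s*(.+?)\s*=+$")
# DDS file listing: date, time, size (or <DIR>), eight-character attribute field, path
FILE_ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+|<DIR>) (\S{8}) (.+)$")
# Assumption taken from this log: the rogue's files are eight random lowercase letters
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(dll|exe)$")
SYSTEM32 = "c:\\windows\\system32\\"
PERSISTENCE_PREFIXES = ("urun:", "mrun:", "mrunonce:", "ssodl:", "sts:")


def parse_sections(text):
    """Split a DDS log into {section name: [non-blank lines]} using its ===== headers."""
    sections = defaultdict(list)
    current = "preamble"
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        header = SECTION_HEADER.match(line)
        if header:
            current = header.group(1)
            continue
        sections[current].append(line)
    return sections


def hidden_system_files(sections):
    """Return {basename: path} for hidden+system, random-named files under system32."""
    found = {}
    for name in ("Created Last 30", "Find3M"):
        for line in sections.get(name, []):
            entry = FILE_ENTRY.match(line)
            if not entry:
                continue
            attrs, path = entry.group(4), entry.group(5).lower()
            base = path.rsplit("\\", 1)[-1]
            if "s" in attrs and "h" in attrs and path.startswith(SYSTEM32) and RANDOM_NAME.match(base):
                found[base] = path
    return found


def suspicious_persistence(sections, hidden):
    """Flag LSA packages other than scecli, every AppInit_DLLs entry, and Run/SSODL/STS
    entries that load one of the hidden DLLs or an EXE from a numeric-only folder."""
    findings = []
    for line in sections.get("Pseudo HJT Report", []):
        low = line.lower()
        if low.startswith("lsa: notification packages ="):
            for pkg in low.split("=", 1)[1].split():
                if pkg != "scecli":
                    findings.append(("lsa_notification_package", pkg))
        elif low.startswith("appinit_dlls:"):
            for dll in re.split(r"[\s,]+", low.split(":", 1)[1].strip()):
                if dll:
                    findings.append(("appinit_dll", dll))
        elif low.startswith(PERSISTENCE_PREFIXES):
            if any(base in low for base in hidden):
                findings.append(("loads_hidden_dll", line))
            elif re.search(r"\\(\d{6,})\\\1\.exe", low):
                findings.append(("numeric_folder_exe", line))
    return findings


def triage(text):
    """Run all checks over one DDS log and return the hidden files plus the findings."""
    sections = parse_sections(text)
    hidden = hidden_system_files(sections)
    return {"hidden_files": hidden, "findings": suspicious_persistence(sections, hidden)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for base, path in sorted(result["hidden_files"].items()):
        print(f"hidden+system random-named file: {path}")
    for kind, detail in result["findings"]:
        print(f"{kind:26} {detail}")
```

On the excerpt this reports three hidden DLLs (mitilubo, lujagaje, nuwadala), the two non-scecli LSA packages, all four AppInit_DLLs entries for review (the Google Desktop one included, since AppInit is worth a look regardless), the two entries that load lujagaje.dll, and the 68314931 executable. The output is a review list, not a verdict: legitimate software also uses AppInit and SSODL, which is why the helper asks for the full log rather than scanning for names.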


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:31 AM

Posted 10 October 2009 - 06:40 PM

Hello zmorri,

I tried running both Malwarebytes, and various other products but the virus prevented them from running.

If MBAM will not run, go to the program directory of MBAM (e.g. C:\Program Files\Malwarebytes Antimalware\) then rename mbam.exe to newtool3.exe, double-click newtool3.exe to proceed in running a Full scan.

If it runs, then post the Malwarebytes log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:31 AM

Posted 15 October 2009 - 09:09 PM

Due to inactivity, this thread will now be closed.



