Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


JS/Fakealert.btq, HTML/Infected.webpage.gen, TR/crypt.xpack.gen2, TR/crypt.ulpm.gen - Internet Security 2010, PC Protector - Rogue Anti-malware

  • This topic is locked This topic is locked
8 replies to this topic

#1 skeeter1


  • Members
  • 5 posts
  • Local time:12:39 PM

Posted 01 February 2010 - 06:38 PM

My computer went haywire last night - apparently from visiting some website where warnings & alerts about viruses began popping up. I must have inadvertently clicked on the wrong *something* since it appears viruses have gotten through in droves.

Thought we had Antivirus protection, but upon inspection it appears that "Trend Micro" was installed, but seems to have been deactivated... Not sure how this occurred, but it probably means we've been without antivirus protection for awhile.

Decided to switch to Avira based on ratings, so went to uninstall Trend Micro, BUT it req's a password we don't have access to. Long story... So given that it launches but does not appear to be scanning, we left it alone.

I Installed Avira last night - which seems to have detected *some* of the viruses but has been useless in removing or repairing them. Here's what it found:

  • JS/Fakealert.btq
  • HTML/infected.webpage.gen (spawned in various locations)
  • TR/crypt.xpack.gen2 - trojan
  • TR/crypt.ulpm.gen
  • - Fake alerts warning of infection, unauthorized download & install of Internet Security 2010 - rogue antimalware
  • - Unauthorized download and install of Your PC Protector - rogue antimalware
  • - Google searches hijacked when trying to search for help with viruses
  • - Background is hijacked and turned into one of two things:
  • - green background with big virus warning text box
  • - a fake 'windows' notification that my active desktop needs to be recovered and an invitation to click a box to restore it
  • - Spawns spoof windows text balloons in the taskbar warning me about virus detection and inviting me to click to download content
  • - Spawns many fake windows warnings - some of which won't allow closing, and must be moved aside to continue working. See list below.
  • - Kills Ad Aware scan & reboots computer with no warning
  • - Kills Malwarebyte scan & reboots computer with no warning
  • - Task Manager button is **greyed out**when I ctr-alt-del to attempt to shut down the Rogue program
  • - Warning application cannot be executed. The file is infected. Please activate your antivirus software.
  • - Attention! System detected a potential hazard (TrojanSPM/LX) on your computer that may infect executable files. You private information and PC safety is at risk. To get rid of unwanted spyware and keep your computer safe you need update your current security software. Click OK to download official intrusion detection system (IDS software)
  • - System warning! Continue in unprotected mode is vary dangerous. Viruses can damage your confidential data and work on your computer. Click here to...
  • - Click here to protect your computer... (closes too fast to get all the text)
    - Uninstall Trend Micro & install Avira - but could not uninstall Trend Micro due to lack of password
    - Scanned with Avira - and viruses were detected - but the actions did not clear up the virus
    - Followed steps on Bleepingcomputer.com to prepare for help, including activating firewall, etc.
    - Begain following the steps on Bleepingcomputer.com to uninstall IS 2010 but in the middle of the Malwarebytes scan the computer rebooted. Prior to reboot the scan had identified at least 43 instances of infection (ugh)
    - Tried to install and scan with Ad Aware - but scan was killed & computer rebooted
THANK YOU in advance for your help!!!!!!!
DDS Results:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 14:11:56.53 on Mon 02/01/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.378 [GMT -8:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\PFU\ScanSnap\PDF Thumbnail View\pdfquickview.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1169657648\ee\AOLSoftware.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\InternetSecurity2010\IS2010.exe
C:\Documents and Settings\Administrator.ASSISTANTLAPTOP\Local Settings\Application Data\Google\Update\\GoogleCrashHandler.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\PolderbitS\Recorder\Driver\PBDriverMonitor_uk.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Documents and Settings\Administrator.ASSISTANTLAPTOP\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.netflix.com/MemberHome
mWinlogon: Userinit=c:\windows\system32\winlogon32.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: ADC PlugIn: {77dc0baa-3235-4ba9-8be8-aa9eb678fa02} - c:\program files\adc32.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
TB: pdfMachine: {56cf4856-ecb4-4e46-a897-a378821f97b9} - c:\windows\system32\bgstb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\administrator.assistantlaptop\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [smss32.exe] c:\windows\system32\smss32.exe
uRun: [Internet Security 2010] c:\program files\internetsecurity2010\IS2010.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Pdfquickview] c:\program files\pfu\scansnap\pdf thumbnail view\pdfquickview.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HostManager] c:\program files\common files\aol\1169657648\ee\AOLSoftware.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [eFax 4.3] "c:\program files\efax messenger 4.3\J2GDllCmd.exe" /R
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [bgsmsnd.exe] c:\windows\system32\spool\drivers\w32x86\3\bgsmsnd.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [net] "c:\windows\system32\net.net"
mRun: [smss32.exe] c:\windows\system32\smss32.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\polder~1.lnk - c:\program files\polderbits\recorder\driver\PBDriverMonitor_uk.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
LSP: c:\windows\system32\helper32.dll
LSP: c:\windows\system32\betsp.dll
Trusted Zone: buy-internet-security10.com
Trusted Zone: is-soft-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: buy-internet-security10.com
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://exchange.nobullmortgage.com:4343/officescan/console/ClientInstall/WinNTChk.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} - hxxps://exchange.nobullmortgage.com:4343/officescan/console/ClientInstall/setupini.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://exchange.nobullmortgage.com:4343/officescan/console/ClientInstall/setup.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://www.taylorbeanonline.com/scriptx/smsx.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkID=39204
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15.cab
DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} - hxxp://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxps://exchange.nobullmortgage.com:4343/officescan/console/html/AtxEnc.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} - hxxps://vpn.whitepages.com/postauthI/epi.cab
DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://exchange.nobullmortgage.com:4343/officescan/console/ClientInstall/RemoveCtrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240075181859
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185403106187
DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F127} - hxxp://www.swiftview.com/product/public/svinstall_green.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {944713E8-1F29-42D9-ABD5-557728B9AC97} - hxxps://ilnet.wellsfargo.com/ilonline/hmUpload/ptclickloanwf.cab
DPF: {A2EBA59E-C601-4AE3-900B-6B61F29500BE} - hxxps://widow1.factualdata.com/ocx/print3.ocx
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} - hxxps://www.clickloan.com/CAB/PtClickLoan/1,0,0,12/PtClickLoan.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Hosts: HP0018715EA255
Hosts: Xdrive

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1.ass\applic~1\mozilla\firefox\profiles\1gpps4kv.default\
FF - plugin: c:\documents and settings\administrator.assistantlaptop\local settings\application data\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-30 64288]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-30 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-30 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-30 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-29 56816]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXPFlt.sys [2007-10-29 202768]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2007-10-29 35856]
R3 PbsAuDrv;PolderbitS Audio Driver;c:\windows\system32\drivers\pbsaudrv.sys [2009-6-14 110624]
S2 AdbUpd;Adobe Update Service;c:\program files\svchost.exe [2010-2-1 37376]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-2-1 38224]

=============== Created Last 30 ================

2010-02-01 21:17:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-01 21:17:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-01 21:17:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-01 20:58:06 0 d-----w- c:\program files\schtml
2010-02-01 20:53:45 958464 ----a-w- c:\program files\adc32.dll
2010-02-01 20:53:45 43520 ----a-w- c:\program files\alggui.exe
2010-02-01 20:53:43 36 ----a-w- c:\program files\skynet.dat
2010-02-01 20:53:37 4 ----a-w- c:\program files\wp3.dat
2010-02-01 20:53:36 56 ----a-w- c:\program files\wp4.dat
2010-02-01 20:53:36 37376 ----a-w- c:\program files\svchost.exe
2010-02-01 20:53:27 0 d-----w- c:\program files\Your PC Protector
2010-02-01 19:08:21 0 d-----w- c:\docume~1\admini~1.ass\applic~1\Malwarebytes
2010-02-01 19:08:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-01 18:31:15 0 d-----w- c:\program files\InternetSecurity2010
2010-02-01 17:25:18 0 d-sh--w- c:\documents and settings\administrator.assistantlaptop\IECompatCache
2010-01-31 01:40:20 0 ----a-w- c:\windows\system32\14771.exe
2010-01-31 01:20:16 0 ----a-w- c:\windows\system32\21726.exe
2010-01-31 01:00:09 0 ----a-w- c:\windows\system32\5447.exe
2010-01-31 00:40:05 0 ----a-w- c:\windows\system32\19895.exe
2010-01-31 00:20:01 0 ----a-w- c:\windows\system32\19718.exe
2010-01-30 23:59:58 0 ----a-w- c:\windows\system32\18716.exe
2010-01-30 23:39:54 0 ----a-w- c:\windows\system32\17421.exe
2010-01-30 23:19:51 0 ----a-w- c:\windows\system32\12382.exe
2010-01-30 22:59:44 0 ----a-w- c:\windows\system32\292.exe
2010-01-30 22:39:41 0 ----a-w- c:\windows\system32\153.exe
2010-01-30 22:19:38 0 ----a-w- c:\windows\system32\3902.exe
2010-01-30 21:59:36 0 ----a-w- c:\windows\system32\14604.exe
2010-01-30 21:39:32 0 ----a-w- c:\windows\system32\32391.exe
2010-01-30 21:19:29 0 ----a-w- c:\windows\system32\5436.exe
2010-01-30 20:59:25 0 ----a-w- c:\windows\system32\4827.exe
2010-01-30 20:39:23 0 ----a-w- c:\windows\system32\11942.exe
2010-01-30 20:19:20 0 ----a-w- c:\windows\system32\2995.exe
2010-01-30 19:59:17 0 ----a-w- c:\windows\system32\491.exe
2010-01-30 19:39:13 0 ----a-w- c:\windows\system32\9961.exe
2010-01-30 19:19:10 0 ----a-w- c:\windows\system32\16827.exe
2010-01-30 18:59:07 0 ----a-w- c:\windows\system32\23281.exe
2010-01-30 18:39:04 0 ----a-w- c:\windows\system32\28145.exe
2010-01-30 18:33:10 0 d-----w- c:\program files\Avira
2010-01-30 18:33:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-01-30 18:18:53 0 ----a-w- c:\windows\system32\5705.exe
2010-01-30 11:35:36 0 ----a-w- c:\windows\system32\24464.exe
2010-01-30 10:44:51 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-30 08:30:26 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-30 08:24:50 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-30 07:44:38 0 ----a-w- c:\windows\system32\26962.exe
2010-01-30 07:24:31 0 ----a-w- c:\windows\system32\29358.exe
2010-01-30 07:04:27 0 ----a-w- c:\windows\system32\11478.exe
2010-01-30 06:44:24 0 ----a-w- c:\windows\system32\15724.exe
2010-01-30 06:24:21 0 ----a-w- c:\windows\system32\19169.exe
2010-01-30 06:04:19 0 ----a-w- c:\windows\system32\26500.exe
2010-01-30 05:44:16 0 ----a-w- c:\windows\system32\6334.exe
2010-01-30 05:24:12 0 ----a-w- c:\windows\system32\18467.exe
2010-01-30 05:10:05 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-30 04:56:23 0 ----a-w- c:\windows\system32\41.exe
2010-01-30 04:56:19 29184 ----a-w- c:\windows\system32\helper32.dll
2010-01-30 04:56:07 39424 ----a-w- c:\windows\system32\winlogon32.exe
2010-01-30 04:56:07 39424 ----a-w- c:\windows\system32\smss32.exe
2010-01-30 04:10:54 42496 ----a-w- C:\kkalf.exe
2010-01-30 04:10:54 16384 ----a-w- C:\duehpow.exe
2010-01-18 02:08:10 3283 ----a-w- c:\windows\system32\wbem\Outlook_01ca97e3151165b4.mof
2010-01-14 00:06:37 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-02-01 20:53:42 9 ----a-w- c:\program files\nuar.old
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2006-04-06 16:36:29 56 --sha-r- c:\windows\system32\4CE3DBECF2.sys
2008-02-02 01:43:22 1838 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 14:13:49.35 ===============

Attached Files

Edited by Orange Blossom, 01 February 2010 - 07:49 PM.
Board glitch. ~ OB

BC AdBot (Login to Remove)


#2 thewall


  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:39 PM

Posted 03 February 2010 - 10:47 PM

Hello skeeter1 smile.gif Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.

I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond the your topic and facilitate the cleaning of your machine.

Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

I need for you to perform another scan for me.

Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.

    Click the image to enlarge it

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in reply.

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

If GMER does not want to run add the following to those that you unchecked and try it again:

  • Registry
  • Files

Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.



If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 skeeter1

  • Topic Starter

  • Members
  • 5 posts
  • Local time:12:39 PM

Posted 04 February 2010 - 12:29 PM

Hi Wall -
Thanks for your help!
This morning when I tried to get onto the internet with the infected laptop, I was not able to successfully reach any webpage. Avira kept interrupting with repeated, continuous warnings of unwanted programs. The files it's flagging are as follows:

- Windows\system32\smss32.exe is the TR/Dldr.fakeav.nlc trojan
- Program Files\InternetSecurity2010\IS2010.exe
- There are multiple others but too many to list...

At this point, most browser functions are disabled. It is pretty much just saying it cannot display a webpage, and any attempt to navigate to a site is met with Avira popups and subsequent non-responsiveness from the browser.

I imagine my next option would be to put that GMER .exe file on a memory stick and run it that way...but I am hesitant to do so in case you advise me otherwise. Will my memory stick be infected after I use it in this machine? Is there another way you recommend approaching this?

Let me know what I should do. Thanks!!!!

#4 thewall


  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:39 PM

Posted 04 February 2010 - 12:51 PM

Yes, your memory stick can get infected when put into an infected machine. If you insert it into a clean machine you have to hold the shift key down before doing so...this disables the autorun feature which is used to exploit the clean machine. If you do this you will probably want to reformat it unless you have a bunch of stored stuff you don't want to lose.

However the idea of trying to run GMER from a flash drive is a good one. If you can successfully do so pay attention to what the log shows. Some people are having problems with saving the log due to some new infections. Look to see if there are any lines with Max++ in them or toward the end of the log if it says anything about atapi.sys looking like there may be a suspicious modification.

If you need anymore info just let me know.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 skeeter1

  • Topic Starter

  • Members
  • 5 posts
  • Local time:12:39 PM

Posted 04 February 2010 - 09:10 PM

One more quick question before I do this step...
My husband can get a copy of Windows 7 from a MSFT friend, and he was wondering whether we could eliminate the viruses by installing the new OS? He said he thought there was a way to opt to wipe the disk while you were installing... and we have fairly recent backups of the data from this machine so we wouldn't risk losing much in that regard. We mainly use this laptop for web & email. Your advice would be extremely valuable since I don't know if we'd just be messing up a *new* OS with the old viruses... and while he seems optimistic about it, he doesn't really know either... ;)
Thanks soooooo much!!!

#6 thewall


  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:39 PM

Posted 04 February 2010 - 10:11 PM

This may be your easiest route if you want to go that way. It will involve reformatting and then installing the new OS. After that you can reinstall what you saved. The only question I would have and I don't really know the answer is if there would be any issue with installing the backups made from an XP onto Windows 7. You can ask over in either our XP or Windows 7 forum and they should be able to help you. Just let me know which way you want to go.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#7 skeeter1

  • Topic Starter

  • Members
  • 5 posts
  • Local time:12:39 PM

Posted 05 February 2010 - 06:12 PM

I think we'll go ahead with this option - reformatting & installing a new OS. Technically we don't really need to reinstall the old content since it's available on another machine on our home network. It doesn't need to be local.

I haven't seen any problems on our other machines but I have wondered if these viruses try to attack thru the network... I haven't taken the infected machine off since I figured any damage it would try to do would have already been done. And it connects to the internet thru the network so I've kind of needed it... but let me know if you think any additional quarantine action is wise while we work on getting the new OS installed...

Thanks so much for your advice. What a cool resource this site is. I've certainly been in a position where reinstalling an OS would not have been an option - and this site and your help would be invaluable in that case. Even now having you confirm that the new OS is a good way to go is very reassuring.

Keep up the great work and thanks for your time.

#8 thewall


  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:39 PM

Posted 05 February 2010 - 07:12 PM

You are very welcome and I believe to be on the safe side I would run something like MalwareBytes on the other computers. If it is clean and you are not experiencing any other issues you should be alright. I'll post some instructions for doing so and if you want to post them back if they show signs of infection I'll be glad to take a look.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#9 thewall


  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:39 PM

Posted 09 February 2010 - 08:34 PM

Since this issue appears to be resolved ... this Topic has been closed.

If your the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users