Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with defense center


  • This topic is locked This topic is locked
6 replies to this topic

#1 jsman

jsman

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:24 AM

Posted 11 July 2010 - 02:26 PM

Defense center shuts down computer just before GMER scan finishes scanning window files. I had to stop the scan in windows and copy at that point. I also have no program bar on bottom of desktop.
DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 9:48:43.31 on Sun 07/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.608 [GMT -4:00]

AV: Defense Center *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

e:\windows\system32\svchost -k dcomlaunch
svchost.exe
e:\windows\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\RegCure\RegCure.exe
E:\DOCUME~1\Owner\LOCALS~1\Temp\AUTMGR32.EXE
E:\WINDOWS\system32\BacsTray.exe
svchost.exe
E:\Program Files\Java\jre6\bin\jqs.exe
e:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
E:\DOCUME~1\Owner\LOCALS~1\Temp\wscsvc32.exe
E:\Program Files\Common Files\Java\Java Update\jusched.exe
E:\Program Files\Messenger\MSMSGS.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
e:\windows\system32\svchost.exe -k imgsvc
E:\WINDOWS\System32\ups.exe
E:\WINDOWS\system32\ctfmon.exe
E:\WINDOWS\System32\igfxtray.exe
E:\DOCUME~1\Owner\LOCALS~1\Temp\AUTMGR32.EXE
E:\Program Files\Common Files\Java\Java Update\jucheck.exe
E:\DOCUME~1\Owner\LOCALS~1\Temp\AUTMGR32.EXE
E:\Program Files\Internet Explorer\iexplore.exe
E:\DOCUME~1\Owner\LOCALS~1\Temp\AUTMGR32.EXE
E:\Program Files\Internet Explorer\iexplore.exe
E:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0AZKFRDR\dds[1].scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "e:\program files\messenger\MSMSGS.EXE" /background
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
uRun: [Defense Center] "e:\program files\defense center\defcnt.exe" -noscan
mRun: [IgfxTray] e:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] e:\windows\system32\hkcmd.exe
mRun: [bacstray] BacsTray.exe
mRun: [Intuit SyncManager] e:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Adobe Reader Speed Launcher] "e:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "e:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "e:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "e:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - e:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - e:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/RACtrl.cab
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - e:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - e:\windows\system32\mscoree.dll
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - e:\docume~1\owner\applic~1\mozilla\firefox\profiles\qygki21d.default\
FF - prefs.js: browser.startup.homepage - hxxp://netscape.aol.com/?error=16&siteId=vnscpenusmail&authLev=2&siteState=OrigUrl%253Dhttp%25253a%25252f%25252fncmail.netscape.com%25252f_cqr%25252fvllogin.adp%2526RefUrl%253Dhttp%25253a%25252f%25252fwp.netscape.com%25252fnetcenter%25252fmail%25252findex.html&lang=en&locale=us&uitype=std
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - e:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
e:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
e:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
e:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
e:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
e:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
e:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
e:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
e:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
e:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
e:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
e:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============


============== File Associations ===============

.exe=secfile

=============== Created Last 30 ================

2010-07-11 13:47:57 0 ----a-w- e:\documents and settings\owner\defogger_reenable
2010-07-10 16:41:28 0 d-----w- e:\program files\Defense Center
2010-07-10 15:53:21 664 ----a-w- e:\windows\system32\d3d9caps.dat
2010-07-09 23:40:55 0 d-----w- e:\docume~1\owner\applic~1\Malwarebytes
2010-07-09 21:24:51 38224 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2010-07-09 21:24:50 20952 ----a-w- e:\windows\system32\drivers\mbam.sys
2010-07-09 21:24:50 0 d-----w- e:\program files\Malwarebytes' Anti-Malware
2010-07-09 21:24:50 0 d-----w- e:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-01 15:28:43 0 d-----w- E:\Netgear

==================== Find3M ====================

2010-05-06 10:41:53 916480 ----a-w- e:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- e:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- e:\windows\system32\atmfd.dll
2010-02-25 16:29:35 245760 --sha-w- e:\windows\system32\config\systemprofile\ietldcache\index.dat
2010-02-25 16:29:35 32768 --sha-w- e:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010021520100222\index.dat
2010-02-25 16:29:35 32768 --sha-w- e:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010022520100226\index.dat

============= FINISH: 9:49:10.87 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:24 AM

Posted 11 July 2010 - 05:00 PM

Good evening. smile.gif

Your logs show no security programs installed, either anti-virus or third-party firewall. Can you tell me how long this has been the case.

So long, and thanks for all the fish.

 

 


#3 jsman

jsman
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:24 AM

Posted 13 July 2010 - 10:22 AM

I have never had security software or third party firewalls. But I will now!

Also I finally got GMER scan to run to completion and will attach to this reply.

Attached Files

  • Attached File  ark.txt   14.62KB   1 downloads


#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:24 AM

Posted 13 July 2010 - 01:46 PM

Good evening. smile.gif

Given the amount of time that this has been the case, the best suggestion I can offer is to back up any important files and then reformat and reinstall Windows.
It is going to be impossible to guarantee a clean computer at the end of the removal process, which makes it something of a non-starter in the first place. The possibility that legitimate files may have been infected or corrupted by the malware present on your PC, and also that security settings may have been lowered making your computer more liable to infection in the future, means that starting over is the easiest and most reliable solution to your problems.
You also need to be aware of the risk of identity theft if you have accessed bank accounts with this computer or shopped online. Keylogging software could have recorded details of these actions and a lack of an effective firewall means that there is nothing to stop this information being sent home. If this does apply to you, i'd monitor your accounts and perhaps consider getting credit/debit cards, passwords etc... changed - obviously not using this PC!
Should you want them, I can provide links to free software that will help keep your PC malware-free in the future, but you shouldn't count on them to clean your machine as it is now.

So long, and thanks for all the fish.

 

 


#5 jsman

jsman
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:24 AM

Posted 14 July 2010 - 09:59 AM

Yes links to software would be appreciated.

Thanks

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:24 AM

Posted 14 July 2010 - 01:50 PM

Good evening. smile.gif

Choose one anti-virus from below:

AVG Free Edition: Available here.
avast! 4 Home Edition: Available here
AntiVir Personal Edition Classic : Available here

Choose one firewall from below:

Comodo Firewall Pro, available here.
PC Tools Firewall Plus, available here.
Online Armor Free, available here.

While there are other options, I have used all of the above at some time or another and managed to get on with them.

Please note that installing more than one AV or firewall at the same time can result in conflictions giving less, not more, protection - it's a no-no, so don't do it.

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.

So long, and thanks for all the fish.

 

 


#7 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:24 AM

Posted 19 July 2010 - 03:13 PM

AS this issue appears, in some small way, to have been resolved, this thread is now closed.

So long, and thanks for all the fish.

 

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users