
Defense Center keeps re-attacking computer after removal. With every attack harder to remove


  • This topic is locked
2 replies to this topic

#1 eric123123123

eric123123123

  • Members
  • 35 posts
  • OFFLINE
  • Local time:12:05 AM

Posted 30 July 2010 - 02:55 AM

OK. So I got the Defense Center virus recently and was able to easily remove it with MBAM. However, after removal, my computer would get symptoms of a virus (Google search results redirecting, random internet windows popping up), then Defense Center would just come right back after a few days of that. And it seems that it gets harder to remove it with each and every attack; for example, the most recent Defense Center attack was really hard to remove (and it seems that they get harder every time an attack happens again). When I tried to run MBAM and SUPERAntiSpyware in safe mode, for example, it gave me an error (I forgot what it said), and it also prevented me from going to malwarebytes.org or SUPERAntiSpyware's website (but I was able to visit the sites on an uninfected computer, so I know it's not because their servers are down), so I had to reinstall from CNET. It also prevented Malwarebytes from updating after I downloaded it. I finally removed it by reinstalling SUPERAntiSpyware and miraculously it passed through a loophole and was able to remove it. But now the same pattern (as I had described before) of random websites coming up is back again, and I fear in the next few days Defense Center is gonna come back and this time prevent SUPERAntiSpyware from deleting it. Please save me from these repeated attacks; it's really killing my comp's performance and is really killing me. Any help would be appreciated, thanks!
Fellow moderator Orange Blossom had told me to post logs and follow some steps, which I did. I couldn't get a GMER log as every time I ran that thing my computer got the blue screen of death and crashed. However, while GMER was running, I did see some rootkit host intrusion things or whatever and it detected a lot of stuff. But then the comp crashes. Any way to prevent GMER crashing? Because I believe it has a lot of info that could be helpful in my case. However, the DDS log is here:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Michelle at 3:42:00.18 on Fri 07/30/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.514 [GMT -4:00]
AV: Antivirus *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Free Ride Games\GPlayer.exe
C:\Program Files\ManyCam 2.4\ManyCam.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SAMSUNG\MagicKBD\PerformanceManager.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\system32\igfxext.exe
C:\Documents and Settings\Michelle\Desktop\Defogger.exe
C:\Program Files\Samsung\Samsung Update Plus\SLUTrayNotifier.exe
C:\Documents and Settings\Michelle\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.bigseekpro.com/hypercam/{40221076-25AC-454F-AD2A-BFC092496CA8}
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SMTTB2009 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\hypercam toolbar\tbcore3.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: HyperCam Toolbar: {338b4dfe-2e2c-4338-9e41-e176d497299e} - c:\program files\hypercam toolbar\tbcore3.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\michelle\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [Exetender] "c:\program files\free ride games\GPlayer.exe" /runonstartup
uRun: [ManyCam] "c:\program files\manycam 2.4\ManyCam.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [<NO NAME>]
mRun: [EDS] c:\program files\samsung\samsung eds\EDSAgent.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe
mRun: [BatteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe
mRun: [MagicKeyboard] c:\program files\samsung\magickbd\PreMKBD.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
mRun: [lxcrmon.exe] "c:\program files\lexmark 2400 series\lxcrmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 2400 series\ezprint.exe"
mRun: [LXCRCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCRtime.dll,_RunDLLEntry@16
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [yjtmfeea] c:\documents and settings\networkservice\local settings\application data\csrncickh\jisgtectssd.exe
mRun: [gyfdglco] c:\documents and settings\networkservice\local settings\application data\tuvkdwgab\jwxiyhotssd.exe
mRun: [xpmlchxb] c:\documents and settings\networkservice\local settings\application data\fomvrvimw\vcrgdqptssd.exe
mRun: [odvrlpxf] c:\documents and settings\networkservice\local settings\application data\crasrblto\vytvrnwtssd.exe
mRun: [nwxqqnyv] c:\documents and settings\networkservice\local settings\application data\afhykdvwb\ayocnnjtssd.exe
mRun: [kloolhmq] c:\documents and settings\networkservice\local settings\application data\jjjpulhrs\asbwigqtssd.exe
dRun: [Exetender] "c:\program files\free ride games\GPlayer.exe" /runonstartup
dRun: [cyvemjll] c:\documents and settings\networkservice\local settings\application data\fslmodoqx\bvrteattssd.exe
dRun: [flxrocmu] c:\documents and settings\networkservice\local settings\application data\qeqtvhqjp\xsgjfoytssd.exe
dRun: [ivibgacf] c:\documents and settings\networkservice\local settings\application data\swcumlqei\ljqfxsjtssd.exe
dRun: [yjtmfeea] c:\documents and settings\networkservice\local settings\application data\csrncickh\jisgtectssd.exe
dRun: [gyfdglco] c:\documents and settings\networkservice\local settings\application data\tuvkdwgab\jwxiyhotssd.exe
dRun: [xpmlchxb] c:\documents and settings\networkservice\local settings\application data\fomvrvimw\vcrgdqptssd.exe
dRun: [odvrlpxf] c:\documents and settings\networkservice\local settings\application data\crasrblto\vytvrnwtssd.exe
dRun: [nwxqqnyv] c:\documents and settings\networkservice\local settings\application data\afhykdvwb\ayocnnjtssd.exe
dRun: [kloolhmq] c:\documents and settings\networkservice\local settings\application data\jjjpulhrs\asbwigqtssd.exe
dRun: [Crimeqepij] rundll32.exe "c:\windows\dpvif3da.dll",Startup
dRunOnce: [19501] "c:\docume~1\networ~1\locals~1\applic~1\19501.exe" 0 22
dRunOnce: [64063] "c:\docume~1\networ~1\locals~1\applic~1\64063.exe" 0 38
StartupFolder: c:\docume~1\michelle\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: NameServer = 93.188.162.121,93.188.161.211
TCP: {584332BB-FF89-433C-808D-B481E950FF90} = 93.188.162.121,93.188.161.211
TCP: {8FB94F09-2694-42A8-B16C-C87D76C4979B} = 93.188.162.121,93.188.161.211
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
============= SERVICES / DRIVERS ===============
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-4-1 214664]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2010-2-9 58464]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2009-4-1 4300]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-4-1 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-4-1 144704]
R2 X4HSEx;X4HSEx;c:\program files\free ride games\X4HSEx.sys [2010-5-31 56352]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-1-14 30208]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-4-1 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-4-1 35272]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2009-4-1 238464]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-11 135664]
S2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2010-2-9 98304]
S2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2006-6-8 29184]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-4-1 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-4-1 40552]
S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [2006-8-1 19840]
S4 diklatg;diklatg;c:\windows\system32\drivers\kuuhrv.sys [2010-7-12 54016]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-4-1 606736]
=============== Created Last 30 ================
2010-07-30 07:01:15 0 ----a-w- c:\documents and settings\michelle\defogger_reenable
2010-07-30 05:55:26 0 d-----w- c:\docume~1\michelle\applic~1\SUPERAntiSpyware.com
2010-07-30 05:13:22 1155 ----a-w- c:\docume~1\alluse~1\applic~1\pragmamfeklnmal.dll
2010-07-30 04:40:07 0 d-----w- c:\program files\AnVi
2010-07-27 20:44:45 1024 ----a-w- c:\windows\system32\file.exe
2010-07-14 16:24:14 0 d-----w- C:\ManyCam
2010-07-13 01:47:25 0 d-----w- c:\program files\SUPERAntiSpyware
2010-07-12 23:07:29 54016 ----a-w- c:\windows\system32\drivers\kuuhrv.sys
2010-07-12 14:58:17 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-12 14:58:17 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-10 14:19:24 0 d-----w- c:\docume~1\alluse~1\applic~1\NexonUS
2010-07-09 22:56:38 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-07-09 04:18:11 49262 ----a-w- c:\windows\system32\jpicpl32.cpl
2010-07-09 04:18:09 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-07-08 23:42:44 126976 --sha-r- c:\windows\system32\igxpunn.dll
2010-07-06 01:13:40 0 ----a-w- c:\program files\extra1.dat
2010-07-04 22:56:34 0 d-----w- C:\PICTURES
2010-07-04 22:38:32 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-07-04 22:38:30 159232 ----a-w- c:\windows\system32\ptpusd.dll
==================== Find3M ====================
2010-05-17 00:21:50 53314 ------w- c:\windows\ExentInfo.exe
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
============= FINISH: 3:44:21.21 ===============
Thanks for the help, really appreciated. I am begging for help since my last comp got completely ripped apart by viruses and I don't want the same to happen with this one.
PS: I will not be able to go online for a week and respond or anything. Right now it is 3:50 AM and I have to move to a new house at 9 in the morning and won't have internet access there for at least a week. If I don't respond that doesn't mean I ditched the thread! It's because I am unable to. Please do let me bump this thread after I come back. Many thanks!!


Edited by Budapest, 05 August 2010 - 10:44 PM.
Bump Removed ~BP
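The DDS log above contains several settings that would account for the redirects and blocked updates the poster describes: a browser proxy pointing at a port on 127.0.0.1, the TCP/IP NameServer entries changed to two public addresses, run keys whose binaries sit in the NetworkService profile under random eight-letter names, a rundll32 entry loading a DLL straight out of c:\windows, and policies that disable Task Manager and turn off LUA. The Python script below, an added example that is not part of this thread and not code from the DDS tool, parses lines in DDS's pseudo-HJT format and flags those indicators. The random-name heuristics, the `expected_dns` allowlist, the `triage` function and the sample excerpt (copied from the log above) are assumptions constructed for this example; a hit is a reason for a responder to look at that line, not proof of infection.

```python
import re
from ipaddress import ip_address

# Constructed sample: lines copied from the DDS log in the post above so the
# rules can be exercised offline. Paths keep their Windows backslashes.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [yjtmfeea] c:\documents and settings\networkservice\local settings\application data\csrncickh\jisgtectssd.exe
dRun: [Crimeqepij] rundll32.exe "c:\windows\dpvif3da.dll",Startup
dRunOnce: [19501] "c:\docume~1\networ~1\locals~1\applic~1\19501.exe" 0 22
mPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
TCP: NameServer = 93.188.162.121,93.188.161.211
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-4-1 214664]
S4 diklatg;diklatg;c:\windows\system32\drivers\kuuhrv.sys [2010-7-12 54016]
"""

# Line shapes used by the DDS pseudo-HJT and services sections.
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<value>.+)$")
POLICY_RE = re.compile(r"^mPolicies-system: (?P<key>\w+) = (?P<val>\d+)")
DNS_RE = re.compile(r"^TCP: (?:NameServer|\{[0-9A-Fa-f-]+\}) = (?P<servers>[\d.,]+)$")
SERVICE_RE = re.compile(r"^[RS]\d (?P<svc>[^;]+);(?P<display>[^;]+);(?P<path>[^\[]+)\[")

# Heuristics tuned to the naming seen in this log (assumptions, not DDS rules):
# run keys of exactly eight lowercase letters or a bare number, and a driver
# whose service name is a short lowercase word and whose file is a different one.
RANDOM_RUN_KEY = re.compile(r"^(?:[a-z]{8}|\d{4,6})$")
RANDOM_SERVICE = re.compile(r"^[a-z]{5,8}$")
SERVICE_PROFILE_MARKERS = ("\\networkservice\\", "\\networ~1\\")
# Policy values that take inspection and control away from the user.
TAMPERED_POLICIES = {"DisableTaskMgr": "1", "EnableLUA": "0"}


def _proxy_hosts(value):
    """Yield the host part of each entry in a ProxyServer value like 'http=127.0.0.1:5643'."""
    for entry in value.split(";"):
        target = entry.split("=", 1)[-1]
        yield target.rsplit(":", 1)[0]


def triage(log_text, expected_dns=frozenset()):
    """Return [(line, [reasons])] for DDS lines that deserve a responder's attention."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        if m := PROXY_RE.match(line):
            for host in _proxy_hosts(m["value"]):
                try:
                    if ip_address(host).is_loopback:
                        reasons.append(f"browser proxy points at loopback ({host})")
                except ValueError:
                    pass  # hostname rather than an address; not covered by this rule
        elif m := RUN_RE.match(line):
            name, cmd = m["name"], m["cmd"].lower()
            if RANDOM_RUN_KEY.match(name):
                reasons.append("random-looking run key name")
            if any(marker in cmd for marker in SERVICE_PROFILE_MARKERS):
                reasons.append("autorun binary lives in the NetworkService profile")
            if "rundll32" in cmd and "\\system32\\" not in cmd:
                reasons.append("rundll32 loads a DLL from outside system32")
        elif m := POLICY_RE.match(line):
            if TAMPERED_POLICIES.get(m["key"]) == m["val"]:
                reasons.append(f"policy {m['key']}={m['val']} weakens user control")
        elif m := DNS_RE.match(line):
            # Private/loopback resolvers (home router, local cache) are left alone;
            # public ones must be on the allowlist the analyst supplies.
            unexpected = [s for s in m["servers"].split(",")
                          if not ip_address(s).is_private and s not in expected_dns]
            if unexpected:
                reasons.append("DNS resolvers not on the expected list: " + ", ".join(unexpected))
        elif m := SERVICE_RE.match(line):
            svc, display = m["svc"], m["display"]
            file_stem = m["path"].strip().rsplit("\\", 1)[-1].split(".")[0]
            if (svc == display and RANDOM_SERVICE.match(svc)
                    and RANDOM_SERVICE.match(file_stem) and file_stem != svc):
                reasons.append("driver with random service name and a different random file name")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run against the excerpt it flags eight lines and leaves the Google start page, the ProxyOverride, the SUPERAntiSpyware and IgfxTray run keys and the McAfee driver alone. Passing the ISP's resolvers as `expected_dns` suppresses the NameServer finding, which is the intended workflow: the list of legitimate resolvers is something the responder knows, not something the log can tell you.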



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:05 AM

Posted 07 August 2010 - 08:08 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:05 AM

Posted 12 August 2010 - 05:59 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
