Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Microsoft Security Malware


  • This topic is locked This topic is locked
4 replies to this topic

#1 Lockheed87

Lockheed87

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Holloman AFB, NM
  • Local time:09:40 AM

Posted 25 September 2010 - 08:12 AM

So far I have attempted to install/run Malwarebytes more times than I can remember, along with two other recommended software programs I founf on bleepingcomputer.com. If I install the program and attempt to update it I get the "blue screen of death", just running the program results in the program crashing 1-3 seconds into the scan. Typically after a crash I have to remove the software and reinstall it after it crashes just to open the .exe again, unless i use the power button trick(explained later) .The Rkill.exe/explore.exe version will not terminate anything, I usually have to press the power button to do a force shutdown, than run rkill to terminate the process. When I do that I can actually open up the internet and attempt to run things. Most of the time I get a message saying the task is disabled by the admin. All the same applies to safe mode... This is a rather nasty issue, I can't seem to hunt it down



DDS (Ver_10-03-17.01) - NTFSx86
Run by Jessica Rodriguez at 6:51:18.51 on Sat 09/25/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2038.1618 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\setup.exe
C:\WINDOWS\debug.exe
C:\WINDOWS\mdm.exe
C:\WINDOWS\hexdump.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\setup.exe
C:\WINDOWS\debug.exe
C:\WINDOWS\mdm.exe
C:\WINDOWS\hexdump.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
"C:\WINDOWS\System32\svchost.exe"
\\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
E:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080513
uSearch Bar = hxxp://search.bearshare.com/sidebar.html?src=ssb
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://search.bearshare.com/sidebar.html?src=ssb
uURLSearchHooks: H - No File
uWinlogon: Shell=c:\documents and settings\jessica rodriguez\application data\hotfix.exe
BHO: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - c:\program files\bearsharetb\BearShareDx.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - c:\program files\bearsharetb\BearShareDx.dll
TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Google Update] "c:\documents and settings\jessica rodriguez\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Bdurikehadeh] rundll32.exe "c:\windows\dlsvclen.dll",Startup
uRun: [uPc+MV0NK+Jsiv] rundll32.exe c:\windows\system32\d2608.dll, SystemServer
uRun: [HNUNOOXRnPuc] c:\docume~1\jessic~1\locals~1\temp\d1o6hdjtv.exe
uRun: [HNUNOOXRouqc] c:\docume~1\jessic~1\locals~1\temp\iexplarer.exe
uRun: [HNUNOOXRrg] c:\docume~1\jessic~1\locals~1\temp\smss.exe
uRun: [MKfsc] c:\windows\winlogon.exe
uRun: [MKevc] c:\windows\setup.exe
uRun: [HNUNOOXRouqc(Windows; U; Windows NT 6.0; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3] c:\docume~1\jessic~1\locals~1\temp\iexplarer.exe
uRun: [MKaoc] c:\windows\debug.exe
uRun: [MKcZ] c:\windows\mdm.exe
uRun: [MKbtc] c:\windows\hexdump.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [EarthLink Installer] " /C
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [BearShare] "c:\program files\bearshare\BearShare.exe" /pause
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [yxxa.exe] "c:\docume~1\jessic~1\locals~1\temp\yxxa.exe"
mRun: [uPc+MV0NK+Jsiv] rundll32.exe c:\windows\system32\d2608.dll, SystemServer
mRun: [HNUNOOXRnPuc] c:\docume~1\jessic~1\locals~1\temp\d1o6hdjtv.exe
mRun: [HNUNOOXRouqc] c:\docume~1\jessic~1\locals~1\temp\iexplarer.exe
mRun: [HNUNOOXRrg] c:\docume~1\jessic~1\locals~1\temp\smss.exe
mRun: [MKfsc] c:\windows\winlogon.exe
mRun: [MKevc] c:\windows\setup.exe
mRun: [Stuzes] rundll32.exe "c:\windows\ebiranoh.dll",Startup
mRun: [HNUNOOXRouqc(Windows; U; Windows NT 6.0; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3] c:\docume~1\jessic~1\locals~1\temp\iexplarer.exe
mRun: [MKaoc] c:\windows\debug.exe
mRun: [MKcZ] c:\windows\mdm.exe
mRun: [MKbtc] c:\windows\hexdump.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SwUpdate - {003541A1-3BC0-1B1C-AAF3-040114001C01} - c:\documents and settings\all users\application data\macromedia\swupdate\swupdate.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-5-13 105984]
R3 mvb35316;mvb35316;c:\windows\system32\drivers\mvb35316.sys [2004-8-10 12800]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys --> c:\windows\system32\drivers\avgldx86.sys [?]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys --> c:\windows\system32\drivers\avgmfx86.sys [?]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.SYS [?]
S1 SBRE;SBRE;c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S2 avg9emc;AVG Free E-mail Scanner;"c:\program files\avg\avg9\avgemc.exe" --> c:\program files\avg\avg9\avgemc.exe [?]
S2 avg9wd;AVG Free WatchDog;"c:\program files\avg\avg9\avgwdsvc.exe" --> c:\program files\avg\avg9\avgwdsvc.exe [?]
S2 Ias;Network Security;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S2 Wyeke Service;Wyeke Service;c:\documents and settings\all users\application data\wyeke\wyeke157.exe [2010-5-27 61688]

=============== Created Last 30 ================

2010-09-25 12:46:51 0 d-----w- c:\docume~1\jessic~1\applic~1\B765F0A64AC4CC94B80CBBC3A08C6D98
2010-09-25 12:07:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-25 12:07:44 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-25 12:07:44 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-25 11:36:58 0 d-----w- c:\program files\AVG
2010-09-25 11:36:37 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-09-25 11:13:44 0 d-----w- c:\docume~1\jessic~1\applic~1\SUPERAntiSpyware.com
2010-09-25 11:13:44 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-09-25 11:13:38 0 d-----w- c:\program files\SUPERAntiSpyware
2010-09-25 06:06:24 0 d--h--w- c:\windows\PIF
2010-09-25 02:50:57 0 d-----w- c:\program files\Enigma Software Group
2010-09-25 02:50:43 0 d-----w- c:\windows\CED3DF1E01D145ADBF3364AE5E8843B8.TMP
2010-09-25 02:50:40 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-09-25 02:07:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-25 02:03:53 0 d-----w- c:\docume~1\jessic~1\applic~1\Malwarebytes
2010-09-24 23:26:17 21636 ---h--w- c:\windows\taskmgr.exe
2010-09-24 23:26:16 21636 ---h--w- c:\windows\hexdump.exe
2010-09-24 23:26:16 21636 ---h--w- c:\windows\debug.exe
2010-09-24 23:26:15 21636 ---h--w- c:\windows\mdm.exe
2010-09-24 23:19:14 120 ----a-w- c:\windows\Qtusaguhey.dat
2010-09-24 23:19:14 0 ----a-w- c:\windows\Hpeduw.bin
2010-09-24 23:17:54 60004 ---h--w- c:\windows\setup.exe
2010-09-24 23:17:52 60004 ---h--w- c:\windows\winlogon.exe
2010-09-24 23:17:47 30000 ----a-w- c:\windows\system32\k9969cxis2.dll
2010-09-24 23:17:47 30000 ----a-w- c:\windows\system32\d2608.dll
2010-09-24 23:17:32 652288 ----a-w- c:\docume~1\jessic~1\applic~1\hotfix.exe
2010-09-24 23:17:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-09-24 23:17:17 0 ----a-w- c:\windows\system32\drivers\hadvir.sys
2010-09-24 23:17:07 0 d-----w- c:\docume~1\jessic~1\applic~1\B8C316057B1F66B25857ECC8E5298211
2010-09-24 17:47:58 0 d-----w- c:\windows\system32\wbem\Repository
2010-09-20 13:28:30 175 ----a-w- c:\windows\system32\MRT.INI
2010-09-19 07:51:15 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-09-19 07:51:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-09-15 01:55:07 0 d-----w- c:\documents and settings\jessica rodriguez\PrivacIE
2010-09-15 01:53:13 0 d-----w- c:\documents and settings\jessica rodriguez\IETldCache
2010-09-15 01:49:16 0 dc----w- c:\windows\ie8
2010-09-10 21:11:50 1564868 ----a-w- c:\windows\system32\WINSP.MB
2010-09-10 21:11:45 1783864 ----a-w- c:\windows\system32\WINPY.MB
2010-09-10 21:11:44 83748 ----a-w- c:\windows\system32\prcp.nls
2010-09-10 21:11:44 83748 ----a-w- c:\windows\system32\dllcache\prcp.nls
2010-09-10 21:11:43 83748 ----a-w- c:\windows\system32\prc.nls
2010-09-10 21:11:43 83748 ----a-w- c:\windows\system32\dllcache\prc.nls
2010-09-10 21:11:43 173602 ----a-w- c:\windows\system32\dllcache\c_10008.nls
2010-09-10 21:11:43 173602 ----a-w- c:\windows\system32\c_10008.nls

==================== Find3M ====================

2010-09-25 06:21:17 6294 ----a-w- c:\docume~1\jessic~1\applic~1\wklnhst.dat

============= FINISH: 6:51:58.59 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:40 AM

Posted 25 September 2010 - 09:40 AM

Hello Lockheed87 ,



Yes, some pretty nasty stuff there. Forget what you've already done, MBAM, etc.....we need to shake that rootkit loose and get rid of the other baddies I see there. One of them looks to be a backdoor trojan, so if you have any sensitive data on your computer, such as banking information, you might consider a reformat and reinstall of the system to ensure the security of your computer. At the very least you should change all your passwords and keep an eye on any bank account and such for any nefarious activity.

A couple of things......no AntiVirus program?? AND you're running a notorious nasty P2P program, BearShare. It's no wonder you're infected like this! dry.gif

If you wish to clean this, then please do the following :

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to Lockheed.exe and try again.

After that, get an AntiVirus on there : AVG, Avira OR Avast are good FREE antivirus. I use Avira myself. Then please run DDS again so I can see what's left, and let me know how it's running.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 Lockheed87

Lockheed87
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Holloman AFB, NM
  • Local time:09:40 AM

Posted 25 September 2010 - 04:52 PM

I ran the combo fix file and the log is uploaded to the post. Bear share was "deleted" from this laptop about 8-9 months ago, I told my fiance to not mess with any p2p programs and she says she hasn't. I put Vipre antivirus on her laptop and up until this it has been snagging up everything. Yesterday I was running a full system scan after I had got off work, about noon I couldn't stay awake anymore so I went up stairs and crashed. I woke up about 5 hours later and she told me the anti virus found 15 issues, I come down stairs to check out the infected files and see antivirus 2010.... Right away I new malware was letting loose on the laptop. The weird thing was seeing that Vipre was completely gone from the installed programs list, but the file was still present on the HDD. Stepped in some real nasty crap

Attached Files



#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:40 AM

Posted 25 September 2010 - 07:45 PM

Hello,

Okay......well, the ComboFix log does tell a better story, and close to what you just told me. In any case, it should be running better now that the rootkit is gone. See if you can update MBAM and have a scan with it now. You may need to uninstall it and try it fresh again, since it was hindered by the malware before. Post that report in your reply, as well as a new DDS log. There are still some things to remove, but I'd like a more accurate picture so we can get it all in one go. thumbup2.gif

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:40 AM

Posted 12 October 2010 - 11:42 AM


Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users