
Infected with Security Tool


This topic is locked
2 replies to this topic

#1 ddibowski

ddibowski

  • Members
  • 162 posts
  • Gender:Male
  • Local time:06:50 AM

Posted 18 November 2010 - 04:41 PM

This is a continuation of the topic found at http://www.bleepingcomputer.com/forums/topic360988.html/page__p__2020563__hl__security+tool__fromsearch__1#entry2020563

My computer has been infected by the Security Tool virus. I tried to use the Security Tool Removal guide but had the problems described in the topic referenced by the link above. I am using the Prep Guide to capture the logs you need.

I tried to run the dds.scr booting up normally. I got a message from Security Tool saying - "DDS.SCR is infected with virsu.dos.PM.733. The worm is trying to send your credit card details is using dds.scr to connect to remote host."

So I was not able to run this program. I downloaded GMER. I was a little confused because there are two links there. I downloaded both to my desktop. I can see they are the same size so I think they are the same program.

I executed the one from "GMER Download Link 1". It gave me a similar message - "WINZIP.exe is infected with virsu.dos.mini.60.a. The worm is trying to send your credit card details is using WINZIP.exe to connect to remote host."

I executed the one from "GMER Download Link 2". It gave me a similar message - "WINZIP.exe is infected with TROJAN-PSW.WIN32.LDPINCH.rm. The worm is trying to send your credit card details is using WINZIP.exe to connect to remote host."

I am also noticing that I am not able to run Microsoft software when booted normally. Security Tool gives me similar messages when I try to use Notepad, Word or Outlook Express.

Working with the Security Tool Removal Guide (from the other topic referenced above), it had me boot the computer in safe mode. I noticed that in safe mode the Security Tool software was not causing any problems, so I decided to run the scans in safe mode. Hopefully this will give you the info you need to solve my problem; I do realize this may not be the case, though.

Here are the results of dds.scr in safe mode:

DDS (Ver_10-11-10.01) - NTFSx86 NETWORK
Run by Owner at 13:41:00.15 on Thu 11/18/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1749 [GMT -5:00]

AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ZoneAlarm Anti-virus Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://broadband.zoomtown.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRunOnce: [6240168] "c:\docume~1\owner\locals~1\applic~1\6240168.exe" 0 49
uRunOnce: [1440359] "c:\docume~1\owner\locals~1\applic~1\1440359.exe" 0 20
uRunOnce: [997290] "c:\docume~1\owner\locals~1\applic~1\997290.exe" 0 43
uRunOnce: [540631247] "c:\docume~1\owner\locals~1\applic~1\540631247.exe" 0 40
uRunOnce: [659151378] "c:\docume~1\owner\locals~1\applic~1\659151378.exe" 0 49
uRunOnce: [727560645] "c:\docume~1\owner\locals~1\applic~1\727560645.exe" 0 37
uRunOnce: [441385] "c:\docume~1\owner\locals~1\applic~1\441385.exe" 0 50
uRunOnce: [0427373] "c:\docume~1\owner\locals~1\applic~1\0427373.exe" 0 28
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [81933933] c:\docume~1\alluse~1\applic~1\81933933\81933933.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mExplorerRun: [wininet.dll]
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\HP Digital Imaging Monitor.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\HP Image Zone Fast Start.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
uPolicies-explorer: StartMenuLogoff = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: bigeast.org\www
Trusted Zone: edwardjones.com\accountlink
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} - hxxp://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1239728053218
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38212.7065509259
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {A2D9D3F0-8C2A-2A1D-A376-1BECFB10AB72} - No File
LSA: Notification Packages = scecli scecli scecli
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 298448]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-3-6 532224]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-10-11 6104656]
S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-9-10 265400]
S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]
S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 476528]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]

=============== Created Last 30 ================

2010-11-16 18:22:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-16 18:21:59 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-15 22:52:50 1016320 ----a-w- c:\docume~1\owner\locals~1\applic~1\6240168.exe
2010-11-15 22:51:34 1016320 ----a-w- c:\docume~1\owner\locals~1\applic~1\0427373.exe
2010-11-15 22:50:52 1016320 ----a-w- c:\docume~1\owner\locals~1\applic~1\6529143651.exe
2010-11-15 22:50:33 1016320 ----a-w- c:\docume~1\owner\locals~1\applic~1\441385.exe
2010-11-15 22:50:21 1016320 ----a-w- c:\docume~1\owner\locals~1\applic~1\659151378.exe
2010-11-15 22:50:08 1016320 ----a-w- c:\docume~1\owner\locals~1\applic~1\727560645.exe
2010-11-15 22:49:56 1016320 ----a-w- c:\docume~1\owner\locals~1\applic~1\540631247.exe
2010-11-15 22:49:38 1016320 ----a-w- c:\docume~1\owner\locals~1\applic~1\1440359.exe
2010-11-15 22:49:23 1016320 ----a-w- c:\docume~1\owner\locals~1\applic~1\997290.exe
2010-11-03 18:19:55 -------- d-----w- c:\docume~1\owner\applic~1\AVG10
2010-11-03 18:18:50 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-11-03 18:16:50 -------- d-----w- c:\windows\system32\drivers\AVG
2010-11-03 18:16:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-11-03 17:55:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38:01 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38:01 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 15:57:57 389120 ----a-w- c:\windows\system32\html.iec
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2009-09-30 23:13:18 17433 ----a-w- c:\program files\common files\nacihamy.bat
2009-09-30 23:13:18 17415 ----a-w- c:\program files\common files\ihozabaho.dll
2009-09-27 19:42:22 14363 ----a-w- c:\program files\common files\yletonujik.pif

============= FINISH: 13:42:38.06 ===============

I have attached a copy of the attach.txt.

In safe mode my screen resolution is very large, so it was difficult to work with the GMER software. I did not have a vertical scroll bar and could not position the window to expose the Save button. I could barely click Scan. The document ark_txt.doc contains screenshots, taken using the embedded scroll bars, that show the messages that appeared in the result window. Hopefully you can look at the positioning of the scroll bars to see the lines it produced. I realize too that a real save may save more than this, but hopefully you can get what is needed from this.

If there is anything else I can provide let me know.

Thank you for your help.

Don

Attached Files
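The log above shows the pattern a helper would look for by eye: eight uRunOnce values with random all-digit names, each pointing at a 1016320-byte executable in the user's Application Data folder, one mRun value of the same shape under All Users, an mExplorerRun value named after a system DLL but carrying no command line, and a hosts-file override pointing a security site at 127.0.0.1. Because Windows skips Run and RunOnce values when it starts in Safe Mode, this also fits the observation that the rogue stayed quiet there. The script below is an added triage example, not part of the original post and not part of DDS; it assumes DDS's 8.3 short path form (`applic~1`) or the long form `application data`, and takes the sample lines excerpted from the log above as its embedded input.

```python
"""Triage helper: flag suspicious autostart and file entries in a DDS log excerpt.

Added example (not from the original post or from DDS). The heuristics are the
ones applied by eye to the log above: all-digit autorun value names, autoruns
that launch from Application Data, a Run value with no command line, files in
Application Data sharing one exact size, and hosts-file overrides.
"""
import re
from collections import defaultdict

# Constructed sample input: lines excerpted from the DDS output posted above.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [6240168] "c:\docume~1\owner\locals~1\applic~1\6240168.exe" 0 49
uRunOnce: [1440359] "c:\docume~1\owner\locals~1\applic~1\1440359.exe" 0 20
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [81933933] c:\docume~1\alluse~1\applic~1\81933933\81933933.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mExplorerRun: [wininet.dll]
Hosts: 127.0.0.1 www.spywareinfo.com
2010-11-16 18:21:59 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-15 22:52:50 1016320 ----a-w- c:\docume~1\owner\locals~1\applic~1\6240168.exe
2010-11-15 22:49:38 1016320 ----a-w- c:\docume~1\owner\locals~1\applic~1\1440359.exe
"""

# DDS "Pseudo HJT" autorun line: uRun/mRun/uRunOnce/mRunOnce/mExplorerRun: [name] command
AUTORUN_RE = re.compile(
    r"^(?P<key>[um](?:Run|RunOnce|ExplorerRun)):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$"
)
# DDS "Created Last 30" line: date time size attrs path
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<size>\d+) \S+ (?P<path>.+)$"
)
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)$")


def in_app_data(path):
    """True if the path sits under a user or All Users 'Application Data' folder (8.3 or long form)."""
    p = path.lower()
    return "\\applic~1\\" in p or "\\application data\\" in p


def flag_autoruns(log):
    """Return (key, name, reason) for autorun values that match the rogue's pattern."""
    findings = []
    for line in log.splitlines():
        m = AUTORUN_RE.match(line.strip())
        if not m:
            continue
        key, name, cmd = m.group("key"), m.group("name"), m.group("cmd").strip()
        reasons = []
        if name.isdigit():
            reasons.append("numeric-only value name")
        if cmd and in_app_data(cmd):
            reasons.append("launches from Application Data")
        if not cmd:
            reasons.append("value carries no command line")
        if reasons:
            findings.append((key, name, "; ".join(reasons)))
    return findings


def size_clusters(log):
    """Map size -> paths for 'Created Last 30' files in Application Data that share an exact size."""
    by_size = defaultdict(list)
    for line in log.splitlines():
        m = CREATED_RE.match(line.strip())
        if m and in_app_data(m.group("path")):
            by_size[int(m.group("size"))].append(m.group("path"))
    return {size: paths for size, paths in by_size.items() if len(paths) > 1}


def hosts_overrides(log):
    """Return (ip, host) for every hosts entry DDS reported (it lists only non-default ones)."""
    return [(m.group("ip"), m.group("host"))
            for m in (HOSTS_RE.match(ln.strip()) for ln in log.splitlines()) if m]


if __name__ == "__main__":
    for key, name, why in flag_autoruns(SAMPLE_LOG):
        print(f"{key}: [{name}]  <- {why}")
    for size, paths in size_clusters(SAMPLE_LOG).items():
        print(f"{len(paths)} files of exactly {size} bytes: {', '.join(paths)}")
    for ip, host in hosts_overrides(SAMPLE_LOG):
        print(f"hosts: {host} -> {ip}")
```

Run against the full log, `flag_autoruns` lists the eight uRunOnce values, the 81933933 mRun value and the empty mExplorerRun value while leaving ctfmon, QuickTime, AVG and the other vendor entries alone, and `size_clusters` groups the nine identical 1016320-byte droppers. The heuristics are deliberately loose: a numeric value name or an Application Data launch path is a prompt to look closer, not proof of infection on its own.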





#2 ddibowski

ddibowski
  • Topic Starter

  • Members
  • 162 posts
  • Gender:Male
  • Local time:06:50 AM

Posted 22 November 2010 - 11:35 AM

This is no longer a problem on this PC.

I did not purposely make any changes to my PC but I think what happened was the AVG Virus protection was set to automatically update the PC. The morning after I posted this, the problem was gone. My guess is they have something that was downloaded and automatically removed the problem.

Sorry if you spent any time on this. Thank you for what you do.

ddibowski

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:09:50 PM

Posted 22 November 2010 - 04:12 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw



