
Infected with virus and Root kit :(

This topic is locked
4 replies to this topic

#1 kwceliak (Members, 3 posts)

Posted 23 April 2011 - 11:52 AM

Hello,
Thanks for reading my post :) My home PC has recently been infected with at least one nasty virus which is wreaking havoc. In the beginning I believe it was just the Fake Microsoft Security Essentials virus (when I click on the icon in my status bar it opens a window prompting me to purchase something that I know is not legit). I made attempts to remove it on my own but it kept coming back.

It's now 4 weeks later and I'm still battling with the virus, which has become much worse. Whenever I open an internet browser (IE, Google Chrome, Firefox) it will either (A) shut down for no apparent reason; or (B) I'll get an error message saying the website cannot be opened; or (C) my Google homepage is redirected to some crazy weird website that I have never seen before. There are other symptoms such as folders on my hard drive not displaying contents and I'm still getting constant error messages from my status bar.

If you need specific wording for any of the error messages I receive please let me know – I keep my PC shut down for now because it annoys the crap out of me but if required I can definitely get more details for you. My DDS files are below and attached as instructed. Any help or suggestions would be GREATLY appreciated. Thanks in advance!!!


System: MS Windows XP Professional
Version 2002
Service Pack 3



.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 11:12:28.81 on 22/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.511.117 [GMT -4:00]
.
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {D351B063-D519-4278-9704-D38FF72EA486}
AV: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Trend Micro OfficeScan Enterprise Client Firewall *Disabled*
FW: Trend Micro Personal Firewall *Disabled*
.
============== Running Processes ===============
.
C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
svchost.exe
C:\OfficeScan NT\ntrtscan.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\OfficeScan NT\tmlisten.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe
C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\TEMP\JDF7FE.EXE
C:\OfficeScan NT\CNTAoSMgr.exe
E:\Anit-Virus Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [EPSON NX420 Series] "c:\windows\system32\spool\drivers\w32x86\3\e_fatigca.exe" /fu "c:\windows\temp\E_SF6.tmp" /EF "HKCU"
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
mRun: [OfficeScanNT Monitor] "c:\officescan nt\pccntmon.exe" -HideWindow
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [WebrootTrayApp] "c:\program files\webroot\security\current\framework\WRTray.exe"
mRun: [MSConfig] "c:\windows\pchealth\helpctr\binaries\MSConfig.exe" /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\epsona~1.lnk - r:\common\epsonreg\EpsonReg.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3269A168-A467-4236-9D77-FF36D8DFB20F} - hxxps://bis.na.blackberry.com/html/web/client_tools/RIM-PwpClient.cab
DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} - hxxp://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} - hxxps://ourbrampton.brampton.ca/InternalSite/WhlCompMgr.cab
DPF: {909A35CA-61DC-4437-887E-30ED6D89F6C8} - hxxp://www.cpa-exam.org/AICPATutorial/install/General.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4C9E474-9A6C-4FBF-B13A-4BE2BDD34FD5} - hxxp://www.cpa-exam.org/AICPATutorial/install/AICPAViewerIL.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 192.168.8.2 nt_server mailserver
Hosts: 192.168.5.2 nova
Hosts: 192.168.5.3 main
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\agfwp8bm.default\
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.40624.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl3e7982bb;MpKsl3e7982bb;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1d4d9fa6-2e47-49a6-afbb-e7de09dfd91e}\MpKsl3e7982bb.sys [2011-4-22 28752]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-12-28 47640]
R2 SSFMONM;Spy Sweeper File System Filter Driver;c:\windows\system32\drivers\ssfmonm.sys [2011-4-3 45072]
R2 TmFilter;Trend Micro Filter;c:\officescan nt\tmxpflt.sys [2004-3-30 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\officescan nt\tmpreflt.sys [2004-3-30 36368]
R2 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\program files\microsoft forefront uag\endpoint components\3.1.0\uagqecsvc.exe [2010-12-20 150928]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\security\current\plugins\antimalware\AEI.exe [2011-4-3 3899008]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\security\current\framework\WRConsumerService.exe [2011-4-3 3251928]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2004-6-15 315408]
S1 MpKsl7b1f1118;MpKsl7b1f1118;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5cb323c2-efbd-4ad0-bfe5-b42a9867cdcf}\mpksl7b1f1118.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5cb323c2-efbd-4ad0-bfe5-b42a9867cdcf}\MpKsl7b1f1118.sys [?]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S3 AC2003;AC2003;c:\windows\system32\drivers\AC2003.sys [2005-6-27 4224]
S3 DMService;Microsoft Forefront UAG Endpoint Component Manager;c:\windows\downlo~1\DMService.exe [2010-12-20 468368]
S3 TmPfw;OfficeScanNT Personal Firewall;c:\officescan nt\TmPfw.exe [2008-3-25 939344]
S3 TmProxy;OfficeScan NT Proxy Service;c:\officescan nt\TmProxy.exe [2008-3-25 558416]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-6 135664]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-04-22 15:00:44 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{1d4d9fa6-2e47-49a6-afbb-e7de09dfd91e}\MpKsl3e7982bb.sys
2011-04-19 00:58:13 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{1d4d9fa6-2e47-49a6-afbb-e7de09dfd91e}\mpengine.dll
2011-04-05 22:04:58 -------- d-----w- c:\program files\common files\Symantec Shared
2011-04-05 22:04:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2011-04-05 22:03:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2011-04-05 01:59:13 -------- d-----w- c:\windows\system32\Adobe
2011-04-03 20:07:31 45072 ----a-w- c:\windows\system32\drivers\ssfmonm.sys
2011-04-03 20:07:31 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2011-04-03 20:07:31 182056 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2011-04-03 20:02:49 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{3140EA8C-7399-4EC4-819C-16996F38FCFC}
2011-04-03 20:01:59 -------- d-----w- c:\program files\Webroot
2011-04-03 20:01:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\Webroot
2011-04-03 20:01:05 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\PackageAware
2011-03-30 02:11:01 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-03-28 22:02:18 215920 ----a-w- c:\windows\system32\muweb.dll
2011-03-28 22:02:18 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-03-28 22:02:17 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-03-27 14:38:54 6792528 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-03-27 14:36:27 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-03-27 14:30:05 -------- d-----w- c:\program files\Microsoft Security Client
2011-03-26 22:54:44 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2011-03-26 22:54:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-26 22:54:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-26 22:54:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
============= FINISH: 11:16:24.21 ===============

Edited by kwceliak, 23 April 2011 - 12:14 PM.



#2 sempai (noypi, Malware Response Team, 5,288 posts, Location: 3 stars and a sun)

Posted 29 April 2011 - 12:59 PM

Sorry about the delay, do you still need help?

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)


#3 kwceliak (Topic Starter, Members, 3 posts)

Posted 29 April 2011 - 05:05 PM

Hi Sempai,

No worries, I think I have nipped the problem in the bud. But thanks for your reply :)

Take care,

Karen

#4 sempai (noypi, Malware Response Team, 5,288 posts)

Posted 29 April 2011 - 11:56 PM

Thank you for letting us know. :)

~Semp



#5 sempai (noypi, Malware Response Team, 5,288 posts)

Posted 29 April 2011 - 11:56 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

~Semp
