
Failed to remove OpenCloud Security


  • This topic is locked
2 replies to this topic

#1 Robin888

  • Members
  • 3 posts

Posted 28 September 2011 - 11:49 PM

I've been combating the OpenCloud Security malware for two consecutive nights but have so far frustratingly failed. Below are the symptoms and what I have tried.

My system:

32-bit, Windows 7, Internet Explorer. Microsoft Forefront.

Symptoms:

A fake infection window pops up as soon as Windows is open and stays there forever. My regular spyware defenders, including Microsoft Forefront and Ad-Aware, are invalidated. When I tried to remove the malware, none of the killing procedures could go through. Besides, even under "Safe Mode with networking", my Internet Explorer links were sometimes redirected to nonsense ad pages. I could not find any trace of the malware in the locations where those files were supposed to be.

What I have tried:

I tried some online scans like McAfee online scan which did not go through. I tried to use spyware killers like Spyware Doctor and Malwarebytes but none could go through either. I tried to use renamed Hijackthis to at least remove some files, but it was stopped in seconds by the Malware and could not be accessed any more.

Then I found BleepingComputer.com and strictly followed the removal procedure posted by Grinler on Sept 3, 2011. RKill seemed to have worked fine (it took a very short time, though), but Malwarebytes was shut down a few seconds after being started, apparently by the malware, and then could not be accessed any more. Error information: "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item." I tried to run Malwarebytes from a memory stick and it failed the same way. By the way, my LAN proxy server setting was unchecked in the first place.

Also, I found my Windows Firewall was not using the recommended settings but I could not reset it. Error 0x8007042c is given. The reason, according to my research, is probably that the Windows Firewall Authorization Driver service is not started. But this problem was NOT solved because the procedure recommended by a poster did not go through, which, according to him, is an indication of corrupted files or malware.

Tried to run the GMER (after running DDS) and save information about rootkits but it again was shut down about one minute later and couldn't be accessed any more. So I do not have the ARK log.

The only successful attempt so far is that I got the DDS log and Attach log, which I paste at the end of this post (I also attach the Attach.txt as an extra document).

Apparently the latest version of the OpenCloud Security malware has gained some ability to hide itself better and to proactively act against potential removal attempts. A solution is urgently needed. Please help.


DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.5.0_12
Run by ww at 22:48:00 on 2011-09-28
Microsoft Windows 7 Professional 6.1.7601.1.936.86.1033.18.3016.2220 [GMT -5:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\1678125325:4074174875.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Cobian Backup 10\Cobian.exe
C:\Program Files\Cobian Backup 10\cbInterface.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://w2.uno.edu/facultystaff.aspx
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:28091
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Shopping Assistant Plugin: {1631550f-191d-4826-b069-d9439253d926} - c:\program files\pricegong\2.5.0\PriceGongIE.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: adfabonppr Object: {26d02f99-ae5b-4533-ad67-e23b4b20d60d} - c:\windows\$blstun$\qgnnv.dll
BHO: Fast Search: {5ab7104a-b71f-49ad-9154-f7f8806ae848} - c:\program files\surf canyon\surfcanyon.dll
BHO: brumabonpgrm Object: {795f4311-02c9-4b7b-a9bb-78d4fe68a98d} - c:\windows\$blstun$\lmatn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: MinibarBHO: {aa74d58f-acd0-450d-a85e-6c04b171c044} - c:\program files\minibar\Kango.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Minibar: {d6598005-a921-4f83-b6e6-f4f030d1bf37} - c:\program files\minibar\Kango.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [PPS Accelerator] q:\pps.tv\ppstream\ppsap.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Google Pinyin 2 Autoupdater] "c:\program files\google\google pinyin 2\GooglePinyinDaemon.exe"
mRun: [Microsoft Forefront Client Security Antimalware Service] "c:\program files\microsoft forefront\client security\client\antimalware\MSASCui.exe" -hide
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [PL8gRZqhYwUeOt8234A] c:\windows\system32\fcS1ivD3oFaHsJd.exe
mRunOnce: [GrpConv] grpconv -o
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [YTYuWibiySyhLX.exe] c:\programdata\YTYuWibiySyhLX.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
IE: QQ - c:\program files\tencent\qqintl\bin\AddEmotion.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: ssrn.com\hq
Trusted Zone: ssrn.com\papers
Trusted Zone: ssrn.com\secure
Trusted Zone: ssrn.com\www
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
DPF: {9FAFB576-6933-4CCC-AB3D-B988EC43D04E} - hxxp://rsdownload.rising.com.cn/rs2010/online/ravolctl.cab
DPF: {A849E2DF-E0E3-4EB7-ACF4-403807D90000} - hxxp://www.pc120.com/scan/pc120/installer.cab
DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} - hxxp://t.live.cntv.cn/ieocx/CCTVUpdateInstall.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 208.77.2.11 207.200.7.21 68.105.28.12
TCP: Interfaces\{63AE60CF-A650-41F5-842C-D8102565CFED} : DhcpNameServer = 208.77.2.11 207.200.7.21 68.105.28.12
TCP: Interfaces\{63AE60CF-A650-41F5-842C-D8102565CFED}\34F6D666F62747F51405F55364C4 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{63AE60CF-A650-41F5-842C-D8102565CFED}\4484 : DhcpNameServer = 68.105.28.17 68.105.29.17
TCP: Interfaces\{63AE60CF-A650-41F5-842C-D8102565CFED}\C414E4F49414F564255454F575946494 : DhcpNameServer = 172.16.148.1 205.152.132.23 205.152.37.23
TCP: Interfaces\{63AE60CF-A650-41F5-842C-D8102565CFED}\C416155796E64716 : DhcpNameServer = 4.2.2.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-9-22 64512]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2011-9-28 67584]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2010-7-20 16896]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-3-24 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-8-18 2151640]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-3-24 133104]
S3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-11-23 71424]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-7-7 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-13 1343400]
SUnknown sdCoreService;sdCoreService; [x]
.
=============== Created Last 30 ================
.
2011-09-29 03:06:49 -------- d-----w- c:\users\ww\appdata\local\Safe mirror
2011-09-29 03:05:33 -------- d-----w- c:\program files\Cobian Backup 10
2011-09-29 02:19:03 -------- d-----w- c:\programdata\PCPitstop
2011-09-29 02:16:53 -------- d-----w- c:\program files\PCPitstop
2011-09-29 02:03:11 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-29 02:02:29 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-28 04:14:04 2456064 ----a-w- c:\windows\system32\UzzzPNNyxA1uS2.exe
2011-09-28 03:57:04 -------- d-----w- c:\users\ww\appdata\roaming\XrrzPNyxA1vSoFp
2011-09-28 03:57:04 -------- d-----w- c:\users\ww\appdata\roaming\W99hhXXjU
2011-09-28 03:42:44 -------- d-----w- c:\program files\kingsoft
2011-09-28 03:30:30 -------- d-----w- c:\program files\Rising
2011-09-28 02:24:00 -------- d-----w- c:\users\ww\appdata\roaming\rRL9gTXqjCkVzNx
2011-09-28 02:24:00 -------- d-----w- c:\users\ww\appdata\roaming\A2ibD3pnGaHsKfL
2011-09-28 01:34:21 -------- d-----w- c:\users\ww\appdata\roaming\PC Tools
2011-09-28 01:34:21 -------- d-----w- c:\program files\Spyware Doctor
2011-09-28 01:34:21 -------- d-----w- c:\program files\common files\PC Tools
2011-09-27 22:41:12 2463744 ----a-w- c:\windows\system32\fcS1ivD3oFaHsJd.exe
2011-09-27 18:34:47 -------- d-----w- c:\program files\Minibar
2011-09-27 18:34:42 -------- d-----w- c:\programdata\Babylon
2011-09-27 18:34:35 -------- d-----w- c:\program files\FaceSmooch Smileys
2011-09-27 18:34:19 73728 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\978EDE7.tmp
2011-09-27 18:34:19 120832 ----a-w- c:\windows\system32\drivers\136EDF8.sys
2011-09-27 18:34:14 -------- d-----w- c:\program files\Surf Canyon
2011-09-27 18:34:13 -------- d-----w- c:\program files\PriceGong
2011-09-27 18:33:53 -------- d-----w- c:\windows\$BLSTUN$
2011-09-27 18:32:47 506368 ----a-w- c:\programdata\YTYuWibiySyhLX.exe
2011-09-26 13:45:26 56200 ----a-w- c:\programdata\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{1ca2aa94-3dc8-4d36-8b65-b1ecb5e51f77}\offreg.dll
2011-09-26 13:45:23 7269712 ------w- c:\programdata\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{1ca2aa94-3dc8-4d36-8b65-b1ecb5e51f77}\mpengine.dll
2011-09-22 19:08:03 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-09-22 19:07:55 -------- d-----w- c:\program files\Lavasoft
2011-09-20 15:09:32 -------- d-----w- c:\users\ww\appdata\local\{3CB21EC9-56E9-496E-9574-168BA5C74A31}
2011-09-08 03:51:09 -------- d-----w- c:\users\ww\appdata\local\Apple Computer
.
==================== Find3M ====================
.
2011-08-01 02:10:26 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-07-22 02:54:43 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-07-22 02:48:26 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-07-22 02:44:36 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-16 22:31:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-16 04:27:30 290816 ----a-w- c:\windows\system32\KernelBase.dll
2011-07-16 02:17:19 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:17:19 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:17:19 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:17:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-07-09 04:29:46 2048 ----a-w- c:\windows\system32\tzres.dll
2011-07-09 02:30:00 223744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-07-01 04:23:15 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
.
============= FINISH: 22:50:21.79 ===============




Attach log:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/23/2009 9:05:40 AM
System Uptime: 9/28/2011 8:51:20 PM (2 hours ago)
.
Motherboard: LENOVO | | 2714CTO
Processor: Intel® Core™2 Duo CPU T9400 @ 2.53GHz | None | 2527/266mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 138 GiB total, 30.789 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 466 GiB total, 252.368 GiB free.
Q: is FIXED (NTFS) - 10 GiB total, 4.194 GiB free.
S: is FIXED (NTFS) - 1 GiB total, 0.688 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_8086&DEV_2A44&SUBSYS_20E617AA&REV_07\3&33FD14CA&0&18
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_8086&DEV_2A44&SUBSYS_20E617AA&REV_07\3&33FD14CA&0&18
Service:
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Windows Firewall Authorization Driver
Device ID: ROOT\LEGACY_MPSDRV\0000
Manufacturer:
Name: Windows Firewall Authorization Driver
PNP Device ID: ROOT\LEGACY_MPSDRV\0000
Service: mpsdrv
.
Class GUID:
Description: Base System Device
Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_20CA17AA&REV_11\4&1E9DBD12&0&04F0
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_20CA17AA&REV_11\4&1E9DBD12&0&04F0
Service:
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Security Processor Loader Driver
Device ID: ROOT\LEGACY_SPLDR\0000
Manufacturer:
Name: Security Processor Loader Driver
PNP Device ID: ROOT\LEGACY_SPLDR\0000
Service: spldr
.
Class GUID:
Description: Base System Device
Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_20C917AA&REV_11\4&1E9DBD12&0&03F0
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_20C917AA&REV_11\4&1E9DBD12&0&03F0
Service:
.
==== System Restore Points ===================
.
RP761: 9/25/2011 8:37:47 PM - Microsoft Forefront Client Security Checkpoint
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.4.5
Cobian Backup 10
D3DX10
Fast Search by Surf Canyon
Foxit PDF Editor
Foxit PDF IFilter
Foxit Reader
Google Earth Plug-in
Google Toolbar for Internet Explorer
Google Update Helper
J2SE Runtime Environment 5.0 Update 12
Java™ 6 Update 17
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Forefront Client Security Antimalware Service
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
MSVCRT
OGA Notifier 2.0.0048.0
Picasa 3
PPS影音 V2.7.0.1246 正式版
PriceGong 2.5.0
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
SAS 9.2
SAS 9.2 Formats Library for Teradata
SAS Drivers for ODBC
SAS OnlineDoc 9.2 for Windows
SAS Power and Sample Size 3.1
SAS Simulation Studio 1.2
SAS SQL Library for C 9.2
SAS Stat Studio 3.1
SAS Universal Viewer 1.0
SAS VJR
SAS XML Mapper 9.2
SAS/GRAPH NV Workshop 2.1
SAS/GRAPH ODS Graphics Editor 9.2
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553074)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2553073)
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Spelling Dictionaries Support For Adobe Reader 9
SSH Secure Shell
Talul-Ads Browser Enhancer
ThinkPad Power Management Driver
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2553110)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
WinEdt 6
WinRAR archiver
光大证券网上行情
谷歌拼音输入法 2.3
.
==== Event Viewer Messages From Past Week ========
.
9/28/2011 9:05:50 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
9/28/2011 8:52:23 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
9/28/2011 8:52:23 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
9/28/2011 8:52:21 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/28/2011 8:52:15 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
9/28/2011 8:51:51 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache PCTSD spldr Wanarpv6
9/28/2011 8:51:50 PM, Error: Service Control Manager [7000] - The Lavasoft Ad-Aware Service service failed to start due to the following error: Access is denied.
9/28/2011 8:51:48 PM, Error: Service Control Manager [7000] - The Microsoft Forefront Client Security Antimalware Service service failed to start due to the following error: Access is denied.
9/28/2011 12:47:40 AM, Error: Service Control Manager [7000] - The PC Tools Security Service service failed to start due to the following error: Access is denied.
9/28/2011 10:44:14 PM, Error: Service Control Manager [7000] - The Windows Firewall Authorization Driver service failed to start due to the following error: Cannot create a file when that file already exists.
9/28/2011 10:35:34 PM, Error: Service Control Manager [7001] - The Windows Firewall service depends on the Windows Firewall Authorization Driver service which failed to start because of the following error: Cannot create a file when that file already exists.
9/28/2011 10:16:04 PM, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.
9/27/2011 9:58:20 PM, Error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).
9/27/2011 9:58:00 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
9/27/2011 9:25:49 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr Wanarpv6
9/27/2011 8:50:57 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Forefront Client Security - KB977939 (Definition 1.113.359.0).
9/27/2011 8:45:08 AM, Error: Service Control Manager [7031] - The Microsoft Forefront Client Security Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
9/27/2011 8:38:29 PM, Error: Service Control Manager [7038] - The WinHttpAutoProxySvc service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
9/27/2011 8:38:29 PM, Error: Service Control Manager [7000] - The WinHTTP Web Proxy Auto-Discovery Service service failed to start due to the following error: The service did not start due to a logon failure.
9/27/2011 10:59:09 PM, Error: Service Control Manager [7000] - The MBAMSwissArmy service failed to start due to the following error: The system cannot find the file specified.
9/27/2011 10:42:45 PM, Error: Service Control Manager [7030] - The Kingsoft Online Scan Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
9/27/2011 1:35:09 PM, Error: Service Control Manager [7034] - The Application Information service terminated unexpectedly. It has done this 1 time(s).
9/27/2011 1:35:09 PM, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
9/27/2011 1:35:09 PM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
9/27/2011 1:35:09 PM, Error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/27/2011 1:35:09 PM, Error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/27/2011 1:35:09 PM, Error: Service Control Manager [7031] - The System Event Notification Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
9/27/2011 1:35:09 PM, Error: Service Control Manager [7031] - The Shell Hardware Detection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/27/2011 1:35:09 PM, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/27/2011 1:35:09 PM, Error: Service Control Manager [7031] - The Multimedia Class Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
9/27/2011 1:35:09 PM, Error: Service Control Manager [7031] - The IP Helper service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
9/27/2011 1:35:09 PM, Error: Service Control Manager [7031] - The Extensible Authentication Protocol service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
9/27/2011 1:35:09 PM, Error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/27/2011 1:35:09 PM, Error: Service Control Manager [7031] - The Application Experience service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/27/2011 1:35:09 PM, Error: Service Control Manager [7000] - The UPnP Device Host service failed to start due to the following error: The client of a component requested an operation which is not valid given the state of the component instance.
9/27/2011 1:35:09 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "776" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
9/23/2011 7:44:09 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
9/22/2011 3:04:09 PM, Error: FCSAM [3006] - Microsoft Forefront Client Security Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Alureon&threatid=2147583833 Scan ID: {94F0AB3C-CFD0-4695-96BC-9BFC7004CAFE} User: Blue\ww Name: Trojan:Win32/Alureon ID: 2147583833 Severity: Severe Category: Trojan Path: Alert Type: Spyware or other potentially unwanted software Action: Remove Error Code: 0x80508025 Error description: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website.
9/22/2011 2:15:17 PM, Error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s).
9/22/2011 2:08:04 PM, Error: Service Control Manager [7000] - The Lbd service failed to start due to the following error: The system cannot find the file specified.
9/22/2011 10:42:34 PM, Error: volsnap [36] -
9/22/2011 1:58:11 PM, Error: FCSAM [1008] - Microsoft Forefront Client Security has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Alureon&threatid=2147583833 Scan ID: {B0F28FDB-B22B-4EE2-83C6-98931655DAF4} Scan Type: AntiMalware User: Blue\ww Name: Trojan:Win32/Alureon ID: 2147583833 Severity: Severe Category: Trojan Path: Action: Remove Error Code: 0x80508025 Error description: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website.
9/22/2011 1:46:56 PM, Error: FCSAM [1008] - Microsoft Forefront Client Security has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Alureon&threatid=2147583833 Scan ID: {B633926A-C127-4ECB-AADB-A04CC9EBBAAE} Scan Type: AntiMalware User: Blue\ww Name: Trojan:Win32/Alureon ID: 2147583833 Severity: Severe Category: Trojan Path: Action: Remove Error Code: 0x80508025 Error description: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website.
9/22/2011 1:44:46 PM, Error: FCSAM [3006] - Microsoft Forefront Client Security Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Alureon&threatid=2147583833 Scan ID: {15589E21-F8AA-4C7B-80AB-DBCF6FCBE23D} User: Blue\ww Name: Trojan:Win32/Alureon ID: 2147583833 Severity: Severe Category: Trojan Path: Alert Type: Spyware or other potentially unwanted software Action: Remove Error Code: 0x80508025 Error description: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website.
.
==== End Of File ===========================
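The Event Viewer section of the log above shows the same Forefront cleanup failure (Trojan:Win32/Alureon, error code 0x80508025) recurring minutes apart, which is the signal a responder looks for when deciding whether a machine needs more than the installed AV. Below is an added example, not code from the original post or from the DDS tool, that parses lines in this log format and flags threats the AV repeatedly failed to remove; the sample lines are constructed from the post's own values with the message bodies shortened.

```python
import re
from collections import Counter

# Constructed sample in the DDS "Event Viewer" line format quoted in this thread;
# timestamps, sources, event IDs and the Forefront threat/error-code values are
# copied from the post, message bodies are shortened.
SAMPLE_LOG = """\
9/27/2011 1:35:09 PM, Error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 1 time(s).
9/22/2011 1:58:11 PM, Error: FCSAM [1008] - Microsoft Forefront Client Security has encountered an error when taking action on spyware or other potentially unwanted software. User: Blue\\ww Name: Trojan:Win32/Alureon ID: 2147583833 Severity: Severe Category: Trojan Path: Action: Remove Error Code: 0x80508025
9/22/2011 1:46:56 PM, Error: FCSAM [1008] - Microsoft Forefront Client Security has encountered an error when taking action on spyware or other potentially unwanted software. User: Blue\\ww Name: Trojan:Win32/Alureon ID: 2147583833 Severity: Severe Category: Trojan Path: Action: Remove Error Code: 0x80508025
9/22/2011 10:42:34 PM, Error: volsnap [36] -
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<eid>\d+)\] -\s?(?P<msg>.*)$"
)
# Key/value pairs that Forefront (source FCSAM) embeds in its message text.
THREAT_RE = re.compile(r"Name: (?P<name>\S+)")
ERRCODE_RE = re.compile(r"Error Code: (?P<code>0x[0-9A-Fa-f]+)")

def parse_dds_events(text):
    """Parse DDS Event Viewer lines into dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def failed_remediations(events):
    """Count FCSAM events where an action on a named threat ended in an error code."""
    counts = Counter()
    for ev in events:
        if ev["source"] != "FCSAM":
            continue
        name, code = THREAT_RE.search(ev["msg"]), ERRCODE_RE.search(ev["msg"])
        if name and code:
            counts[(name["name"], code["code"])] += 1
    return counts

def triage(text, min_repeats=2):
    """Flag threats the AV repeatedly failed to clean: a sign the malware is
    tampering with the AV or reinstating itself, so the log is worth escalating."""
    return [f"{name}: {n} failed removals with error {code}"
            for (name, code), n in failed_remediations(parse_dds_events(text)).items()
            if n >= min_repeats]
```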

#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,744 posts
  • Gender:Male

Posted 03 October 2011 - 11:50 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/421009 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,744 posts
  • Gender:Male

Posted 05 October 2011 - 10:13 PM

You have stated that you no longer need help with this issue, therefore I am closing this topic. If that is not the case and you need or wish to continue with this topic, please send any Moderator a Personal Message (PM) that you would like this topic re-opened.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!



