
toshi73

  1. Several minutes ago, I posted this message in "General Malwarebytes' Anti-Malware Forum", so I am posting it here again. I was infected by malware, and when I logged in, a "System Fix" window appeared. So I searched for related information and found your post: http://www.bleepingc...move-system-fix I followed these instructions and found and deleted these infections:

     Registry Values Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YWxuQkarbaeSd.exe (Trojan.FakeAlert) -> Value: YWxuQkarbaeSd.exe -> Quarantined and deleted successfully.

     Registry Data Items Infected:
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     c:\documents and settings\all users\application data\ywxuqkarbaesd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

     After that, when I logged in in normal mode, System Fix appeared on my window again, so I stopped my machine immediately. I logged in again in Safe Mode with Networking and tried to enable the protection module in your Anti-Malware, but it only prompted "[startSearvice] Failed to perform desired action. Error Code: 1084". So again I googled and found your post: http://forums.malwar...showtopic=88179 So I downloaded DDS and got the log files. Please help me solve this problem.

     DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
     Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
     Run by Administrator at 18:17:16 on 2011-11-19
     Microsoft Windows XP Professional 5.1.2600.3.932.81.1041.18.1214.537 [GMT 9:00]

     Attachments: DDS.txt, Attach.txt
  2. I was infected by malware, and when I logged in, a "System Fix" window appeared. So I searched for related information and found your post: http://www.bleepingcomputer.com/virus-removal/remove-system-fix I followed these instructions and found and deleted these infections:

     Registry Values Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YWxuQkarbaeSd.exe (Trojan.FakeAlert) -> Value: YWxuQkarbaeSd.exe -> Quarantined and deleted successfully.

     Registry Data Items Infected:
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     c:\documents and settings\all users\application data\ywxuqkarbaesd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

     After that, when I logged in in normal mode, System Fix appeared on my window again, so I stopped my machine immediately. I logged in again in Safe Mode with Networking and tried to enable the protection module in your Anti-Malware, but it only prompted "[startSearvice] Failed to perform desired action. Error Code: 1084". So again I googled and found your post: http://forums.malwarebytes.org/index.php?showtopic=88179 So I downloaded DDS and got the log files. Please help me solve this problem.

     Attachments: DDS.txt, Attach.txt