

Several minutes ago, I posted this message in the "General Malwarebytes' Anti-Malware Forum", so I am posting it again here.

I was infected by malware, and when I logged in, a "System Fix" window appeared.

So I searched for related information and found your post.

http://www.bleepingc...move-system-fix

I followed those instructions and found and deleted these infections:

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YWxuQkarbaeSd.exe (Trojan.FakeAlert) -> Value: YWxuQkarbaeSd.exe -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\all users\application data\ywxuqkarbaesd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

After that, when I logged in in normal mode, System Fix appeared on my screen again.

So I shut down my machine immediately.

Then I logged in again in Safe Mode with Networking and tried to enable the protection module in your anti-malware, but it only prompted "[StartService] Failed to perform desired action. Error Code: 1084".

So I googled again and found your post.

http://forums.malwar...showtopic=88179

So I downloaded DDS and got the log files.

Please help me solve this problem.

.

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15

Run by Administrator at 18:17:16 on 2011-11-19

Microsoft Windows XP Professional 5.1.2600.3.932.81.1041.18.1214.537 [GMT 9:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Microsoft Shared\IME14\SHARED\IMECMNT.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\conime.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Hidemaru\HIDEMARU.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.co.jp/index.html

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No File

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11c_ActiveX.exe -update activex

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe

mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe

mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe

mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"

mRun: [RoxioDragToDisc] "c:\program files\roxio\easy media creator 7\drag to disc\DrgToDsc.exe"

mRun: [Acronis Scheduler2 サービス] "c:\program files\common files\acronis\schedule2\schedhlp.exe"

mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [PMBVolumeWatcher] c:\program files\sony\pmb\PMBVolumeWatcher.exe

mRun: [IME14 JPN Setup] c:\progra~1\common~1\micros~1\ime14\shared\IMEKLMG.EXE /SetPreload /JPN /Log

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sourcenext.SSS.Message] c:\program files\sourcenext\ソースネクスト アップデート3\Message.exe

mRun: [sourcenext.SSS.Statistics] c:\program files\sourcenext\ソースネクスト アップデート3\Statistics.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

dRun: [ctfmon.exe] ctfmon.exe

StartupFolder: c:\docume~1\admini~1\スター~1\プログ~1\スター~1\秀丸.lnk - c:\program files\hidemaru\Hidemaru.exe

IE: Google サイドウィキ... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: Microsoft Excel にエクスポート(&X) - c:\progra~1\micros~2\office14\EXCEL.EXE/3000

IE: OneNote に送る(&N) - c:\progra~1\micros~2\office14\ONBttnIE.dll/105

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {0725D9DE-4CB8-4BC3-8219-3E74C0D544F7} - hxxp://sample3.dmm.co.jp/downloader5/DMMDownloader.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {C7936030-390C-429E-9E90-F3984F5AD3BF} - hxxp://mini4wd.jp/CaveOnline.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{52863EEE-F445-450C-AC04-44F031F5EB27} : DhcpNameServer = 192.168.0.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\d3m2m2yz.default\

FF - plugin: c:\documents and settings\administrator\local settings\application data\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\documents and settings\all users\application data\keyring\plugin\npkrplugin-1.0.0.dll

FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll

FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL

FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll

.

============= SERVICES / DRIVERS ===============

.

R0 tdrpman251;Acronis Try&Decide and Restore Points filter (build 251);c:\windows\system32\drivers\tdrpm251.sys [2010-2-9 902432]

RUnknown mfehidk;mfehidk; [x]

RUnknown mfetdi2k;mfetdi2k; [x]

S2 0308601321685265mcinstcleanup;McAfee Application Installer Cleanup (0308601321685265);c:\docume~1\admini~1\locals~1\temp\030860~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\admini~1\locals~1\temp\030860~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

S2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2010-10-20 821664]

S2 Cymon;Cymon;c:\windows\system32\drivers\cymon.sys [2009-7-21 107104]

S2 CypherGuard cguard Service 32bit Edition;CypherGuard cguard Service 32bit Edition;c:\program files\common files\cyphertec\cgrdsrv32.exe [2009-10-6 112560]

S2 CypherGuard Info Service;CypherGuard Info Service;c:\program files\common files\cyphertec\cthwsrv32.exe [2009-10-6 112048]

S2 gupdate;Google アップデート サービス (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]

S2 ImeDictUpdateService;Microsoft IME Dictionary Update;c:\program files\common files\microsoft shared\ime14\shared\IMEDICTUPDATE.EXE [2010-1-21 59760]

S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-19 366152]

S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\sony\pmb\PMBDeviceInfoProvider.exe [2011-3-15 428384]

S2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2010-9-14 508264]

S3 gupdatem;Google Update サービス (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-19 22216]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-11-19 41272]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-26 35088]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [2009-12-2 581480]

S3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [2009-12-2 209640]

S3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [2009-12-2 20584]

S3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [2009-12-2 18280]

S3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2010-9-14 219496]

SUnknown McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; [x]

SUnknown McNaiAnn;McNaiAnn; [x]

SUnknown McProxy;McProxy; [x]

SUnknown McShield;McShield; [x]

SUnknown mfefire;mfefire; [x]

SUnknown mfevtp;mfevtp; [x]

UnknownUnknown cfwids;cfwids; [x]

UnknownUnknown mfeavfk;mfeavfk; [x]

UnknownUnknown mfebopk;mfebopk; [x]

UnknownUnknown mfefirek;mfefirek; [x]

UnknownUnknown mfendisk;mfendisk; [x]

UnknownUnknown mfendiskmp;mfendiskmp; [x]

UnknownUnknown mferkdet;mferkdet; [x]

.

=============== File Associations ===============

.

.txt=hidemaru.txt

.

=============== Created Last 30 ================

.

2011-11-19 09:00:08 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-11-19 08:03:01 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Secunia PSI

2011-11-19 08:02:51 -------- d-----w- c:\program files\Secunia

2011-11-19 07:01:55 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-19 06:47:05 -------- d-----w- c:\program files\common files\Mcafee

2011-11-19 06:47:02 -------- d-----w- c:\windows\LastGood.Tmp

2011-11-19 06:42:39 150856 ----a-w- c:\windows\system32\mfevtps.exe.4529.deleteme

2011-11-19 05:57:19 -------- d-----w- c:\documents and settings\all users\プログラム

2011-11-19 01:52:09 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes

2011-11-19 01:52:00 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-11-19 01:51:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-18 21:18:25 339192 ----a-w- c:\documents and settings\all users\application data\Pt9TfDN70D3wiZ.exe

2011-11-08 14:43:01 -------- d-----w- c:\program files\Hidemaru

.

==================== Find3M ====================

.

2011-10-15 02:37:27 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-10 14:22:45 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06:48 593920 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 02:41:42 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 02:41:42 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-26 02:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-06 14:09:59 1858560 ----a-w- c:\windows\system32\win32k.sys

2011-08-22 23:41:29 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:41:28 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-08-22 23:41:28 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:56:54 385024 ----a-w- c:\windows\system32\html.iec

2010-07-09 16:29:05 454656 ----a-w- c:\program files\putty.exe

.

============= FINISH: 18:17:54.50 ===============

Attached: DDS.txt, Attach.txt
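The sequence in the post above (one Run value and its executable quarantined, then System Fix back at the next normal logon) is what a leftover second copy looks like, and the DDS log posted does list one more executable created the evening before the scan, in the same directory as the quarantined one: c:\documents and settings\all users\application data\Pt9TfDN70D3wiZ.exe, 2011-11-18 21:18:25. The script below is an added example for this thread, not part of DDS, Malwarebytes or the poster's material. It walks a DDS log and flags Run entries, services, Firefox plugins and recently created executables that load from user-writable locations or have names that interleave letters and digits. The sample log is constructed from a subset of the lines quoted above plus one reconstructed Run entry (the HKLM Run value MBAM reported removing); the directory list and the name heuristic are assumptions, and a hit is a review item rather than a verdict (the McAfee installer-cleanup service that runs from %temp% in this very log is flagged too, and is most likely benign).

```python
"""Triage a DDS log: flag autoruns, services, Firefox plugins and newly created
executables that load from user-writable locations or have random-looking names.

Added example for this thread; not part of DDS, Malwarebytes or the poster's
material.  The directory list and the name heuristic are assumptions.
"""
import re

# Assumption: on Windows XP these are writable by an unprivileged user, so a
# program starting from one of them deserves a look (legitimate software uses
# them too, so a hit is a review item, not a verdict).
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".bat", ".cmd")

RUN_RE = re.compile(r"^[umd]Run(?:Once)?:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")
SERVICE_RE = re.compile(r"^[SRU]\w*\s+(?P<name>[^;]+);[^;]*;(?P<cmd>.*)$")
PLUGIN_RE = re.compile(r"^FF - plugin:\s+(?P<path>.+)$")
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(?P<size>\S+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$")

# Constructed sample: a subset of the DDS lines quoted in the thread ...
POSTED_LINES = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11c_ActiveX.exe -update activex
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [PMBVolumeWatcher] c:\program files\sony\pmb\PMBVolumeWatcher.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
S2 0308601321685265mcinstcleanup;McAfee Application Installer Cleanup (0308601321685265);c:\docume~1\admini~1\locals~1\temp\030860~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-19 366152]
FF - plugin: c:\documents and settings\all users\application data\keyring\plugin\npkrplugin-1.0.0.dll
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
2011-11-19 09:00:08 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-11-19 06:42:39 150856 ----a-w- c:\windows\system32\mfevtps.exe.4529.deleteme
2011-11-19 01:52:00 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-18 21:18:25 339192 ----a-w- c:\documents and settings\all users\application data\Pt9TfDN70D3wiZ.exe
"""
# ... plus one line reconstructed from the MBAM report in the thread (the HKLM
# Run value it quarantined); it is not in the posted DDS log.
RECONSTRUCTED_RUN = r"mRun: [YWxuQkarbaeSd.exe] c:\documents and settings\all users\application data\ywxuqkarbaesd.exe"
SAMPLE_LOG = RECONSTRUCTED_RUN + POSTED_LINES


def extract_path(command):
    """Program path from a DDS command string: the quoted first token, or the
    shortest unquoted prefix ending in an executable extension (XP paths in
    DDS service lines are unquoted and contain spaces)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split()
    for i in range(len(tokens)):
        candidate = " ".join(tokens[: i + 1])
        if candidate.lower().endswith(EXECUTABLE_EXT):
            return candidate
    return tokens[0] if tokens else ""


def letter_digit_transitions(stem):
    """Count adjacent letter<->digit switches; 'Pt9TfDN70D3wiZ' gives 6."""
    return sum(1 for a, b in zip(stem, stem[1:])
               if (a.isalpha() and b.isdigit()) or (a.isdigit() and b.isalpha()))


def looks_random(filename):
    """Assumed heuristic: three or more letter/digit switches in the stem.
    Loose on purpose, so 'FlashUtil11c_ActiveX' (2 switches) is not flagged."""
    stem = filename.rsplit(".", 1)[0] if "." in filename else filename
    return letter_digit_transitions(stem) >= 3


def reasons_for(path):
    """Why this path deserves review; an empty list means nothing stood out."""
    low = path.lower()
    reasons = []
    if any(d in low for d in USER_WRITABLE):
        reasons.append("runs from a user-writable location")
    if looks_random(low.rsplit("\\", 1)[-1]):
        reasons.append("random-looking filename")
    return reasons


def classify(line):
    """Map one DDS line to (kind, label, path), or None for lines we ignore."""
    m = RUN_RE.match(line)
    if m:
        return "autorun", m.group("name"), extract_path(m.group("cmd"))
    m = PLUGIN_RE.match(line)
    if m:
        return "plugin", "FF", m.group("path")
    m = CREATED_RE.match(line)
    if m:  # skip directories and anything that is not executable content
        if m.group("attrs").startswith("d") or not m.group("path").lower().endswith(EXECUTABLE_EXT):
            return None
        return "created", m.group("size") + " bytes", m.group("path")
    m = SERVICE_RE.match(line)
    if m:
        return "service", m.group("name"), extract_path(m.group("cmd"))
    return None


def triage(log_text):
    """Return one dict per entry worth a second look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        entry = classify(raw.strip())
        if entry is None:
            continue
        kind, label, path = entry
        reasons = reasons_for(path)
        if reasons:
            findings.append({"kind": kind, "label": label, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:<8} {f['label']:<32} {f['path']}")
        print(f"{'':<8} -> {'; '.join(f['reasons'])}")
```

On a real log, read the whole DDS.txt and pass it to triage(). Anything it flags under all users\application data or %temp% with a name like the one above is worth a hash lookup, and if it is confirmed bad, the file and every Run value or service that references it should go before the next normal-mode boot; a Run value removed while its file (or a second copy of it) survives is exactly the situation in which the rogue reappears at logon.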


Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs for these tools, use "copy/paste".

I don't see an anti-virus program running. Get a free one.

Only run one Anti-Virus at a time.

Use an AntiVirus Software - Choose only one - More than one will conflict. It is very important that your computer has anti-virus software running to protect against viruses. Update Antivirus prior to manual scans as necessary or as used. Please only choose one, having more than one can cause problems, such as crashes and your computer to slow down.

Run a full scan and let us know what it finds along with a new HijackThis log.

Also, please describe how your computer behaves at the moment.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
