
About a week ago, I was infected with the FakeAlert malware. I managed to partially restore my computer to functionality, but there is still something there that I cannot get rid of. It manifests itself in the form of "iexplore.exe *32" running in the background, appearing in my list of processes soon after startup. It hogs RAM until it is at the top of the memory list. It also tries to connect with this website IP address: 64.120.141.165. I will get several warnings from MBAM of this connection attempt. I can kill the process, but it reappears about a minute or two later.

This is a corporate workstation running Trend Micro Core Protection Module for Windows. In addition, I have installed MBAM and IOBit Malware Fighter (both free editions). None of the 3 programs can detect any malware or viruses from quick, smart or full system scans.

I also get the random redirect on internet search links; I must copy and paste the URL in order to reach the desired site.

Every time I restart the system, I cannot enable the MBAM protection module. I get the following error message: "[startService] Failed to perform desired action. Error Code: 1084" (or 1068). I must reinstall and update MBAM before I can successfully enable protection mode.

The following is a post of the latest DDS.txt:

.

DDS (Ver_2011-08-26.01) - NTFSAMD64 MINIMAL

Internet Explorer: 9.0.8112.16421

Run by MorilakM at 10:33:15 on 2011-11-19

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.12271.10977 [GMT -5:00]

.

AV: Trend Micro Core Protection Module *Enabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}

SP: Trend Micro Core Protection Module *Enabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: IObit Malware Fighter *Disabled/Updated* {A751AC20-3B48-5237-898A-78C4436BB78D}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\Explorer.EXE

C:\Windows\system32\ctfmon.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.cleveland.com/

uURLSearchHooks: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - C:\Program Files (x86)\IObit Toolbar\IE\4.7\iobitToolbarIE.dll

mWinlogon: Userinit=userinit.exe

BHO: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - C:\Program Files (x86)\IObit Toolbar\IE\4.7\iobitToolbarIE.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL

BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - C:\Program Files (x86)\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - C:\Program Files (x86)\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

TB: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - C:\Program Files (x86)\IObit Toolbar\IE\4.7\iobitToolbarIE.dll

uRun: [Advanced SystemCare 4] "C:\Program Files (x86)\IObit\Advanced SystemCare 4\ASCTray.exe"

uRun: [smartRAM] "C:\Program Files (x86)\IObit\Advanced SystemCare 4\Suo10_SmartRAM.exe" /m

uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

mRun: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe

mRun: [signIn] "C:\Program Files (x86)\Microsoft Online Services\Sign In\SignIn.exe" /autorun

mRun: [Client Access Service] "C:\Program Files (x86)\IBM\Client Access\cwbsvstr.exe"

mRun: [Client Access Help Update] "C:\Program Files (x86)\IBM\Client Access\cwbinhlp.exe"

mRun: [Client Access Check Version] "C:\Program Files (x86)\IBM\Client Access\cwbckver.exe" LOGIN

mRun: [Client Access Express Welcome] "C:\Program Files (x86)\IBM\Client Access\cwbwlwiz.exe"

mRun: [Client Access PC5250 Sound] "C:\Program Files (x86)\IBM\Client Access\Emulator\pcssnd.exe"

mRun: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [OfficeScanNT Monitor] "C:\Program Files (x86)\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

mRun: [searchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

mRunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

StartupFolder: C:\Users\MorilakM\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\Icon.E4680A49.3150.4622.A574.510DDBA8EE10.exe

StartupFolder: C:\Users\MorilakM\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\PSA_VA~1.LNK - C:\PSA_Vault

StartupFolder: C:\Users\MorilakM\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\YOURVA~1.LNK - C:\PSA_Vault\PSA\AK\Eng\MorilakM\CAPPER PROJECTS

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

mPolicies-system: MaxGPOScriptWait = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {12545791-AC9A-44B2-8964-0DA216C4A4E5} - hxxp://cadenas.partcommunity.com/partserver/viewer/cnsweb3d/cnsweb3d.cab

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {D59124D5-442C-44C5-BD9A-E81BB0582D55} - hxxp://raiseinstall.rockwellautomation.com/pstoolbox-lite-1-2010/setup.ocx

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 10.17.3.13 10.1.1.7

TCP: Interfaces\{949DFC89-904C-4A69-9618-BE31F411774D} : DhcpNameServer = 10.17.3.13 10.1.1.7

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL

BHO-X64: IObit Toolbar: {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} - C:\Program Files (x86)\IObit Toolbar\IE\4.7\iobitToolbarIE.dll

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL

BHO-X64: Viewpoint Toolbar BHO: {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files (x86)\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll

BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

BHO-X64: URLRedirectionBHO - No File

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB-X64: Viewpoint Toolbar: {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files (x86)\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll

TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

TB-X64: IObit Toolbar: {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} - C:\Program Files (x86)\IObit Toolbar\IE\4.7\iobitToolbarIE.dll

mRun-x64: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe

mRun-x64: [signIn] "C:\Program Files (x86)\Microsoft Online Services\Sign In\SignIn.exe" /autorun

mRun-x64: [Client Access Service] "C:\Program Files (x86)\IBM\Client Access\cwbsvstr.exe"

mRun-x64: [Client Access Help Update] "C:\Program Files (x86)\IBM\Client Access\cwbinhlp.exe"

mRun-x64: [Client Access Check Version] "C:\Program Files (x86)\IBM\Client Access\cwbckver.exe" LOGIN

mRun-x64: [Client Access Express Welcome] "C:\Program Files (x86)\IBM\Client Access\cwbwlwiz.exe"

mRun-x64: [Client Access PC5250 Sound] "C:\Program Files (x86)\IBM\Client Access\Emulator\pcssnd.exe"

mRun-x64: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [OfficeScanNT Monitor] "C:\Program Files (x86)\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

mRun-x64: [searchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

mRunOnce-x64: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL

.

============= SERVICES / DRIVERS ===============

.

R0 SmartDefragDriver;SmartDefragDriver;C:\Windows\system32\Drivers\SmartDefragDriver.sys --> C:\Windows\system32\Drivers\SmartDefragDriver.sys [?]

S2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]

S2 AdvancedSystemCareService;Advanced SystemCare Service;C:\Program Files (x86)\IObit\Advanced SystemCare 4\ASCService.exe [2011-4-28 328536]

S2 Application Updater;Application Updater;C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe [2011-9-27 745880]

S2 BrcmMgmtAgent;Broadcom Management Agent;C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe [2010-2-11 125952]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-4-26 136176]

S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-11-17 366152]

S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [2009-9-10 6803560]

S2 pdfcDispatcher;PDF Document Manager;C:\Program Files (x86)\PDF Complete\pdfsvc.exe [2010-9-2 635416]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-4-26 378472]

S2 TMAdptrSvr;Trend Micro Adapter Service;C:\Program Files (x86)\Trend Micro\Core Protection Module\TMCPMAdapter.exe [2011-5-23 990384]

S2 TmFilter;Trend Micro Filter;C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmxpflt.sys [2010-10-20 342288]

S2 TmPreFilter;Trend Micro PreFilter;C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmpreflt.sys [2010-10-20 42768]

S2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe [2011-4-11 24652]

S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;C:\Program Files\SolidWorks\swScheduler\DTSCoordinatorService.exe [2011-3-17 87336]

S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-9-30 1431888]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-4-26 136176]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-3-25 30969208]

S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]

S3 SIUSBXP;SIUSBXP;C:\Windows\system32\drivers\SiUSBXp.sys --> C:\Windows\system32\drivers\SiUSBXp.sys [?]

S3 Smcinst;Symantec Auto-upgrade Agent;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]

S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 TmProxy;OfficeScan NT Proxy Service;C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe [2010-4-24 917768]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

.

=============== File Associations ===============

.

.scr=AutoCADScriptFile

.

=============== Created Last 30 ================

.

2011-11-17 15:45:45 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2011-11-16 13:09:26 -------- d-----w- C:\Program Files (x86)\GPLGS

2011-11-16 13:09:05 85504 ----a-w- C:\Windows\System32\cpwmon64.dll

2011-11-16 13:09:04 -------- d-----w- C:\Program Files (x86)\Acro Software

2011-11-14 19:07:55 6637392 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8AE6B4A2-2BF2-465E-BF4E-133413F5C0FF}\mpengine.dll

2011-11-11 23:24:44 -------- d--h--w- C:\Users\MorilakM\AppData\Roaming\Malwarebytes

2011-11-11 19:24:24 -------- d-----w- C:\ProgramData\Malwarebytes

2011-11-02 12:09:05 -------- d--h--w- C:\ProgramData\Dassault Systemes

2011-10-28 19:31:19 -------- d--h--w- C:\ProgramData\GroupPolicy

2011-10-25 17:14:47 410976 ----a-w- C:\Windows\SysWow64\deploytk.dll

2011-10-25 11:52:09 -------- d-----w- C:\Program Files (x86)\Application Updater

2011-10-25 11:52:08 -------- d-----w- C:\Program Files (x86)\IObit Toolbar

2011-10-25 11:52:08 -------- d-----w- C:\Program Files (x86)\Common Files\Spigot

.

==================== Find3M ====================

.

2011-11-18 16:35:11 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2011-09-14 21:38:26 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll

2011-09-14 21:38:25 175616 ----a-w- C:\Windows\System32\msclmd.dll

.

============= FINISH: 10:41:15.39 ===============

I have also attached a zipped copy of "Attach.txt".

Thanks for being here to help us wretched cyber souls.

Mike Morilak

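For readers triaging a DDS log like the one above, here is an added example (my own Python, not code from this thread, from Malwarebytes, or from the DDS tool) that reads the policy and service lines and pulls out what a responder would want to look at first. The mPolicies-system lines in this log show UAC switched off (EnableLUA = 0), administrators elevating with no prompt (ConsentPromptBehaviorAdmin = 0) and the secure desktop disabled (PromptOnSecureDesktop = 0), which is why a "FakeAlert"-type infection can keep re-spawning a process and blocking a security service without any user consent dialog. The script also lists services and drivers whose entry ends in `[?]` instead of a date and size, which I read as DDS having been unable to stat the file; that reading, and the reading of the leading R0/S2/S3 token as running/stopped plus start type, are my assumptions rather than anything the thread states. The sample lines are copied from the posted log.

```python
import re

# Constructed sample: lines copied from the DDS log posted in this thread, enough to
# exercise both parsers. A real run would read the whole DDS.txt from disk instead.
SAMPLE_DDS = r"""
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
R0 SmartDefragDriver;SmartDefragDriver;C:\Windows\system32\Drivers\SmartDefragDriver.sys --> C:\Windows\system32\Drivers\SmartDefragDriver.sys [?]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-11-17 366152]
S3 Smcinst;Symantec Auto-upgrade Agent;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]
"""

# "mPolicies-system: EnableLUA = 0 (0x0)"  ->  hive m/u, area, value name, decimal, hex
POLICY_RE = re.compile(r"^([um])Policies-(\w+):\s*(\w+)\s*=\s*(-?\d+)\s*\((0x[0-9A-Fa-f]+)\)")

# "S2 name;display name;path [date size]" or "R0 name;display;path --> resolved path [?]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s*(?:-->\s*(.+?)\s*)?\[([^\]]*)\]\s*$")

# Messages for UAC-related values that are weak when set to 0 (facts about these
# registry policies, not claims taken from the thread).
UAC_FINDINGS = {
    "EnableLUA": "UAC is switched off (EnableLUA = 0): an admin user's processes run fully elevated",
    "ConsentPromptBehaviorAdmin": "Administrators elevate with no prompt (ConsentPromptBehaviorAdmin = 0)",
    "PromptOnSecureDesktop": "Elevation prompts would not use the secure desktop (PromptOnSecureDesktop = 0)",
}


def parse_policies(text):
    """Return {(hive, area, name): int value} for every uPolicies/mPolicies line."""
    policies = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            hive, area, name, value, _hex = m.groups()
            policies[(hive, area, name)] = int(value)
    return policies


def parse_services(text):
    """Parse SERVICES / DRIVERS lines into dicts. The leading token (R0, S2, S3, ...) is
    kept verbatim as 'state'; treating it as running/stopped plus start type is an
    assumption of this script. 'info' is the bracketed date/size, or '?' when DDS gave none."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        state, name, display, path, resolved, info = m.groups()
        services.append({
            "state": state,
            "name": name,
            "display": display,
            "path": resolved or path,   # prefer the path DDS resolved after "-->"
            "info": info.strip(),
        })
    return services


def triage(text):
    """Return the findings a responder should look at first, in a stable order."""
    findings = []
    policies = parse_policies(text)
    for name, message in UAC_FINDINGS.items():
        if policies.get(("m", "system", name)) == 0:
            findings.append(message)
    for svc in parse_services(text):
        if svc["info"] == "?":
            findings.append(f"{svc['name']} [{svc['state']}]: DDS recorded no file date/size for {svc['path']}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print("-", finding)
```

Run against the posted log this prints the three UAC findings and the two entries DDS could not stat (SmartDefragDriver.sys and the Symantec smcinst.exe). Neither list is proof of infection on its own; the point is that a machine with UAC fully disabled should be re-hardened once it is clean, and the unresolved files are the first ones to check against a known-good install.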

  • Staff

Hi and welcome to Malwarebytes.

I see you have IOBit software installed.

Please read this:

http://forums.malwarebytes.org/index.php?showtopic=33217

I highly recommend uninstalling their software.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Hi, screen317. Thanks for responding to my help request.

I have read the IOBit theft topic and, as you suggested, have uninstalled all of their products from my system.

Also, since this particular system is a corporate workstation, I must first obtain permission from my employer's IT function to perform the tasks you have suggested. Corporate IT is also the only entity in the organization who can temporarily disable the Trend Micro security software that is currently running on the system. Once I receive clearance to proceed, I will reply with the requested report files.

Thanks again,

Mike Morilak


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
