
Security Tool Rogue



Security Tool rogue infection; Malwarebytes was loaded (helped me before - thanks!), but would not run; tried to redownload, would not install mbam.exe; false desktop, exes affected, can't Google search. Message reads "Lsas.Blaster.Keyloger has infected ... .exe".

Tried ATF Cleaner, then ComboFix in safe mode. Rebooted. This eliminated a message I was seeing previously that stated a certain file could not be found, after which the desktop icons would disappear. Now that message does not appear and the icons are neatly arranged on the left of the desktop. The false desktop still appears; right-click > Show Desktop to see the icons. Security Tool still appears as soon as the desktop loads.

Below is my ComboFix log. XP Home Edition (see below).

ComboFix 09-10-06.04 - Chris Laptop 10/08/2009 7:36.1.1 - NTFSx86 MINIMAL

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.894.728 [GMT -4:00]

Running from: c:\documents and settings\Chris Laptop\Desktop\censoredyou.exe

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Rothko Gallery\autorun.inf

c:\program files\Common

c:\program files\Common\_helper.sig

c:\program files\Shared

c:\program files\Shared\lib.sig

c:\windows\Installer\aa882e.msp

c:\windows\Installer\ffe1dc.msp

c:\windows\system32\_000008_.tmp.dll

c:\windows\system32\_000009_.tmp.dll

c:\windows\system32\_000010_.tmp.dll

c:\windows\system32\famizula.dll

c:\windows\system32\gifepujo.dll

c:\windows\system32\gitabiga.dll

c:\windows\system32\jogevoma.dll

c:\windows\system32\kirasahi.dll

c:\windows\system32\logipefu.dll

C:\winlogon.exe

.

((((((((((((((((((((((((( Files Created from 2009-09-08 to 2009-10-08 )))))))))))))))))))))))))))))))

.

2009-10-08 01:19 . 2009-10-08 01:20 -------- d-----w- C:\ark

2009-10-08 00:55 . 2009-10-08 00:55 -------- d-----w- c:\program files\Windows Defender

2009-10-08 00:32 . 2009-10-08 00:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-10-08 00:18 . 2009-10-08 00:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-07 04:18 . 2009-10-07 04:18 4045528 ----a-w- C:\mbam-setup.exe

2009-10-06 19:08 . 2009-10-06 19:09 -------- d-----w- c:\documents and settings\All Users\Application Data\30474927

2009-09-13 01:36 . 2009-06-21 22:04 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-08 01:56 . 2007-12-25 22:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-10-08 00:39 . 2009-08-12 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2009-10-08 00:12 . 2009-08-11 00:34 -------- d-----w- c:\program files\renamed

2009-10-04 17:09 . 2007-10-02 22:38 -------- d-----w- c:\program files\yEnc32

2009-09-10 18:54 . 2009-08-11 00:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 18:53 . 2009-08-11 00:34 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-04 10:06 . 2009-09-04 10:03 -------- d-----w- c:\program files\PersonalAV

2009-08-12 15:01 . 2009-08-11 01:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-12 15:01 . 2009-08-11 01:31 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-12 15:01 . 2009-08-11 01:31 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-12 15:01 . 2009-08-11 01:31 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-08-12 15:01 . 2009-08-11 01:32 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys

2009-08-12 01:48 . 2009-08-11 01:31 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-08-11 01:49 . 2009-08-11 00:26 -------- d-----w- c:\documents and settings\Chris Laptop\Application Data\AVGTOOLBAR

2009-08-11 01:31 . 2009-08-11 01:31 -------- d-----w- c:\program files\AVG

2009-08-11 01:27 . 2006-12-20 18:54 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-08-11 01:22 . 2006-12-20 18:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-08-11 01:08 . 2009-08-09 23:47 -------- d-----w- c:\program files\dvwern

2009-08-11 00:34 . 2009-08-11 00:34 -------- d-----w- c:\documents and settings\Chris Laptop\Application Data\Malwarebytes

2009-08-11 00:34 . 2009-08-11 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-05 09:11 . 2004-08-10 18:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 18:55 . 2004-08-10 18:50 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 14:08 . 2004-08-10 18:51 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-08 00:10 . 2009-07-08 00:10 52224 --sha-w- c:\windows\system32\jifopufo.dll

2009-07-08 00:10 . 2009-07-08 00:10 1050659 --sha-w- c:\windows\system32\pujiyiho.exe

2009-07-06 19:08 . 2009-07-06 19:08 1050147 --sha-w- c:\windows\system32\vuhugeya.exe

2009-07-08 00:11 . 2009-07-08 00:11 52224 --sha-w- c:\windows\system32\zizatewa.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{074b14ac-d8d2-441e-84db-729f163737f3}]

2009-07-08 00:11 52224 --sha-w- c:\windows\system32\zizatewa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-09-02 15:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 49263]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 761947]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-20 98304]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-21 185896]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-29 2023704]

"30474927"="c:\documents and settings\All Users\Application Data\30474927\30474927.exe" [2009-10-06 1050147]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-09-22 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-12-20 24576]

Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-4 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-12 15:01 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\WINDOWS\\system32\\BCMWLTRY.EXE"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [8/10/2009 9:32 PM 12552]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/10/2009 9:31 PM 335240]

S1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/10/2009 9:31 PM 108552]

S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/12/2009 11:01 AM 908056]

S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/12/2009 11:01 AM 297752]

S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 4:42 PM 156968]

S3 RDID1079;UA-25EX;c:\windows\system32\drivers\Rdwm1079.sys [5/18/2009 9:28 PM 173953]

.

Contents of the 'Scheduled Tasks' folder

2009-10-08 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.dell.com

mSearch Bar = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-dunuvivin - c:\windows\system32\jogevoma.dll

HKLM-Run-vepadetiga - logipefu.dll

SharedTaskScheduler-{e91f78c3-c61b-4228-b694-c847ce67dedc} - c:\windows\system32\lejivaya.dll

SharedTaskScheduler-{02efaaa0-5470-494e-87c2-60f7ac1a9592} - c:\windows\system32\jogevoma.dll

SSODL-jisevahij-{e91f78c3-c61b-4228-b694-c847ce67dedc} - c:\windows\system32\lejivaya.dll

SSODL-zuvejuker-{02efaaa0-5470-494e-87c2-60f7ac1a9592} - c:\windows\system32\jogevoma.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-08 07:48

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(228)

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\BCMLogon.dll

.

Completion time: 2009-10-08 7:54 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-08 11:53

Pre-Run: 34,985,459,712 bytes free

Post-Run: 36,095,594,496 bytes free

194 --- E O F --- 2009-09-15 03:38

***************

Thanks for any next step recommendations!

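Added here as a worked example, not code from the original poster, the forum helper or the ComboFix project: a small Python triage script that reads ComboFix-style log lines and flags the four indicators a reviewer would circle in the log above: a Run value with an all-numeric name launching from a same-named folder under All Users\Application Data, hidden+system (`--sha-w-`) files with random eight-letter names in system32, Security Center monitoring/notification values set to 1, and the standard-profile firewall switched off. The sample lines are constructed to match the line shapes in the posted log; the rule names and the `triage` function are this example's own.

```python
import re

# Constructed sample, modelled on the line shapes of a ComboFix log
# (Run key, Find3M report, Security Center keys, firewall policy).
# Assembled for this example; not copied from a real host.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-29 2023704]
"30474927"="c:\documents and settings\All Users\Application Data\30474927\30474927.exe" [2009-10-06 1050147]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
2009-07-17 18:55 . 2004-08-10 18:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-08 00:10 . 2009-07-08 00:10 52224 --sha-w- c:\windows\system32\jifopufo.dll
2009-07-06 19:08 . 2009-07-06 19:08 1050147 --sha-w- c:\windows\system32\vuhugeya.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Line shapes as they appear in the posted log (assumed stable for this example).
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$')
FIND3M_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+'
    r'(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
INT_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\d+)\b')
# Eight lowercase letters plus .dll/.exe: the naming pattern of the dropped files above.
RANDOM_NAME_RE = re.compile(r'^[a-z]{8}\.(dll|exe)$')
SECURITY_CENTER_FLAGS = {"disablemonitoring", "updatesdisablenotify"}


def triage(log_text):
    """Return a list of (rule, detail) findings for the indicators described above."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            section = m.group("key").lower()  # remember which registry key we are under
            continue
        m = FIND3M_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            base = path.lower().rsplit("\\", 1)[-1]
            # attrs[2] is the system flag, attrs[3] the hidden flag (e.g. "--sha-w-")
            if "\\system32\\" in path.lower() and attrs[2] == "s" and attrs[3] == "h" \
                    and RANDOM_NAME_RE.match(base):
                findings.append(("hidden-system-file", f"{path} ({attrs})"))
            continue
        if section.endswith("\\currentversion\\run"):
            m = RUN_RE.match(line)
            if m:
                name, path = m.group("name"), m.group("path")
                parts = path.lower().rsplit("\\", 2)
                parent_dir = parts[-2] if len(parts) >= 2 else ""
                # All-digit value name, or launched from an all-digit folder
                if name.isdigit() or parent_dir.isdigit():
                    findings.append(("run-key", f"{name} -> {path}"))
        elif "security center" in section:
            m = DWORD_RE.match(line)
            if m and m.group("name").lower() in SECURITY_CENTER_FLAGS \
                    and int(m.group("val"), 16) == 1:
                findings.append(("security-center", f"{m.group('name')}=1 under {section}"))
        elif "firewallpolicy" in section and section.endswith("standardprofile"):
            m = INT_RE.match(line)
            if m and m.group("name") == "EnableFirewall" and m.group("val") == "0":
                findings.append(("firewall", f"EnableFirewall=0 under {section}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

Run as-is it reports six findings for the constructed sample: the numeric Run entry, the two hidden+system files, the two Security Center values and the disabled firewall. The heuristics are deliberately narrow (exact attribute positions, eight-letter names) so they read cleanly; widening them to a real log means checking the Find3M attribute layout of the ComboFix version in use.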

Hi and welcome to the forum! :lol:

Please read and follow ALL the instructions below. Thanks!

Scan and post logs - read note at bottom in green

If you're having malware-related issues with your computer that you're unable to resolve:

1. Please read and follow the instructions provided here: I'm infected - What do I do now?

2. If needed, please post your logs in a NEW topic here: Malware Removal - HijackThis Logs

3. When posting logs please do not use any Quote, Code, or other tags. Please copy/paste directly into your post and do not attach files unless requested.

* Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.

* Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.

* Using these other tools often makes the cleanup task more difficult and time consuming.

* If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.

* Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.

* There are often many others that require assistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review.

* NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues, and someone will assist you as soon as they can.
