
Malware won't go away



Yesterday, while browsing tpb, I became infected by a rogue virus that calls itself "SECURITY GUARD."

At first, I wasn't able to launch any exe files, but by using rkill and some other small things, exe files are now executable.

I ran MBAM, but it wouldn't open, so I renamed it and it worked like a charm.

I supposedly had 802 infected files within yesterday and today.

I quarantined them and only 4 registry keys (I'm a computer noob) wouldn't quarantine.

I rebooted my XP system with confidence, but when the home screen popped up, this virus was still here.

I performed another scan and 707 infected files were found.

I turned off the internet connection on my laptop just in case.

Not sure what I'm doing wrong here...

Thanks so much in advance!

mbam_log_2010_03_19__21_28_25_.txt

mbam_log_2010_03_19__21_53_11_.txt


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post (don't attach) its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post the one that is not minimized.

-screen317


Got it to open.

DDS (Ver_10-03-17.01) - NTFSx86

Run by Darian at 11:01:54.10 on Sat 03/20/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1536 [GMT -5:00]

AV: Security Guard *On-access scanning enabled* (Updated) {6FA6956A-7B91-4B40-9B3C-857B5597D502}

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Security Guard *On-access scanning enabled* (Updated) {A0A816F0-127D-4BAB-8D96-EE1F364695C6}

FW: Security Guard *enabled* {77AD0306-8A22-4F8E-A71F-97AA13DF0DF7}

FW: Security Guard *enabled* {EF5C07A6-03FE-4CFC-B620-D9189C38B857}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\DellTPad\Apoint.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\DellTPad\Apntex.exe

svchost.exe

C:\WINDOWS\system32\ASTSRV.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe

C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v133\WDM\STacSV.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Darian\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/

uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll

uWinlogon: Shell=explorer.exe, "c:\documents and settings\all users\application data\e39425d\SGe394.exe" /s /d

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll

uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [security Guard] "c:\documents and settings\all users\application data\e39425d\SGe394.exe" /s /d

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264034218518

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

TCP: {09DFA091-49D0-443A-A271-73577C26758B} = 217.23.14.75,4.2.2.1,192.168.0.1

TCP: {E2005D5F-8767-4BE1-B354-759C949B1F13} = 217.23.14.75,4.2.2.1

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: doheyesi.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

LSA: Notification Packages = scecli doheyesi.dll

IFEO: image file execution options - svchost.exe

IFEO: a.exe - svchost.exe

IFEO: aAvgApi.exe - svchost.exe

IFEO: AAWTray.exe - svchost.exe

IFEO: About.exe - svchost.exe

Note: multiple IFEO entries found. Please refer to Attach.txt

Hosts: 74.125.45.100 4-open-davinci.com

Hosts: 74.125.45.100 securitysoftwarepayments.com

Hosts: 74.125.45.100 privatesecuredpayments.com

Hosts: 74.125.45.100 secure.privatesecuredpayments.com

Hosts: 74.125.45.100 getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\darian\applic~1\mozilla\firefox\profiles\x3tdcmhw.default\

FF - prefs.js: browser.search.selectedEngine - search

FF - prefs.js: browser.startup.homepage - hxxp://speedhunters.com/

FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=61293&p=

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-20 216200]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-20 29512]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-20 242696]

R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2009-9-15 188736]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2010-1-20 105984]

S0 kvuupc;kvuupc; [x]

S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-12 308064]

S3 isadeep;isadeep;c:\windows\system32\isadeep.sys [2008-4-13 2304]

=============== Created Last 30 ================

2010-03-19 21:45:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-19 21:45:44 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-19 21:45:44 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-19 20:34:55 0 d-sh--w- c:\docume~1\darian\applic~1\Security Guard

2010-03-19 20:34:54 0 d-sh--w- c:\docume~1\alluse~1\applic~1\SGHMPGD

2010-03-19 20:34:10 0 d-sh--w- c:\docume~1\alluse~1\applic~1\e39425d

2010-03-19 01:08:49 5956 --sh--w- c:\windows\system32\yudukoke.exe

2010-03-17 13:15:26 257536 ----a-w- c:\windows\system32\sugedaji.exe

2010-03-15 02:42:26 5740 ----a-w- c:\windows\system32\d3d9caps.dat

2010-03-12 21:37:09 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-02-28 19:03:17 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-02-28 19:03:17 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-02-24 02:58:17 991747 ----a-w- c:\temp\IMATION FLASH LOGINVID_0718&PID_013307180133AC14032.exe

2010-02-24 02:58:17 0 d-----w- C:\temp

2010-02-22 01:59:05 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll

2010-02-22 01:59:05 17728 ----a-w- c:\windows\system32\nitrolocalui.dll

2010-02-22 01:58:47 0 d-----w- c:\program files\common files\Nitro PDF

2010-02-22 01:58:46 0 d-----w- c:\program files\Nitro PDF

2010-02-22 01:57:44 0 d-----w- c:\docume~1\darian\applic~1\Downloaded Installations

==================== Find3M ====================

2010-03-12 21:37:13 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-12 21:36:35 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-01-22 01:46:47 87608 ----a-w- c:\docume~1\darian\applic~1\inst.exe

2010-01-22 01:46:46 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys

2010-01-22 01:46:46 47360 ----a-w- c:\docume~1\darian\applic~1\pcouffin.sys

2010-01-21 01:57:38 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf

2010-01-21 01:57:36 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2010-01-20 22:58:56 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll

1601-01-01 00:03:28 173568 --sha-w- c:\windows\system32\dapotado.exe

1601-01-01 00:03:28 232448 --sha-w- c:\windows\system32\hufufoga.exe

1601-01-01 00:03:28 82944 --sha-w- c:\windows\system32\sofofuhi.exe

============= FINISH: 11:02:02.39 ===============

New_WinRAR_ZIP_archive.zip

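The DDS log above carries several classic rogue-AV persistence and self-defence entries: a Winlogon Shell value with a second executable appended to explorer.exe, Image File Execution Options "debugger" entries that redirect named programs (including security tools) to svchost.exe, a DLL in AppInit_DLLs and in the LSA Notification Packages list, Hosts-file pins for vendor and payment domains, and an autorun living under Application Data. The following is an added triage script, not DDS or Malwarebytes code, that reads such lines and flags these patterns so a helper can see at a glance what the fix script has to undo. The category names and the "Application Data" heuristic are choices made for this example; the sample lines are a constructed subset copied from the log in this thread.

```python
"""Triage a DDS 'Pseudo HJT Report' for persistence and hijack patterns.
Added example for this thread, not DDS or Malwarebytes code. The category
names are hypothetical; SAMPLE_DDS_LINES is a constructed subset of the
log posted above."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a handful of lines taken from the DDS log in this thread.
SAMPLE_DDS_LINES = [
    r"uStart Page = hxxp://google.com/",
    r'uWinlogon: Shell=explorer.exe, "c:\documents and settings\all users\application data\e39425d\SGe394.exe" /s /d',
    r"BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll",
    r'uRun: [security Guard] "c:\documents and settings\all users\application data\e39425d\SGe394.exe" /s /d',
    r"mRun: [igfxTray] c:\windows\system32\igfxtray.exe",
    r"AppInit_DLLs: doheyesi.dll",
    r"LSA: Notification Packages = scecli doheyesi.dll",
    r"IFEO: a.exe - svchost.exe",
    r"IFEO: aAvgApi.exe - svchost.exe",
    r"Hosts: 74.125.45.100 securitysoftwarepayments.com",
    r"Hosts: 74.125.45.100 getantivirusplusnow.com",
    r"Notify: igfxcui - igfxdev.dll",
]


@dataclass(frozen=True)
class Finding:
    category: str   # hypothetical category name chosen for this example
    detail: str     # the value that triggered the finding


_WINLOGON = re.compile(r"^uWinlogon:\s*Shell=(.*)$")
_IFEO = re.compile(r"^IFEO:\s*(.+?)\s+-\s+(.+)$")
_APPINIT = re.compile(r"^AppInit_DLLs:\s*(\S.*)$")
_LSA = re.compile(r"^LSA:\s*Notification Packages\s*=\s*(.*)$")
_HOSTS = re.compile(r"^Hosts:\s*(\S+)\s+(\S+)$")
_RUN = re.compile(r"^[um]Run:\s*\[(.*?)\]\s*(.+)$")


def classify_line(line: str) -> Optional[Finding]:
    """Return a Finding for a line that matches a hijack pattern, else None."""
    line = line.strip()
    m = _WINLOGON.match(line)
    if m:
        # The Winlogon Shell value should be exactly explorer.exe; anything
        # appended to it is started with the desktop on every logon.
        shell = m.group(1).strip()
        if shell.lower() != "explorer.exe":
            return Finding("winlogon_shell_hijack", shell)
        return None
    m = _IFEO.match(line)
    if m:
        # An IFEO entry makes Windows run the "debugger" instead of the image.
        # Pointing security tools at svchost.exe is how they are silently blocked.
        image, debugger = m.group(1), m.group(2).strip()
        return Finding("ifeo_debugger", f"{image} -> {debugger}")
    m = _APPINIT.match(line)
    if m:
        # AppInit_DLLs are loaded into every process that links user32.dll.
        return Finding("appinit_dll", m.group(1).strip())
    m = _LSA.match(line)
    if m:
        # scecli is the stock LSA notification package; any extra DLL here is
        # loaded by lsass.exe and sees password-change notifications.
        extras = [p for p in m.group(1).split() if p.lower() != "scecli"]
        if extras:
            return Finding("lsa_notification_package", " ".join(extras))
        return None
    m = _HOSTS.match(line)
    if m:
        # DDS lists only non-default Hosts entries; these pin vendor or
        # payment domains to an address the malware chose.
        ip, host = m.groups()
        return Finding("hosts_redirect", f"{host} -> {ip}")
    m = _RUN.match(line)
    if m:
        # Heuristic: autoruns living under Application Data rather than
        # Program Files or system32 deserve a closer look.
        name, command = m.groups()
        if "application data" in command.lower():
            return Finding("run_from_appdata", f"[{name}] {command}")
        return None
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run classify_line over every line and keep the hits, in log order."""
    return [f for f in (classify_line(l) for l in lines) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_DDS_LINES)
    for f in hits:
        print(f"{f.category:26} {f.detail}")
    print(summarize(hits))
```

Run against the full DDS output (for example `scan(open("DDS.txt").read().splitlines())`), the script reports each Winlogon, IFEO, AppInit, LSA, Hosts and Application-Data autorun line once; the Run-key heuristic is deliberately loose and will also surface legitimate per-user installers, so its hits are leads rather than verdicts.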
