Jump to content

Desktop Security 2010 Malware


Recommended Posts

I have already posted this on bleepingcomputer.com, but am trying here in hopes that I get some response from your experts as well.

I have managed to pick up Desktop Security 2010. My first response to anything like this is to run ComboFix. It did not work, so I went to bleepingcomputer.com's suggested fix, and followed all of the steps precisely. Malwarebytes' Anti-Malware said that it found the virus, and I selected the option to remove it, which it said it did. Unfortunately, as soon as I rebooted my computer, it was still there.

So, PLEASE HELP. This is the first time I have ever encountered anything that ComboFix would not remove.

DDS.txt Log:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Stefanie Soliday at 16:13:55.89 on Mon 08/16/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.824 [GMT -4:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AskBarDis\bar\bin\AskService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\lxeacoms.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\QuickTime\QTTask.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\PDF Complete\pdfsty.exe

C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe

C:\Program Files\PDF Complete\pdfsaver.exe

C:\Program Files\Lexmark S300-S400 Series\ezprint.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Documents and Settings\Stefanie Cardwell\Application Data\Desktop Security\Desktop Security 2010.exe

C:\PROGRA~1\MICROS~3\rapimgr.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\CheckPoint\ZAForceField\ForceField.exe

C:\Documents and Settings\Stefanie Cardwell\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Stefanie Cardwell\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\rundll32.exe

C:\Documents and Settings\Stefanie Cardwell\My Documents\Downloads\dds (1).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZone.dll

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar1.dll

BHO: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZone.dll

BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

BHO: {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - No File

BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll

BHO: Java

Attach.txt

combofixlog.txt

mbam_log_2010_08_15__17_52_36_.txt

mbam_log_2010_08_15__20_00_36_.txt

mbam_log_2010_08_17__14_46_23_.txt

mbam_log_2010_08_18__07_48_44_.txt

Link to post
Share on other sites

  • Root Admin

STEP 01

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=-
"Desktop Security"=-
Folder::
c:\documents and settings\Stefanie Cardwell\Application Data\Desktop Security
File::
c:\documents and settings\Stefanie Cardwell\Application Data\Desktop Security\Desktop Security 2010.exe
c:\windows\system32\AC1C9E7D69.sys
c:\program files\ag_playfuldolphin.exe

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
    When the scan completes Notepad will open with with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 21 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 21 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u21 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files

      [*]Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

      [*]Click OK to leave the Temporary Files Window

      [*]Click OK to leave the Java Control Panel.

STEP 03

    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup234_slim.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Click finish when done and close ALL PROGRAMS including your Web Browser
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Uncheck cookies too if you wish to save them otherwise they will be removed as well
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 04

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log on your next reply.

Link to post
Share on other sites

  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.