
Hi, I'm desperate for help. I ended up getting the Windows Security Center malware. I've tried Ad-Aware but it didn't detect it. After researching and reading the boards I tried to download MBAM, but the virus is preventing the install from opening. I don't know what to do. I'm running XP if that matters.

So I downloaded and ran dds and this is what the results showed:

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by SUE at 23:16:16.20 on Sun 05/15/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.610 [GMT -7:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Cbgibi\Ycifh.exe

C:\Documents and Settings\SUE\Local Settings\Application Data\lkq.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\System32\DSentry.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Microsoft Money\System\urlmap.exe

C:\Documents and Settings\SUE\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/?ilc=1

uSearch Page =

uDefault_Page_URL = hxxp://www.dellnet.com

uSearch Bar =

uDefault_Search_URL =

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = About:Blank

mSearchAssistant =

mCustomizeSearch =

mURLSearchHooks: H - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll

TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll

TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File

TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US

mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [uorneslp] c:\program files\cbgibi\Ycifh.exe

mRun: [toz] c:\windows\toz.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [NAV Agent] c:\progra~1\norton~1\navapw32.exe

mRun: [mzob] c:\windows\mzob.exe

mRun: [mswspl] c:\program files\hasbro interactive\atari arcade hits 1\Atari icon.exe

mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe

mRun: [mfkpojwv] c:\windows\mfkpojwv.exe

mRun: [mdkpybsd] c:\windows\mdkpybsd.exe

mRun: [kfmdgf] c:\windows\kfmdgf.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [g0vbt9zy] c:\program files\g0vbt9zy\g0vbt9zy.exe

mRun: [fisuinsg] c:\windows\system32\ylhtul.exe

mRun: [DVDSentry] c:\windows\system32\DSentry.exe

mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe

mRun: [CTHelper] CTHELPER.EXE

mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE

mRun: [bCMSMMSG] BCMSMMSG.exe

mRun: [ATIModeChange] Ati2mdxx.exe

mRun: [Atari Launcher] c:\program files\hasbro interactive\atari arcade hits 1\Atari icon.exe

mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"

mPolicies-explorer: <NO NAME> =

IE: c:\progra~1\common~1\btlink\btlink.dll//iemenu

IE: Web Savings - file://c:\program files\websavingsfromebates\system\temp\ebateswebsavings_script0.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab

DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/2703ff2e11cc28eadc19/netzip/RdxIE601.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120077386453

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1277453568015

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/ultrashim.cab

DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab

DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

LSA: Notification Packages = scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli

.

============= SERVICES / DRIVERS ===============

.

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-4-29 2146496]

R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [2010-6-25 20480]

R3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]

R3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]

S2 Installer;Installer Service;c:\windows\system32\winst.exe --> c:\windows\system32\winst.exe [?]

S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2001-8-13 54408]

S2 WLSVC;WLSVC;c:\program files\trendnet\tew-424ub\WLSVC.exe [2010-6-25 167936]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-4-29 15232]

S3 NAVAP;NAVAP;c:\windows\system32\drivers\NAVAP.SYS [2004-1-26 184416]

S3 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\Navapsvc.exe [2002-2-27 116344]

S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20040121.006\NAVENG.Sys [2004-1-26 67568]

S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20040121.006\NavEx15.Sys [2004-1-26 598224]

S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\RTL8187B.sys [2010-6-25 264576]

.

=============== Created Last 30 ================

.

2011-05-15 06:57:07 -------- d-----w- c:\windows\pss

2011-05-14 10:16:26 16432 ----a-w- c:\windows\system32\lsdelete.exe

2011-05-14 07:28:31 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-05-14 07:07:33 -------- d-----w- c:\windows\system32\LogFiles

2011-05-14 07:05:19 -------- d-----w- c:\program files\Lavasoft

2011-05-14 06:26:01 234116 --sha-w- c:\docume~1\sue\locals~1\applic~1\lkq.exe

.

==================== Find3M ====================

.

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll

2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec

2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll

.

============= FINISH: 23:17:44.62 ===============


Print out these instructions as we may need to close every window that is open later in the fix.

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

Do not reboot your computer after running rkill as the malware programs will start again.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)

There are 5 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right-click and choose Run as Admin.

You only need to get one of them to run, not all of them.

  1. rkill.exe
  2. rkill.com
  3. rkill.scr
  4. WiNlOgOn.exe
  5. uSeRiNiT.exe

Do not reboot your computer after running rkill as the malware programs will start again.

Now try the MBAM install and scan

Please don't attach the scans / logs for these tools, use "copy/paste".


Alright, found and removed 15 infections and it seems to be working great. Appreciate the help, couldn't have done it on my own. Here's the log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6594

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/16/2011 9:27:43 PM

mbam-log-2011-05-16 (21-27-32).txt

Scan type: Full scan (C:\|)

Objects scanned: 292436

Time elapsed: 43 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 6

Registry Values Infected: 0

Registry Data Items Infected: 6

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{E856B973-45FD-4559-8F82-EAB539144667} (Adware.Gdown) -> No action taken.

HKEY_CLASSES_ROOT\TypeLib\{DF058C45-CD18-453e-8745-5A77F60722AB} (Adware.Gdown) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{B5A33C35-7298-4D15-8753-A2E851E2EAB3} (Adware.Gdown) -> No action taken.

HKEY_CLASSES_ROOT\GTDOWNDE.GTAutoFixDLCtrl.1 (Adware.Gdown) -> No action taken.

HKEY_CLASSES_ROOT\GTDOWNDE.GTAutoFixDLCtrl (Adware.Gdown) -> No action taken.

HKEY_CLASSES_ROOT\MyWayToolBar.SettingsPlugin (Adware.MyWaySearch) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\SUE\Local Settings\Application Data\lkq.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\SUE\Local Settings\Application Data\lkq.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\SUE\Local Settings\Application Data\lkq.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\SUE\application data\Sun\Java\deployment\cache\6.0\22\39e1d656-4a94939f (Trojan.FakeAlert.Gen) -> No action taken.

c:\documents and settings\SUE\local settings\application data\lkq.exe (Trojan.FakeAlert.Gen) -> No action taken.

c:\WINDOWS\SYSTEM32\gtdownde_87.ocx (Adware.Gdown) -> No action taken.


Good job

You can delete rKill

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt
    6. Change the Download unsigned ActiveX controls to Disable
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
    8. Change the Installation of desktop items to Prompt
    9. Change the Launching programs and files in an IFRAME to Prompt
    10. Change the Navigate sub-frames across different domains to Prompt
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

  • Use a secure browser plugin - M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.

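The MBAM log earlier in this thread shows the two registry tricks this infection used (the StartMenuInternet browser commands rewritten to launch lkq.exe with the real browser as an argument, and the three Security Center *DisableNotify values flipped to 1), and the clean-up post above asks the user to tighten six ActiveX-related settings in the Internet zone. The script below is an added, read-only audit that checks all three in one pass; it is not code from the thread, from Malwarebytes or from BleepingComputer. The StartMenuInternet and Security Center registry paths are the ones printed in the MBAM log. The Internet-zone path and the numeric action codes (1001, 1004, 1201, 1800, 1804, 1607, with 0 = Enable, 1 = Prompt, 3 = Disable) are assumed from Microsoft's documentation of IE zone settings and should be confirmed against the Custom Level dialog on the machine being checked.

```powershell
# Added example, not part of the original thread. Read-only audit; run in an elevated PowerShell.
$findings = @()

# 1. StartMenuInternet hijack (Hijack.StartMenuInternet in the MBAM log).
#    Flag any browser "open"/"safemode" command whose first token is not the
#    registered browser itself, or that lives in a user-writable location.
$clients = 'HKLM:\SOFTWARE\Clients\StartMenuInternet'
Get-ChildItem -Path $clients -ErrorAction SilentlyContinue | ForEach-Object {
    $browser = $_.PSChildName                      # e.g. FIREFOX.EXE, IEXPLORE.EXE
    foreach ($verb in 'open', 'safemode') {
        $key = "$clients\$browser\shell\$verb\command"
        $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if (-not $cmd) { continue }
        # The first quoted (or unquoted) token is the executable actually launched.
        $first = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
        $launchesOtherExe = ([IO.Path]::GetFileName($first) -ne $browser)   # -ne is case-insensitive
        $userWritable = $first -match '(?i)\\(Local Settings\\Application Data|AppData\\Local|Temp)\\'
        if ($launchesOtherExe -or $userWritable) {
            $findings += "StartMenuInternet\$browser\shell\$verb launches '$first' instead of $browser"
        }
    }
}

# 2. Security Center notifications suppressed (PUM.Disabled.SecurityCenter in the log).
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$scProps = Get-ItemProperty -Path $sc -ErrorAction SilentlyContinue
foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    if ($scProps.$name -eq 1) {
        $findings += "Security Center\$name = 1 (notifications suppressed; expected 0)"
    }
}

# 3. Internet-zone ActiveX settings from the clean-up checklist.
#    Zone 3 = Internet. Action codes and meanings are ASSUMED from Microsoft's
#    zone-settings documentation: 0 = Enable, 1 = Prompt, 3 = Disable.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$wanted = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Expect = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Expect = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Expect = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Expect = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Expect = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';             Expect = 1 }
}
$zoneProps = Get-ItemProperty -Path $zone -ErrorAction SilentlyContinue
foreach ($code in $wanted.Keys) {
    $actual = $zoneProps.$code
    if ($null -eq $actual -or $actual -ne $wanted[$code].Expect) {
        $findings += ("IE Internet zone {0} ('{1}') is {2}, expected {3}" -f
            $code, $wanted[$code].Name, $actual, $wanted[$code].Expect)
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

The script only reads the registry and prints what differs from the expected state, so it can be run before and after a clean-up to confirm that the browser launch commands point at the browser again, that Security Center warnings are back on, and that the Custom Level changes actually took effect. A machine that was cleaned with MBAM should report nothing under sections 1 and 2; anything still listed there deserves a second look, since a launcher sitting in the user's Local Settings\Application Data is exactly the pattern the log recorded.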