Jump to content

Recommended Posts

Hey all...thanks in advance for your help!

So, basically, this is how my problems started. This morning, when I got on my computer, I had a program that had taken over my computer called "Security Protection". It was basically running fake virus scans, trying to scare me into buying their product. Additionally, it was blocking me from running any .exe files, and had taken over my search engine. At the advice of another website, I logged on in Safe Mode with Networking, ran tdsskiller, ran combofix, and ran Malwarebytes. Combofix alterted me to the presence of some virus called rootkit.zeroaccess, and unsuccesfully removed it. Malwarebytes crashed after a minutes or two, and now the icon has changed, and when I try to run it again, it says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." When I log on in Normal Mode, "Security Protection" is still there, causing all the same mayhem as before.

So, I tried to follow the directions regarding posting, although obviously I don't have a Malwarebytes log. Here are the other logs though...

.

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK

Internet Explorer: 8.0.6001.19088

Run by Denise at 13:56:15 on 2011-08-31

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.1603 [GMT -7:00]

.

AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\Explorer.EXE

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop

uInternet Settings,ProxyOverride = *.local

mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AOL Radio Toolbar Loader: {2abdb2f7-4cbf-4939-ba12-fddc827b6a2d} - c:\program files\aol radio toolbar\aolradiotb.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: VeriSoft Access Manager: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\bioscrypt\verisoft\bin\ItIEAddIn.dll

BHO: ChromeFrame BHO: {ecb3c477-1a0a-44bd-bb57-78f9efe34fa7} - c:\program files\google\chrome frame\application\13.0.782.218\npchrome_frame.dll

TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll

TB: AOL Radio Toolbar: {9167da98-6f9b-46f1-991d-826cae46cab6} - c:\program files\aol radio toolbar\aolradiotb.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [security Protection] c:\users\denise\appdata\roaming\defender.exe

mRun: [sMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [CognizanceTS] rundll32.exe c:\progra~1\bioscr~1\verisoft\bin\ASTSVCC.dll,RegisterModule

mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe

mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"

mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: &AOL Radio Toolbar Search - c:\programdata\aol radio toolbar\ietoolbar\resources\en-us\local\search.html

IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.1 68.238.64.12

TCP: Interfaces\{4621B96E-C8AB-4265-8EAE-756D44A54A3C} : DhcpNameServer = 209.18.47.61 209.18.47.62 0.0.0.0

TCP: Interfaces\{708D262C-9703-494D-B1D5-45127FB711AE} : DhcpNameServer = 192.168.1.1 68.238.64.12

Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\google\chrome frame\application\13.0.782.218\npchrome_frame.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: c:\windows\system32\APSHook.dll

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

.

============= SERVICES / DRIVERS ===============

.

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-8-31 136360]

S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-8-31 269480]

S2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2008-6-4 21504]

S2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2008-6-4 21504]

S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-8-31 66616]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 EnGenius11nSU;EnGenius11nSU;c:\program files\engenius\11n usb wireless lan utility\rtlservice.exe --> c:\program files\engenius\11n usb wireless lan utility\RtlService.exe [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-7-1 133104]

S2 lxeeCATSCustConnectService;lxeeCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeeserv.exe [2011-6-4 193192]

S2 Updater Service for StartNow Toolbar;Updater Service for StartNow Toolbar;c:\program files\startnow toolbar\toolbarupdaterservice.exe --> c:\program files\startnow toolbar\ToolbarUpdaterService.exe [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-7-1 133104]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8192su.sys [2011-5-21 541728]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-08-31 18:04:13 -------- d-----w- c:\users\denise\appdata\roaming\Avira

2011-08-31 18:03:11 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-08-31 18:03:10 -------- d-----w- c:\programdata\Avira

2011-08-31 18:03:10 -------- d-----w- c:\program files\Avira

2011-08-31 16:31:17 -------- d-s---w- C:\ComboFix

2011-08-31 16:16:27 -------- d-----w- C:\TDSSKiller_Quarantine

2011-08-31 15:39:33 43408 --sha-w- c:\windows\system32\c_47915.nl_

2011-08-31 15:20:47 4194304 ----a-w- c:\windows\system32\qnbwvoto.dll

2011-08-31 15:14:18 839680 ----a-w- c:\users\denise\appdata\roaming\defender.exe

2011-08-30 13:59:31 7152464 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{7ce73511-85e1-4e37-bb6d-318aa5ba426a}\mpengine.dll

2011-08-10 23:26:33 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2011-08-10 03:18:17 -------- d-sh--w- C:\$RECYCLE.BIN

2011-08-09 18:29:34 10074 ----a-w- c:\programdata\SPLC6BB.tmp

2011-08-08 22:42:28 423452 ----a-w- c:\programdata\SPLEBF3.tmp

2011-08-05 06:20:17 -------- d-----w- c:\program files\Lavasoft

2011-08-02 02:00:07 -------- d-----w- c:\users\denise\.thumbnails

.

==================== Find3M ====================

.

2011-08-31 16:17:08 54784 ----a-w- c:\windows\system32\drivers\i8042prt.sys

2011-08-31 15:39:13 66560 ----a-w- c:\windows\system32\drivers\smb.sys

2011-08-16 15:42:41 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-26 16:33:54 0 ----a-w- c:\programdata\oxav.exe

2011-07-26 16:33:54 0 ----a-w- c:\programdata\opyj.exe

2011-07-26 16:33:54 0 ----a-w- c:\programdata\mawn.exe

2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-26 06:45:56 256000 ----a-w- c:\windows\PEV.exe

.

============= FINISH: 13:57:52.09 ===============

ark.zip

attach.zip

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

Link to post
Share on other sites

Thanks for helping out...and sorry I didn't respond sooner. For some reason I didn't get an email notification of your reply, and I almost never saw it. So, an update on my situation is that the infected computer can no longer get online, and won't boot up in normal mode (it just goes to a blue screen while loading Windows and then crashes). This means that I can't run any of these diagnostics in normal mode, and I can't even run a diagnostic on my internet connection in order to see if I can get it back up and running. In the meantime, I'm just going to have to transfer any necessary programs from one computer to the other via flash drive.

So, with that being said, I managed to run Malwarebytes (hopefully with an up to date definitions file?), and I have posted the log. Also, I was unable to convince Combofix that Avira's scanner was disabled, so I uninstalled Avira and ran Combofix afterward, and posted the log.

mbam-log-2011-09-07 (11-17-15).txt

Combofix.zip

Link to post
Share on other sites

  • Staff

Hi,

When did you lose connection?

Delete your copy of ComboFix. Grab a fresh copy and save it to your Desktop, but do not run it yet (get it from another computer). Before you download it, rename it to sega.com

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Click Start --> Run, and enter this command exactly as shown:

"%userprofile%\desktop\sega.com" /killall

When it finishes, post its log and see if Internet is still gone after a reboot.

Link to post
Share on other sites

I lost my connection a few days ago. Before I posted in the forum, I read and followed all of the instructions given in this thread: http://forums.malwarebytes.org/index.php?showtopic=9573. After following all steps, I turned my infected PC off, and didn't turn it on again for a couple of days. When I turned it on, I found that I could no longer connect to the internet (it says "local only" on my connection) and I could no longer boot into normal mode (it goes to a blue screen and crashes).

Anyhow, I followed your steps, and attached the log. My internet connection still doesn't seem to be working, however.

Combofix Log.txt

Link to post
Share on other sites

  • Staff

Hi,

My apologies for the delay.

What does the BSoD say when you try to boot into Normal Mode?

Download BlueScreenView and save it to your Desktop.

  • Double click on BlueScreenView.exe file to run the program.
  • When it finishes scanning, click Edit --> Select All.
  • Click File --> Save Selected Items
  • Save the report as BSOD.txt to your Desktop.
  • Post the contents of BSOD.txtin your next reply.

Link to post
Share on other sites

  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://forums.malwarebytes.org/index.php?showtopic=94246
Collect::
c:\windows\system32\c_47915.nl_
c:\programdata\oxav.exe
c:\programdata\opyj.exe
c:\programdata\mawn.exe

Save this as CFScript.txt

CFScriptB-4.gif

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

Link to post
Share on other sites

  • Staff

Excellent news!

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is like UtilityName.Version_Date_Time_log.txt.

for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Link to post
Share on other sites

Everything seems to be running just fine now. I can boot the computer in normal mode, as well as connect to the Internet. For some reason, the ESET scanner isn't putting any information into the log file. All the file says is this:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

That being said, it found 9 infected files and successfully quarantined them. The other requested log files are attached.

TDSSKiller.2.6.1.0_26.09.2011_16.21.12_log.txt

checkup.txt

Link to post
Share on other sites

  • Staff

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program(s) (if present):

ESET Online Scanner v3

Java 6 Update 23

Adobe Reader 9.4

The following are also unnecessary unless you use them:

AIM Toolbar 5.0

AOL Radio Toolbar

Viewpoint Media Player

Restart your computer.

Get the latest version of Java and Adobe Reader.

Let me know what issues remain.

-screen317

Link to post
Share on other sites

  • Staff

Hi,

Great news!

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

Link to post
Share on other sites

  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.