Removed Security Guard 2012 with ComboFix, still experiencing issues


Hi there-

I removed "Security Guard 2012" by running ComboFix. It worked! I was able to run MBAM and remove the rest of the infection. But I still have some Google redirects going on and an annoying popup from MBAM that says "successfully blocked access to a potentially malicious website", and it lists various IP addresses each time. I used TCPView but couldn't really figure it out.

-------------MBAM IP PROTECTION LOG BELOW-------------------------------------------------

They are incoming and outgoing. Here is the log for the IP Protection from MBAM:


---------------------HIJACK THIS LOG BELOW-------------------------------------------------

My HiJackThis log is here:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 10:50:45 AM, on 10/7/2011

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe

C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files\Fawkes Engineering\AccuRIP\RipCore.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Moon Software\Shell Tools\FontLoaderSysTray.exe

C:\Program Files\DNA\btdna.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\TechSmith\Jing\Jing.exe

C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe

C:\Program Files\Orbitdownloader\orbitdm.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Orbitdownloader\orbitnet.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Java\Java Update\jucheck.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\David\My Documents\Downloads\Tcpview.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll

O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [FontLoader] C:\Program Files\Moon Software\Shell Tools\FontLoaderSysTray.exe

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: McAfee Security Scan Plus.lnk = ?

O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201

O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204

O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203

O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll

O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll

O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)

O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)

O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{1AF8887D-C995-4F6F-BD2A-032D1E29CB6B}: NameServer = 4.2.2.2,4.2.2.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{1AF8887D-C995-4F6F-BD2A-032D1E29CB6B}: NameServer = 4.2.2.2,4.2.2.1

O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: ACT! Scheduler - Sage Software, Inc. - C:\Program Files\ACT\Act for Windows 2009\Act.Scheduler.exe

O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG8\Toolbar\ToolbarBroker.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: Hitman Pro 3.5 Crusader (HitmanPro35Crusader) - SurfRight B.V. - C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

O23 - Service: RipCore - Unknown owner - C:\Program Files\Fawkes Engineering\AccuRIP\RipCore.exe

--

End of file - 13914 bytes

-------------------END OF LOG POSTS----------------------------

Additional Info: I also have AVG antivirus (FREE) and I notice that there is an exclamation point on the icon. I opened it and it says that my resident shield is inactive, but under options it shows as ACTIVE...so that may be something? I don't mind removing it if MBAM works better! I will buy the FULL version of MBAM.

Just need to get rid of all these nasty bugs left over.

Thank you for your help. I really appreciate your time and dedication to helping all of us users.

-David
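The IP Protection log is easier to read once it is aggregated by address and direction: an outgoing block means a process on this PC initiated the connection, so repeated outgoing hits to one address (especially ones that recur at regular intervals) are what point at a remaining infection, while scattered incoming blocks are unsolicited probes that any internet-connected host sees. This is an added example, not part of the original post or of Malwarebytes' own tooling; the sample lines are constructed in the same format as the posted log, and the 60-second burst window is an assumed value.

```python
"""Summarise Malwarebytes IP Protection log lines by address and direction."""
import re
from datetime import datetime, timedelta

# Constructed sample, in the same format as the log posted above:
# "HH:MM:SS <user> IP-BLOCK <address> (Type: incoming|outgoing)".
SAMPLE_LOG = """\
00:02:10 David IP-BLOCK 222.76.82.200 (Type: incoming)
00:02:11 David IP-BLOCK 222.76.82.200 (Type: incoming)
01:30:00 David IP-BLOCK 83.222.124.249 (Type: outgoing)
01:30:02 David IP-BLOCK 83.222.124.249 (Type: outgoing)
01:30:11 David IP-BLOCK 83.222.124.249 (Type: outgoing)
05:30:01 David IP-BLOCK 83.222.124.249 (Type: outgoing)
05:30:04 David IP-BLOCK 83.222.124.249 (Type: outgoing)
06:11:25 David IP-BLOCK 58.241.135.226 (Type: outgoing)
09:30:00 David IP-BLOCK 83.222.124.249 (Type: outgoing)
10:36:29 David MESSAGE IP Protection stopped
10:36:44 David MESSAGE IP Protection started successfully
10:42:57 David IP-BLOCK 62.45.205.19 (Type: outgoing)
"""

BLOCK_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<user>\S+) IP-BLOCK "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<dir>incoming|outgoing)\)$"
)


def parse_blocks(text):
    """Return [(time, ip, direction)] for IP-BLOCK lines; MESSAGE lines are skipped."""
    events = []
    for line in text.splitlines():
        m = BLOCK_RE.match(line.strip())
        if m:  # anything that is not an IP-BLOCK record is ignored
            t = datetime.strptime(m.group("time"), "%H:%M:%S")
            events.append((t, m.group("ip"), m.group("dir")))
    return events


def summarise(text):
    """Aggregate per (ip, direction): hit count, first and last time seen."""
    stats = {}
    for t, ip, d in parse_blocks(text):
        s = stats.setdefault((ip, d), {"count": 0, "first": t, "last": t})
        s["count"] += 1
        s["first"] = min(s["first"], t)
        s["last"] = max(s["last"], t)
    return stats


def count_bursts(text, ip, direction, window=timedelta(seconds=60)):
    """Number of separate bursts (hits closer than `window` belong to one burst).

    Hits a few seconds apart are one process retrying the same connection;
    several bursts spaced hours apart look like a scheduled check-in rather
    than a one-off. The 60-second window is an assumed value.
    """
    times = sorted(t for t, i, d in parse_blocks(text) if (i, d) == (ip, direction))
    bursts, prev = 0, None
    for t in times:
        if prev is None or t - prev > window:
            bursts += 1
        prev = t
    return bursts


def suspect_outbound(text, min_count=3):
    """Addresses with repeated *outgoing* blocks, most frequent first.

    Outgoing means a process on this host initiated the connection, so these
    are the ones to trace back to a local process (e.g. with TCPView);
    incoming blocks are unsolicited probes any internet-connected host sees.
    """
    hits = [(ip, s["count"]) for (ip, d), s in summarise(text).items()
            if d == "outgoing" and s["count"] >= min_count]
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for (ip, d), s in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{ip:16} {d:8} hits={s['count']:3} "
              f"first={s['first']:%H:%M:%S} last={s['last']:%H:%M:%S}")
    for ip, n in suspect_outbound(SAMPLE_LOG):
        print(f"repeated outbound to {ip}: {n} hits in "
              f"{count_bursts(SAMPLE_LOG, ip, 'outgoing')} bursts")
```

Paste the full log in place of SAMPLE_LOG to get the same summary for the whole day; the MESSAGE lines about IP Protection stopping and restarting are skipped by the parser.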


I have no idea how I managed to post my MBAM log into another user's thread, but I did...so here is my MBAM log in my OWN thread...lol...sorry about that.

------------MBAM log----------------

Posted Today, 10:07 AM

Forgot to add my MBAM Full Scan log-----------

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7887

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

10/6/2011 5:07:11 PM

mbam-log-2011-10-06 (17-07-11).txt

Scan type: Full scan (C:\|)

Objects scanned: 407700

Time elapsed: 2 hour(s), 1 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 8

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

c:\documents and settings\David\start menu\Programs\security guard 2012 (Rogue.SecurityGuard2012) -> Quarantined and deleted successfully.

Files Infected:

c:\documents and settings\David\local settings\application data\crossloop\VNCHooks.dll (Spyware.Passwords) -> Not selected for removal.

c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP819\A0120683.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

c:\documents and settings\David\application data\ldr.ini (Malware.Trace) -> Quarantined and deleted successfully.

c:\documents and settings\David\application data\zonntxxa0uc2if3security guard 2012.ico (Rogue.SecurityGuard2012) -> Quarantined and deleted successfully.

c:\documents and settings\David\Desktop\security guard 2012.lnk (Rogue.SecurityGuard2012) -> Quarantined and deleted successfully.

c:\documents and settings\David\start menu\Programs\security guard 2012\security guard 2012.lnk (Rogue.SecurityGuard2012) -> Quarantined and deleted successfully.

c:\documents and settings\administrator.lordstabernacle.000\my documents\downloads\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> Not selected for removal.


  • Staff

Hi and welcome to Malwarebytes.

I'm afraid I have bad news.

Your logs reveal a backdoor trojan. A backdoor severely compromises system integrity.

A compromised system may allow illicit network connections, disabling of security software, modification of critical system files, and collection and transmission of personally identifiable information without your consent.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Let me know what you decide.


  • Staff

Hi,

Like I said:

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

If you don't have the means to format, we can of course help remove the trojan. However, the damage may already have been done.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post only DDS.txt directly into your reply.


  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
