
I'm Infected - UA Guard Online



I've been infected with the UA Guard Online tool. I've spent the last few days tackling as much of this as I could by myself. No luck with the AVG rootkit tool, no luck with running a boot version of AVG. I've tried running Malwarebytes in safe mode, and I've done all the steps in the FAQ about renaming Malwarebytes or trying to run it as a random executable, but each time it gets shut down during the quick scan.

I've noticed a program that looks like two phone numbers running in Windows safe mode that I can't force to shut down.

Sorry if I've missed any requested steps; I appreciate any help you guys can offer.

Thanks,

JB

When I ran GMER I received a blue screen with PAGE_FAULT_IN_NONPAGED_AREA:

ipsec.sys - address f4e72000 base at f4e61000, datestamp 48025cce

Here is what the DDS log posted:

.

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Run by USER at 16:21:13 on 2011-10-10

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.789 [GMT -5:00]

.

AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\3282498356:3406584124.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\Explorer.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [uIUCU] c:\docume~1\user\locals~1\temp\UIUCU.EXE -CLEAN_UP -S

mRun: [CTSysVol] c:\program files\creative\sb live! 24-bit\surround mixer\CTSysVol.exe /r

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [lxeemon.exe] "c:\program files\lexmark pro700 series\lxeemon.exe"

mRun: [EzPrint] "c:\program files\lexmark pro700 series\ezprint.exe"

mRun: [Lexmark Pro700 Series Fax Server] "c:\program files\lexmark pro700 series\fm3032.exe" /s

mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [HKKK7fRRL9TXqUe8234A] c:\windows\system32\a111ibbD3on4aH6.exe

mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\user\startm~1\programs\startup\trillian.lnk - c:\program files\trillian\trillian.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

LSP: mswsock.dll

Trusted Zone: aol.com\free

Trusted Zone: DC01-CH03

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1276209081474

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{29914497-E8E6-4396-ABD9-83849CE4EA72} : DhcpNameServer = 192.168.150.1

TCP: Interfaces\{E47C414A-C981-4152-8784-D360CC1C842B} : DhcpNameServer = 192.168.1.254

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\r49kaxtu.default\

FF - prefs.js: network.proxy.type - 0

FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff4.dll

FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff5.dll

FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff6.dll

FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff7.dll

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg2012\Firefox4

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Add to Amazon Wish List Button: amznUWL2@amazon.com - %profile%\extensions\amznUWL2@amazon.com

FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2011-7-4 547744]

R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-7-22 218688]

R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2011-5-15 33792]

S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-10 164048]

S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-7-11 229840]

S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-10 19024]

S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-10 40384]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-9-12 5265248]

S2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-10 136176]

S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]

S2 lxee_device;lxee_device;c:\windows\system32\lxeecoms.exe -service --> c:\windows\system32\lxeecoms.exe -service [?]

S2 lxeeCATSCustConnectService;lxeeCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeeserv.exe [2011-6-15 193192]

S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2009-12-10 65536]

S2 SLClient;ScriptLogic Service;c:\windows\system32\slclient.exe [2009-3-20 556960]

S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-10 40384]

S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-10 40384]

S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]

S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]

S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-7-11 16720]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-10 136176]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [2010-1-6 598400]

S3 st3bus28;st3bus28;c:\windows\system32\drivers\st3bus28.sys --> c:\windows\system32\drivers\st3bus28.sys [?]

S3 st3mp28;st3mp28;c:\windows\system32\drivers\st3mp28.sys --> c:\windows\system32\drivers\st3mp28.sys [?]

S3 XPADFL02;XPAD Filter Service 02;c:\windows\system32\drivers\xPADFL02.sys [2011-5-17 27904]

.

=============== Created Last 30 ================

.

2011-10-10 19:18:29 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-10-10 18:39:53 -------- d-----w- C:\TDSSKiller_Quarantine

2011-10-07 20:28:35 -------- d-----w- c:\documents and settings\user\application data\kP0ucS1ib3n4Q6W

2011-10-07 20:28:35 -------- d-----w- c:\documents and settings\user\application data\F7fRL9hTXjClBzN

2011-10-06 04:51:18 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-06 04:33:12 -------- d-----w- c:\documents and settings\user\application data\Malwarebytes

2011-10-06 04:33:01 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-10-06 04:32:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-06 04:13:47 -------- d-----w- c:\documents and settings\user\application data\tpnG5aQH6W8R9Tw

2011-10-06 04:13:47 -------- d-----w- c:\documents and settings\user\application data\QUCelIBtzNc1v2n

2011-10-06 02:29:41 -------- d-----w- c:\documents and settings\user\application data\VcS1ibD3oGaHsKf

2011-10-06 02:29:41 -------- d-----w- c:\documents and settings\user\application data\lYXwkUVelBx0

2011-10-06 01:55:32 -------- d-----w- c:\documents and settings\user\application data\jpmG5sQJ7E8RqYw

2011-10-06 01:55:31 -------- d-----w- c:\documents and settings\user\application data\ZCekIBrzOyAuSoF

2011-10-06 01:39:43 -------- d-----w- c:\documents and settings\user\application data\oelIBtzPNc1

2011-10-06 01:39:42 -------- d-----w- c:\documents and settings\user\application data\SG5aQH6dW8R9T

2011-10-05 23:25:06 -------- d-----w- c:\documents and settings\user\application data\ORZ9hYXwjVlBz0c

2011-10-05 23:25:05 -------- d-----w- c:\documents and settings\user\application data\yzONtxA0uSiFpG

2011-10-05 23:23:50 -------- d-----w- c:\documents and settings\user\application data\AVG2012

2011-10-05 23:22:31 -------- d-----w- c:\windows\system32\drivers\AVG

2011-10-05 23:22:31 -------- d-----w- c:\documents and settings\all users\application data\AVG2012

2011-10-05 23:21:54 -------- d-----w- c:\program files\AVG

2011-10-05 23:02:43 -------- d--h--w- c:\documents and settings\all users\application data\Common Files

2011-10-05 23:02:23 -------- d-----w- c:\documents and settings\all users\application data\MFAData

2011-10-05 22:54:33 -------- d-----w- c:\documents and settings\user\application data\tRL9hTXwjC

2011-10-05 22:54:33 -------- d-----w- c:\documents and settings\user\application data\blIBtzPNyAiDoFa

2011-10-05 22:33:04 -------- d-----w- c:\documents and settings\user\application data\NlONtxP0uSiDpGa

2011-10-05 22:33:04 -------- d-----w- c:\documents and settings\user\application data\jgRZqhYCwU

2011-10-05 20:28:40 784 ----a-w- c:\windows\trz5.tmp

2011-10-05 20:27:05 -------- d-----w- c:\documents and settings\user\application data\rqhYCwkIVlNx0c2

2011-10-05 20:27:05 -------- d-----w- c:\documents and settings\user\application data\hJ7dEL8gT

2011-10-05 18:55:33 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-10-05 18:55:33 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy

2011-10-05 18:47:59 -------- d-----w- c:\documents and settings\user\application data\p6dEK8gRZhXkVlB

2011-10-05 18:47:58 -------- d-----w- c:\documents and settings\user\application data\ubF3pmG5s

2011-10-05 18:42:20 -------- d-----w- c:\documents and settings\user\application data\hF4amH6sW7E9TqY

2011-10-05 18:42:20 -------- d-----w- c:\documents and settings\user\application data\DekIVrzONx0v2b

2011-10-05 17:44:38 -------- d-----w- c:\documents and settings\user\application data\W7dEK8gRZ

2011-10-05 17:44:38 -------- d-----w- c:\documents and settings\user\application data\VCekIBrzOyAuSoF

2011-10-05 16:31:03 -------- d-----w- c:\documents and settings\user\application data\rYCCeekIVrzO

2011-10-05 16:31:03 -------- d-----w- c:\documents and settings\user\application data\d9ggTZZqj

2011-10-05 16:30:48 -------- d-----w- c:\documents and settings\user\application data\sUUUVellOBxP0c

2011-09-22 17:55:42 -------- d-----w- c:\program files\iPod

2011-09-22 17:55:38 -------- d-----w- c:\program files\iTunes

2011-09-21 22:20:13 -------- d-----w- c:\windows\system32\appmgmt

2011-09-21 19:38:31 -------- d-----w- c:\program files\Bonjour

2011-09-13 11:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys

.

==================== Find3M ====================

.

2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-08-18 12:50:09 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-23 02:33:50 431672 ----a-w- c:\windows\system32\drivers\sptd.sys

2011-07-23 02:32:28 218688 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

.

============= FINISH: 16:22:36.92 ===============

attach.txt

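The DDS log above contains the indicators a responder would look for when triaging a rogue-AV infection like this one: a process whose name is two long numbers (`C:\WINDOWS\3282498356:3406584124.exe`, the "two phone numbers" the poster saw), a Run value with a random name launching a random-named executable (`HKKK7fRRL9TXqUe8234A` / `a111ibbD3on4aH6.exe`), a series of random-named directories created under Application Data in the days before the post, and a hosts-file entry redirecting a security site to 127.0.0.1. The script below is an added example, not code from the poster or from Malwarebytes. It parses DDS-style log text and flags those four patterns. The sample input is a handful of lines copied from the posted log plus benign lines for contrast; the random-name heuristic (length, mixed case, and at least three letter/digit transitions) and the finding categories are this example's own assumptions, not a DDS or Malwarebytes convention.

```python
"""Triage a DDS-style log for rogue-AV indicators (added example, not from the post)."""
import re

# Constructed sample: lines copied from the DDS log posted above, plus benign
# process, Run-key and "Created Last 30" entries from the same log for contrast.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\3282498356:3406584124.exe
C:\WINDOWS\Explorer.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [HKKK7fRRL9TXqUe8234A] c:\windows\system32\a111ibbD3on4aH6.exe
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [uIUCU] c:\docume~1\user\locals~1\temp\UIUCU.EXE -CLEAN_UP -S
Hosts: 127.0.0.1 www.spywareinfo.com
2011-10-07 20:28:35 -------- d-----w- c:\documents and settings\user\application data\kP0ucS1ib3n4Q6W
2011-10-06 04:33:12 -------- d-----w- c:\documents and settings\user\application data\Malwarebytes
2011-10-05 20:28:40 784 ----a-w- c:\windows\trz5.tmp
2011-10-05 23:21:54 -------- d-----w- c:\program files\AVG
"""

# Line shapes as DDS prints them: running-process paths, [um]Run values,
# Hosts entries, and "Created Last 30" rows (date time size attrs path).
PROCESS_RE = re.compile(r'^([a-z]:\\\S+?\.exe)\b', re.I)
RUN_RE = re.compile(r'^[um]Run(?:Once)?:\s*\[([^\]]+)\]\s*(.*)$', re.I)
HOSTS_RE = re.compile(r'^Hosts:\s*(\S+)\s+(\S+)', re.I)
CREATED_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+\S+\s+(.+)$')
# An executable named only with digits, optionally "digits:digits" as in the log.
NUMERIC_EXE_RE = re.compile(r'^\d+(?::\d+)?\.exe$', re.I)


def basename(path):
    return path.rstrip('\\').rsplit('\\', 1)[-1]


def first_exe(command):
    """Executable path from a Run-key command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(' ', 1)[0]


def digit_letter_transitions(text):
    """How often the name switches between letter runs and digit runs."""
    kinds = ['d' if c.isdigit() else 'a' for c in text if c.isalnum()]
    return sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)


def looks_random(name):
    """Heuristic (this example's assumption): long, mixed-case, digits interleaved
    with letters. Tuned so vendor names like NvCplDaemon or ANIWZCS2Service pass."""
    core = name.rsplit('.', 1)[0] if '.' in name else name
    return (len(core) >= 10
            and any(c.islower() for c in core)
            and any(c.isupper() for c in core)
            and digit_letter_transitions(core) >= 3)


def triage(log_text):
    """Return (category, evidence) findings for every suspicious line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            value_name, command = m.groups()
            if looks_random(value_name) or looks_random(basename(first_exe(command))):
                findings.append(('random-run-key', line))
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if host.lower() != 'localhost':  # any other entry in hosts is a redirect
                findings.append(('hosts-redirect', f'{host} -> {ip}'))
            continue
        m = CREATED_RE.match(line)
        if m:
            path = m.group(1)
            if looks_random(basename(path)):
                findings.append(('random-created-path', path))
            continue
        m = PROCESS_RE.match(line)
        if m and NUMERIC_EXE_RE.match(basename(m.group(1))):
            findings.append(('numeric-named-process', m.group(1)))
    return findings


if __name__ == '__main__':
    for category, evidence in triage(SAMPLE_LOG):
        print(f'{category:24} {evidence}')
```

Run against the sample it reports exactly the four indicators named above and nothing for the AVG, NVIDIA, Lexmark-cleanup or Malwarebytes entries. The heuristic is deliberately conservative; a random name with a single digit (such as `lYXwkUVelBx0` in the log) slips through, so the "Created Last 30" directories still deserve a manual look, and the Application Data burst is best read together with the Run key and the numeric process rather than each on its own.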

  • Staff

Hi and welcome to Malwarebytes.

I notice that you are using more than one antivirus program (AVG and avast). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility writes its runtime log to the root directory of the system disk (the disk where the operating system is installed, C:\ as a rule).

The log name takes the form UtilityName.Version_Date_Time_log.txt,

for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
