virus/spyware removal " system security" virus


Re: virus/spyware removal " system security" virus

Post by ct3151 on Fri Jun 12, 2009 3:20 pm

Additionally: I burned a copy of the ice.exe folder from my other computer and downloaded it to my infected laptop. I have a file opened called 11abfc listing the hkeys for system32. Help, it may close at any time. Thanks.

ct3151
Novice

Posts : 27
Joined : 2009-06-11
OS : xp
Points : 27371
# Likes : 0

Re: virus/spyware removal " system security" virus

Post by ct3151 on Fri Jun 12, 2009 3:55 pm

Also have opened the win32:110 services; I think I see some problems but need your direction. Thanks.

Re: virus/spyware removal " system security" virus

Post by Belahzur on Fri Jun 12, 2009 4:26 pm

Ah.
A newer version, randomly named when opened, nice!

We can use this, it won't close on us. Smile

Click the "Registry" button on the bottom left. Now travel to the following key using the + button to go further in.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Once you have found the Run key, note down the value names in the right side panel.
I don't need to know what files they are pointing at, just the value names; I'll be able to tell which the malicious ones are.

Now do the same for this key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Note the two different hives (HKLM/HKCU).

Once you have noted down all the run values, post them back here so I can see them.
===

The malware run values for System Security are most likely appearing as random numbers that point to:

C:\Documents and settings\USERNAME\Application Data\some more numbers.exe

Let me know if I'm right. Smile


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245059
# Likes : 1

Re: virus/spyware removal " system security" virus

Post by ct3151 on Fri Jun 12, 2009 4:55 pm

here we go:
local:
(default) no values
103
10753124
90763116
adobe reader speed launch
atipta
avp
cpqset
digstream
eabconfg.cpl
ehtray
hp software update
hp wireless assistant
isus pm startup
isusscheduler
itunes helper
kernelfault check
launch anti spy
lsb watcher
quicktime task
sunjava update scheduler
syntpenh

current user info:
(default) value not set
dfmon.exe
msmsqs
updatemgr

That's it. Let me know. Thanks.

Re: virus/spyware removal " system security" virus

Post by Belahzur on Fri Jun 12, 2009 5:01 pm

Hello.
Thanks, now go back into the HKLM\...\Run key again, and delete the following three values:

103
10753124
90763116

You can delete them by highlighting each one, then pressing the red X on the toolbar, or right-click each and select Delete.

Okay any prompts that ask if you are sure.

Once those run values are gone, all the lockdown on tools will be unlocked and things will run normally again, so try running HijackThis. Smile

Re: virus/spyware removal " system security" virus

Post by ct3151 on Fri Jun 12, 2009 5:14 pm

Deleted as instructed, but it will not allow me to run the HijackThis install.

Re: virus/spyware removal " system security" virus

Post by Belahzur on Fri Jun 12, 2009 5:17 pm

Hello.
Use IceSword again, and delete the following two values in HKLM\...\Run.

KernelFault Check
Launch Anti-Spy

Then boot to safe mode again, try running it there.

Re: virus/spyware removal " system security" virus

Post by ct3151 on Fri Jun 12, 2009 5:22 pm

Was able to run HijackThis, and saved the logfile to Notepad. Next?

Re: virus/spyware removal " system security" virus

Post by Belahzur on Fri Jun 12, 2009 5:23 pm

Hooray! Post it back here. Let's get to work removing the rest of the malware. Big Grin

Re: virus/spyware removal " system security" virus

Post by ct3151 on Fri Jun 12, 2009 5:36 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:20:48 PM, on 6/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
c:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\windows\eHome\ehRecvr.exe
C:\windows\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\windows\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\windows\eHome\ehmsas.exe
C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\windows\System32\svchost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe"
O4 - HKLM\..\RunOnce: [RealPlayer_update] C:\Program Files\Online Services\AOL90US\comps\rp\rp9codec.exe restart
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: QuickLink Mobile.lnk = C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Defender Pro Firewall.lnk = C:\Program Files\Defender Pro\Defender Pro Firewall\KAVPF.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Send To &Bluetooth - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - [You must be registered and logged in to see this link.]
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\DEFEND~3\DEFEND~1.0\adialhk.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: Defender Pro Internet Security (AVP) - Defender Pro - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10105 bytes

Re: virus/spyware removal " system security" virus

Post by Belahzur on Fri Jun 12, 2009 5:51 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    F2 - REG:system.ini: Shell=Explorer.exe logon.exe
    O4 - HKLM\..\RunOnce: [RealPlayer_update] C:\Program Files\Online Services\AOL90US\comps\rp\rp9codec.exe restart


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

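As an added example (not code from the thread or from either participant), the following Python script applies the two triage heuristics this thread relies on to a HijackThis log: Belahzur's observation that the rogue's Run values are random numbers pointing under Application Data, and the F2 system.ini Shell= line carrying logon.exe next to Explorer.exe. The sample log is constructed from lines in the posted log; the numeric [10753124] Run entry is hypothetical, since the posted log was taken after those values had been deleted.

```python
import re

# Constructed sample in HijackThis format, modelled on the log posted in this
# thread. The numeric [10753124] Run value is hypothetical: it shows the shape
# the helper described (random digits, target under Application Data), which the
# posted log no longer contained because those values had already been deleted.
SAMPLE_LOG = r"""F2 - REG:system.ini: Shell=Explorer.exe logon.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [10753124] C:\Documents and Settings\All Users\Application Data\10753124\10753124.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe"
O4 - HKLM\..\RunOnce: [RealPlayer_update] C:\Program Files\Online Services\AOL90US\comps\rp\rp9codec.exe restart
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
"""

# O4 lines: "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\]\s*(.*)$')
# F2 lines: the system.ini Shell= mapping, which should list Explorer.exe only
F2_RE = re.compile(r'^F2 - REG:system\.ini: Shell=(.*)$', re.IGNORECASE)


def target_path(cmd):
    """Extract the executable path from an O4 command line, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths with spaces are normal on XP; stop at the first ".exe".
    m = re.search(r'^(.*?\.exe)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def check_o4(line):
    """Return (entry, reason) pairs for a Run/RunOnce line matching the rogue's pattern."""
    m = O4_RE.match(line)
    if not m:
        return []
    hive, key, name, cmd = m.groups()
    entry = f'{hive}\\..\\{key}: [{name}]'
    path = target_path(cmd)
    reasons = []
    if name.isdigit():
        reasons.append('numeric value name')
    if 'application data' in path.lower():
        reasons.append('launches from Application Data')
    return [(entry, r) for r in reasons]


def check_f2(line):
    """Return a finding for every executable on the Shell= line besides Explorer.exe."""
    m = F2_RE.match(line)
    if not m:
        return []
    extra = [s for s in m.group(1).split() if s.lower() != 'explorer.exe']
    return [('system.ini Shell', f'extra shell executable {s}') for s in extra]


def scan_log(text):
    """Run both checks over every line of a HijackThis log and collect the findings."""
    findings = []
    for line in text.splitlines():
        findings.extend(check_o4(line))
        findings.extend(check_f2(line))
    return findings


if __name__ == '__main__':
    for entry, reason in scan_log(SAMPLE_LOG):
        print(f'{entry:40} {reason}')
```

The RunOnce RealPlayer_update line that Belahzur also chose to fix is not caught by either heuristic, which is the point: these checks triage the obvious rogue pattern, they do not replace reading the whole log.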

Re: virus/spyware removal " system security" virus

Post by ct3151 on Fri Jun 12, 2009 6:16 pm

Malwarebytes' Anti-Malware 1.37
Database version: 2266
Windows 5.1.2600 Service Pack 3

6/12/2009 2:08:04 PM
mbam-log-2009-06-12 (14-08-04).txt

Scan type: Quick Scan
Objects scanned: 102293
Time elapsed: 6 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\systemsecurity2009 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\charles ray\Start Menu\Programs\System Security (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\charles ray\start menu\Programs\system security\System Security 2009 Support.lnk (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\documents and settings\charles ray\start menu\Programs\system security\System Security 2009.lnk (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\documents and settings\charles ray\Desktop\System Security 2009.lnk (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\logon.exe (Trojan.Agent) -> Delete on reboot.

Thanks for all your help. I have contributed to your worthy cause. Thanks again.

Re: virus/spyware removal " system security" virus

Post by Belahzur on Fri Jun 12, 2009 6:33 pm

Hello.
Not done yet, one last scan.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

Re: virus/spyware removal " system security" virus

Post by ct3151 on Fri Jun 12, 2009 6:43 pm

DDS (Ver_09-05-14.01) - NTFSx86
Run by charles ray at 14:39:55.43 on Fri 06/12/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1456 [GMT -4:00]

AV: Defender Pro Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Defender Pro Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
c:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\windows\eHome\ehRecvr.exe
C:\windows\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
svchost.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\windows\System32\svchost.exe -k HTTPFilter
C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\windows\eHome\ehmsas.exe
C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\charles ray\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [DIGStream] c:\program files\digstream\digstream.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVP] "c:\program files\defender pro\defender pro internet security 6.0\avp.exe"
StartupFolder: c:\docume~1\charle~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\charle~1\startm~1\programs\startup\quickl~1.lnk - c:\program files\alltel\quicklink mobile\QuickLink Mobile.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\defend~1.lnk - c:\program files\defender pro\defender pro firewall\KAVPF.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: Add to Anti-Banner - c:\program files\defender pro\defender pro internet security 6.0\ie_banner_deny.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\defender pro\defender pro internet security 6.0\scieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\defend~3\defend~1.0\adialhk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 cf32a;cf32a;c:\windows\system32\drivers\cf32a.sys [2006-8-19 25783]
R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2009-2-7 39472]
R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-3-3 110360]
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-6-26 175376]
R2 AVP;Defender Pro Internet Security;c:\program files\defender pro\defender pro internet security 6.0\avz.exe [2007-8-14 206152]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 AVC3310F;AVC-3310/AVC-3610 USB Loader;c:\windows\system32\drivers\avcuwfl2.sys [2005-6-29 17536]
S3 AvcUWil2;Adaptec AVC-3210/3310/3610 USB Device;c:\windows\system32\drivers\avcuwil2.sys [2005-6-29 1434080]
S3 memcard;PCMCIA Memory Card Driver;c:\windows\system32\drivers\memcard.sys [2006-2-21 8320]
S3 PTDLBus;PANTECH UM175AL Composite Device Driver;c:\windows\system32\drivers\PTDLBus.sys [2009-2-25 32256]
S3 PTDLMdm;PANTECH UM175AL Drivers;c:\windows\system32\drivers\PTDLMdm.sys [2009-2-25 41344]
S3 PTDLVsp;PANTECH UM175AL Diagnostic Port;c:\windows\system32\drivers\PTDLVsp.sys [2009-2-25 39936]
S3 PTDLWWAN;PANTECH UM175AL WWAN Driver;c:\windows\system32\drivers\PTDLWWAN.sys [2009-2-25 59776]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2009-06-12 13:59 --d----- c:\docume~1\charle~1\applic~1\Malwarebytes
2009-06-12 13:59 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-12 13:59 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-12 13:59 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-12 13:59 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-12 13:20 --d----- c:\program files\Trend Micro
2009-06-12 07:36 --d----- C:\MGlogs
2009-06-12 06:58 29,563 a------- C:\MGlogs.zip
2009-06-11 21:19 --d----- C:\MGtools
2009-06-11 18:48 3,120 a------- c:\windows\LJRGKDD9.ocx
2009-06-11 12:49 --d----- c:\docume~1\alluse~1\applic~1\90763116
2009-06-11 12:49 --d----- c:\docume~1\alluse~1\applic~1\10753124
2009-06-09 19:59 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-06-09 19:59 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 19:59 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-09 19:59 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-05-21 14:58 3,247 a------- c:\windows\system32\wbem\Outlook_01c9da461b1a94a4.mof
2009-05-18 02:04 --d----- c:\docume~1\alluse~1\applic~1\ZoomBrowser
2009-05-17 23:39 --d----- c:\documents and settings\charles ray\[06AFB7]
2009-05-17 23:39 --d----- c:\documents and settings\charles ray\[035799]
2009-05-17 23:39 --d----- c:\documents and settings\charles ray\[035798]
2009-05-17 23:39 --d----- c:\documents and settings\charles ray\[035797]
2009-05-17 23:38 --d----- c:\documents and settings\charles ray\[035796]
2009-05-17 23:33 --d----- c:\documents and settings\charles ray\fat32.1
2009-05-17 23:31 --d----- c:\documents and settings\charles ray\[FAT32]
2009-05-16 23:12 --d----- c:\program files\MSECache

==================== Find3M ====================

2009-06-12 14:39 20,570,400 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-12 14:09 276,428 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-06-12 14:09 259,104 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-06-12 14:09 24,716 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-06-12 13:06 6,656 a------- c:\windows\system32\drivers\aec.sys
2009-05-20 13:32 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-05-20 13:32 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-05-13 01:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 17:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 17:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 17:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 07:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-25 01:30 102,400 -------- c:\windows\system32\dllcache\iecompat.dll
2009-04-21 07:46 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2008-11-13 12:10 170 a------- c:\docume~1\charle~1\applic~1\wklnhst.dat
2008-01-31 10:23 3,195,392 a--sh--- c:\program files\ehthumbs.db
2006-11-01 19:31 315,904 a------- c:\windows\inf\unregmp2(2).exe

============= FINISH: 14:40:15.70 ======

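A way to triage a DDS-style "Created Last 30" listing like the one above, as an added example by the editor (not a DDS feature and not anything posted in the thread): it parses the entry lines and flags directory entries matching the two patterns that drove the decisions in this thread, all-digit folder names directly under an Application Data folder (the ones that were later deleted) and bracketed six-hex-digit folders directly under a user profile (which were only queried, and proved benign). Those heuristics and the "high"/"review" labels are the editor's own assumptions, and the sample lines are a constructed subset of the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the "Created Last 30" section posted above,
# with the neighbouring section banners kept so the section parser is exercised.
SAMPLE_LOG = """\
=============== Created Last 30 ================

2009-06-12 13:59 --d----- c:\\docume~1\\charle~1\\applic~1\\Malwarebytes
2009-06-12 13:59 40,160 a------- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2009-06-11 12:49 --d----- c:\\docume~1\\alluse~1\\applic~1\\90763116
2009-06-11 12:49 --d----- c:\\docume~1\\alluse~1\\applic~1\\10753124
2009-05-17 23:39 --d----- c:\\documents and settings\\charles ray\\[06AFB7]
2009-05-16 23:12 --d----- c:\\program files\\MSECache

==================== Find3M ====================

2009-06-12 14:39 20,570,400 a--sh--- c:\\windows\\system32\\drivers\\fidbox.dat
"""


@dataclass
class Entry:
    when: str
    size: Optional[int]  # directory entries carry no size field
    attrs: str           # eight-character attribute field, e.g. "--d-----" or "a--sh---"
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs


# timestamp, optional comma-grouped size, attribute field, path
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?:([\d,]+)\s+)?([-a-z]{8})\s+(.+?)\s*$"
)


def parse_section(log: str, title: str) -> List[Entry]:
    """Return the entries under the '=== <title> ===' banner, stopping at the next banner."""
    entries: List[Entry] = []
    inside = False
    for line in log.splitlines():
        if line.startswith("="):
            inside = title in line
            continue
        m = ENTRY_RE.match(line) if inside else None
        if m:
            size = int(m.group(2).replace(",", "")) if m.group(2) else None
            entries.append(Entry(m.group(1), size, m.group(3), m.group(4)))
    return entries


# Editor's heuristics, assumed from what this thread removed and queried:
# all-digit folder names directly under an Application Data folder were the rogue's drop folders;
NUMERIC_APPDATA_DIR = re.compile(r"\\(applic~1|application data)\\\d+$", re.IGNORECASE)
# bracketed six-hex-digit folders directly under a profile were only queried (and proved benign).
HEX_BRACKET_DIR = re.compile(
    r"\\(docume~1|documents and settings)\\[^\\]+\\\[[0-9a-f]{6}\]$", re.IGNORECASE
)


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (path, level) for directory entries that match one of the heuristics."""
    flagged: List[Tuple[str, str]] = []
    for e in entries:
        if not e.is_dir:
            continue
        if NUMERIC_APPDATA_DIR.search(e.path):
            flagged.append((e.path, "high"))
        elif HEX_BRACKET_DIR.search(e.path):
            flagged.append((e.path, "review"))
    return flagged


if __name__ == "__main__":
    for path, level in triage(parse_section(SAMPLE_LOG, "Created Last 30")):
        print(f"{level:6s} {path}")
```

Run against the full log text instead of the sample, the same two calls list exactly the two numeric folders the helper deleted and the bracketed profile folders he asked SystemLook to inspect; the "review" tier is deliberately separate so that a folder like those (which turned out to hold camera backups) is looked at before anything is removed.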

Re: virus/spyware removal " system security" virus

Post by Belahzur on Fri Jun 12, 2009 6:57 pm

Hello.
There are some malicious folders left behind which we need to delete, and some suspicious folders that I can't find anything on.

First, I wanna see what's inside these suspicious folders.

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :dir
    c:\documents and settings\charles ray\[06AFB7]
    c:\documents and settings\charles ray\[035799]
    c:\documents and settings\charles ray\[035798]
    c:\documents and settings\charles ray\[035797]
    c:\documents and settings\charles ray\[035796]
    c:\documents and settings\charles ray\fat32.1
    c:\documents and settings\charles ray\[FAT32]

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.



Re: virus/spyware removal " system security" virus

Post by ct3151 on Fri Jun 12, 2009 7:09 pm

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 15:07 on 12/06/2009 by charles ray (Administrator - Elevation successful)

========== dir ==========

c:\documents and settings\charles ray\[06AFB7] - Parameters: "(none)"

---Files---
_MGO7&3#.CB2 --a--- 15830937 bytes [21:49 02/05/2001] [21:49 02/05/2001]
_MGO7&3$.CB2 --a--- 15969616 bytes [21:49 02/05/2001] [13:46 03/05/2001]
_MGO7&3%.CB2 --a--- 16008447 bytes [21:49 02/05/2001] [13:46 03/05/2001]
_MGO7&3&.CB2 --a--- 15403381 bytes [21:49 02/05/2001] [13:46 03/05/2001]
_MGO7&3'.CB2 --a--- 15606034 bytes [21:49 02/05/2001] [21:49 02/05/2001]
_MGO7&3(.CB2 --a--- 15975475 bytes [21:49 02/05/2001] [21:49 02/05/2001]
_MGO7&3).CB2 --a--- 16133172 bytes [21:50 02/05/2001] [21:50 02/05/2001]
_MGO7&4!.CB2 --a--- 16198705 bytes [21:50 02/05/2001] [21:50 02/05/2001]
_MGO7&4#.CB2 --a--- 16379147 bytes [21:50 02/05/2001] [13:46 03/05/2001]
_MGO7&4$.CB2 --a--- 15617727 bytes [21:50 02/05/2001] [13:46 03/05/2001]
_MGO7&4%.CB2 --a--- 15885018 bytes [21:50 02/05/2001] [21:50 02/05/2001]
_MGO7&4&.CB2 --a--- 14708558 bytes [21:51 02/05/2001] [21:51 02/05/2001]
_MGO7&4'.CB2 --a--- 14304252 bytes [21:51 02/05/2001] [21:51 02/05/2001]
_MGO7&4(.CB2 --a--- 14344899 bytes [21:51 02/05/2001] [21:51 02/05/2001]
_MGO7&4).CB2 --a--- 14672221 bytes [21:51 02/05/2001] [13:46 03/05/2001]
_MGO7&4.CB2 --a--- 13984463 bytes [21:50 02/05/2001] [13:46 03/05/2001]
_MGO7&5!.CB2 --a--- 13881308 bytes [21:51 02/05/2001] [13:46 03/05/2001]
_MGO7&5#.CB2 --a--- 13045130 bytes [21:52 02/05/2001] [13:46 03/05/2001]
_MGO7&5$.CB2 --a--- 13926651 bytes [21:52 02/05/2001] [13:46 03/05/2001]
_MGO7&5%.CB2 --a--- 13741857 bytes [21:52 02/05/2001] [13:46 03/05/2001]
_MGO7&5&.CB2 --a--- 12846204 bytes [21:52 02/05/2001] [21:52 02/05/2001]
_MGO7&5'.CB2 --a--- 14207785 bytes [21:52 02/05/2001] [13:46 03/05/2001]
_MGO7&5(.CB2 --a--- 13952356 bytes [21:52 02/05/2001] [21:52 02/05/2001]
_MGO7&5).CB2 --a--- 14731109 bytes [21:52 02/05/2001] [21:52 02/05/2001]
_MGO7&5.CB2 --a--- 13746243 bytes [21:51 02/05/2001] [13:46 03/05/2001]
_MGO7&6!.CB2 --a--- 15445800 bytes [21:53 02/05/2001] [21:53 02/05/2001]
_MGO7&6#.CB2 --a--- 15706436 bytes [21:54 02/05/2001] [21:54 02/05/2001]
_MGO7&6$.CB2 --a--- 15745052 bytes [21:54 02/05/2001] [21:54 02/05/2001]
_MGO7&6%.CB2 --a--- 15608303 bytes [21:54 02/05/2001] [21:54 02/05/2001]
_MGO7&6&.CB2 --a--- 15533566 bytes [21:54 02/05/2001] [21:54 02/05/2001]
_MGO7&6'.CB2 --a--- 15982718 bytes [21:54 02/05/2001] [01:38 03/05/2001]
_MGO7&6(.CB2 --a--- 15975022 bytes [21:55 02/05/2001] [01:38 03/05/2001]
_MGO7&6).CB2 --a--- 14688741 bytes [21:55 02/05/2001] [21:55 02/05/2001]
_MGO7&6.CB2 --a--- 15887222 bytes [21:53 02/05/2001] [21:53 02/05/2001]
_MGO7&7!.CB2 --a--- 14707554 bytes [21:55 02/05/2001] [01:38 03/05/2001]
_MGO7&7#.CB2 --a--- 14336050 bytes [21:56 02/05/2001] [13:46 03/05/2001]
_MGO7&7$.CB2 --a--- 15855069 bytes [21:56 02/05/2001] [13:46 03/05/2001]
_MGO7&7%.CB2 --a--- 15901498 bytes [21:56 02/05/2001] [01:38 03/05/2001]
_MGO7&7&.CB2 --a--- 17613338 bytes [21:57 02/05/2001] [13:46 03/05/2001]
_MGO7&7'.CB2 --a--- 18211797 bytes [21:57 02/05/2001] [21:57 02/05/2001]
_MGO7&7(.CB2 --a--- 18415781 bytes [21:57 02/05/2001] [01:38 03/05/2001]
_MGO7&7).CB2 --a--- 16330064 bytes [21:57 02/05/2001] [21:57 02/05/2001]
_MGO7&7.CB2 --a--- 15470332 bytes [21:55 02/05/2001] [13:46 03/05/2001]
_MGO7&8!.CB2 --a--- 16770124 bytes [21:59 02/05/2001] [01:38 03/05/2001]
_MGO7&8#.CB2 --a--- 13533710 bytes [21:59 02/05/2001] [01:38 03/05/2001]
_MGO7&8$.CB2 --a--- 14484757 bytes [21:59 02/05/2001] [01:38 03/05/2001]
_MGO7&8%.CB2 --a--- 16436337 bytes [21:59 02/05/2001] [13:46 03/05/2001]
_MGO7&8&.CB2 --a--- 16828291 bytes [20:00 02/05/2001] [13:46 03/05/2001]
_MGO7&8'.CB2 --a--- 15443097 bytes [20:00 02/05/2001] [20:00 02/05/2001]
_MGO7&8(.CB2 --a--- 15289130 bytes [20:00 02/05/2001] [20:00 02/05/2001]
_MGO7&8).CB2 --a--- 15098548 bytes [20:00 02/05/2001] [20:00 02/05/2001]
_MGO7&8.CB2 --a--- 16566336 bytes [21:57 02/05/2001] [21:57 02/05/2001]
_MGO7&9!.CB2 --a--- 16345262 bytes [20:00 02/05/2001] [20:00 02/05/2001]
_MGO7&9#.CB2 --a--- 17467106 bytes [20:01 02/05/2001] [20:01 02/05/2001]
_MGO7&9$.CB2 --a--- 14150874 bytes [20:01 02/05/2001] [20:01 02/05/2001]
_MGO7&9%.CB2 --a--- 15150644 bytes [20:01 02/05/2001] [20:01 02/05/2001]
_MGO7&9&.CB2 --a--- 16286687 bytes [20:01 02/05/2001] [13:46 03/05/2001]
_MGO7&9'.CB2 --a--- 16739169 bytes [20:03 02/05/2001] [20:03 02/05/2001]
_MGO7&9(.CB2 --a--- 17476366 bytes [20:03 02/05/2001] [01:38 03/05/2001]
_MGO7&9).CB2 --a--- 17540412 bytes [20:03 02/05/2001] [01:38 03/05/2001]
_MGO7&9.CB2 --a--- 14905094 bytes [20:00 02/05/2001] [20:00 02/05/2001]
_MGO7'0#.CB2 --a--- 16125844 bytes [20:05 02/05/2001] [20:05 02/05/2001]
_MGO7'0$.CB2 --a--- 14811211 bytes [20:05 02/05/2001] [01:38 03/05/2001]
_MGO7'0%.CB2 --a--- 13708236 bytes [20:05 02/05/2001] [13:46 03/05/2001]
_MGO7'0&.CB2 --a--- 14715152 bytes [20:05 02/05/2001] [13:46 03/05/2001]
_MGO7'0'.CB2 --a--- 14380715 bytes [20:05 02/05/2001] [01:39 03/05/2001]
_MGO7'0(.CB2 --a--- 14428693 bytes [20:05 02/05/2001] [01:39 03/05/2001]
_MGO7'0).CB2 --a--- 14009474 bytes [20:05 02/05/2001] [01:39 03/05/2001]
_MGO7'0.CB2 --a--- 16387288 bytes [20:03 02/05/2001] [20:03 02/05/2001]
_MGO7'1!.CB2 --a--- 13626928 bytes [20:05 02/05/2001] [01:39 03/05/2001]
_MGO7'1#.CB2 --a--- 13422315 bytes [20:06 02/05/2001] [20:06 02/05/2001]
_MGO7'1&.CB2 --a--- 15048833 bytes [20:08 02/05/2001] [13:46 03/05/2001]
_MGO7'1'.CB2 --a--- 14814089 bytes [20:08 02/05/2001] [20:08 02/05/2001]
_MGO7'1(.CB2 --a--- 14691588 bytes [20:08 02/05/2001] [20:08 02/05/2001]
_MGO7'1).CB2 --a--- 16115611 bytes [20:08 02/05/2001] [20:08 02/05/2001]
_MGO7'1.CB2 --a--- 14222145 bytes [20:05 02/05/2001] [01:39 03/05/2001]
_MGO7'2!.CB2 --a--- 14379306 bytes [20:09 02/05/2001] [20:09 02/05/2001]
_MGO7'2#.CB2 --a--- 14370657 bytes [20:09 02/05/2001] [20:09 02/05/2001]
_MGO7'2$.CB2 --a--- 17516800 bytes [20:12 02/05/2001] [20:12 02/05/2001]
_MGO7'2%.CB2 --a--- 17690107 bytes [20:12 02/05/2001] [20:12 02/05/2001]
_MGO7'2&.CB2 --a--- 14835749 bytes [20:13 02/05/2001] [20:13 02/05/2001]
_MGO7'2'.CB2 --a--- 13337011 bytes [20:13 02/05/2001] [20:13 02/05/2001]
_MGO7'2(.CB2 --a--- 13586127 bytes [20:14 02/05/2001] [13:46 03/05/2001]
_MGO7'2).CB2 --a--- 13747924 bytes [20:14 02/05/2001] [20:14 02/05/2001]
_MGO7'2.CB2 --a--- 14770224 bytes [20:08 02/05/2001] [13:46 03/05/2001]
_MGO7'3!.CB2 --a--- 15206232 bytes [20:14 02/05/2001] [20:14 02/05/2001]
_MGO7'3#.CB2 --a--- 15863774 bytes [20:15 02/05/2001] [01:39 03/05/2001]
_MGO7'3$.CB2 --a--- 14796171 bytes [20:16 02/05/2001] [13:46 03/05/2001]
_MGO7'3%.CB2 --a--- 13624408 bytes [20:16 02/05/2001] [13:46 03/05/2001]
_MGO7'3&.CB2 --a--- 13297799 bytes [20:16 02/05/2001] [01:39 03/05/2001]
_MGO7'3'.CB2 --a--- 13248159 bytes [20:16 02/05/2001] [01:39 03/05/2001]
_MGO7'3(.CB2 --a--- 13699231 bytes [20:16 02/05/2001] [13:46 03/05/2001]
_MGO7'3).CB2 --a--- 13633210 bytes [20:16 02/05/2001] [01:39 03/05/2001]
_MGO7'3.CB2 --a--- 14110279 bytes [20:14 02/05/2001] [20:14 02/05/2001]
_MGO7'4!.CB2 --a--- 13585486 bytes [20:17 02/05/2001] [13:46 03/05/2001]
_MGO7'4#.CB2 --a--- 14180603 bytes [20:17 02/05/2001] [20:17 02/05/2001]
_MGO7'4$.CB2 --a--- 14254760 bytes [20:17 02/05/2001] [20:17 02/05/2001]
_MGO7'4%.CB2 --a--- 15607165 bytes [20:17 02/05/2001] [20:17 02/05/2001]
_MGO7'4&.CB2 --a--- 15288970 bytes [20:17 02/05/2001] [20:17 02/05/2001]
_MGO7'4'.CB2 --a--- 16328421 bytes [20:17 02/05/2001] [13:46 03/05/2001]
_MGO7'4(.CB2 --a--- 15517278 bytes [20:17 02/05/2001] [13:46 03/05/2001]
_MGO7'4).CB2 --a--- 15239111 bytes [20:17 02/05/2001] [13:46 03/05/2001]
_MGO7'4.CB2 --a--- 13520593 bytes [20:16 02/05/2001] [01:39 03/05/2001]
_MGO7'5!.CB2 --a--- 14199868 bytes [20:18 02/05/2001] [13:46 03/05/2001]
_MGO7'5#.CB2 --a--- 12775231 bytes [20:18 02/05/2001] [20:18 02/05/2001]
_MGO7'5$.CB2 --a--- 13058826 bytes [20:18 02/05/2001] [20:18 02/05/2001]
_MGO7'5%.CB2 --a--- 14385851 bytes [20:18 02/05/2001] [20:18 02/05/2001]
_MGO7'5&.CB2 --a--- 12837592 bytes [20:18 02/05/2001] [01:39 03/05/2001]
_MGO7'5'.CB2 --a--- 13510099 bytes [20:18 02/05/2001] [01:39 03/05/2001]
_MGO7'5(.CB2 --a--- 13582957 bytes [20:18 02/05/2001] [13:46 03/05/2001]
_MGO7'5).CB2 --a--- 12299875 bytes [20:19 02/05/2001] [13:46 03/05/2001]
_MGO7'5.CB2 --a--- 14312904 bytes [20:17 02/05/2001] [01:39 03/05/2001]

---Folders---
None found.

c:\documents and settings\charles ray\[035799] - Parameters: "(none)"

---Files---
None found.

---Folders---
None found.

c:\documents and settings\charles ray\[035798] - Parameters: "(none)"

---Files---
R@3&1 --a--- 0 bytes [13:14 13/05/2001] [13:14 13/05/2001]

---Folders---
None found.

c:\documents and settings\charles ray\[035797] - Parameters: "(none)"

---Files---
_BECTO~! --a--- 0 bytes [20:28 01/05/2001] [20:28 01/05/2001]

---Folders---
None found.

c:\documents and settings\charles ray\[035796] - Parameters: "(none)"

---Files---
DE1!.CB2 --a--- 12355752 bytes [20:20 02/05/2001] [20:20 02/05/2001]
DE1.CB2 --a--- 12412261 bytes [20:08 02/05/2001] [20:08 02/05/2001]
DE2.CB2 --a--- 13500843 bytes [13:32 01/05/2001] [13:32 01/05/2001]
DE3.CB2 --a--- 14936331 bytes [13:33 01/05/2001] [13:33 01/05/2001]
DE4.CB2 --a--- 12542836 bytes [13:31 01/05/2001] [13:31 01/05/2001]
DE5.CB2 --a--- 12061201 bytes [00:07 02/05/2001] [00:07 02/05/2001]
DE6.CB2 --a--- 12108043 bytes [00:28 02/05/2001] [00:28 02/05/2001]
DE7.CB2 --a--- 12378698 bytes [17:28 02/05/2001] [17:28 02/05/2001]
DE8.CB2 --a--- 16852079 bytes [20:03 02/05/2001] [20:03 02/05/2001]
DE9.CB2 --a--- 11380290 bytes [20:07 02/05/2001] [20:07 02/05/2001]
DESKTOP.INI --a--- 65 bytes [20:28 01/05/2001] [20:28 01/05/2001]
INFO2 --a--- 9620 bytes [20:28 01/05/2001] [01:33 03/05/2001]

---Folders---
None found.

c:\documents and settings\charles ray\fat32.1 - Parameters: "(none)"

---Files---
DCIM --a--- 0 bytes [17:41 07/04/2001] [17:41 07/04/2001]
RECICLED --a--- 0 bytes [20:28 01/05/2001] [20:28 01/05/2001]
SISDEM~! --a--- 0 bytes [20:28 01/05/2001] [20:28 01/05/2001]

---Folders---
[035796] d----- [03:33 18/05/2009]

c:\documents and settings\charles ray\[FAT32] - Parameters: "(none)"

---Files---
DCIM --a--- 0 bytes [17:41 07/04/2001] [17:41 07/04/2001]
RECICLED --a--- 0 bytes [20:28 01/05/2001] [20:28 01/05/2001]
SISDEM~! --a--- 0 bytes [20:28 01/05/2001] [20:28 01/05/2001]

---Folders---
[035796] d----- [03:31 18/05/2009]

-=End Of File=-


Re: virus/spyware removal " system security" virus

Post by Belahzur on Fri Jun 12, 2009 7:37 pm

Okay, we'll leave them alone for now.

Let's get rid of those malicious folders now.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C).


Folders to delete:
c:\docume~1\alluse~1\applic~1\90763116
c:\docume~1\alluse~1\applic~1\10753124
C:\MGlogs
C:\MGtools

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.



Re: virus/spyware removal " system security" virus

Post by ct3151 on Fri Jun 12, 2009 7:52 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "c:\docume~1\alluse~1\applic~1\90763116" deleted successfully.
Folder "c:\docume~1\alluse~1\applic~1\10753124" deleted successfully.
Folder "C:\MGlogs" deleted successfully.
Folder "C:\MGtools" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

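An added example from the editor (not part of The Avenger and not posted in the thread) that cross-checks an Avenger script against the resulting avenger.txt, the step a helper does by eye when the log comes back: every path under a "Folders to delete:" header should appear in a `deleted successfully` line, and anything unconfirmed needs a follow-up rather than being assumed gone. Both inputs are constructed from the script and log above; the extra `C:\EXAMPLE_NOT_DELETED` path is a placeholder added so the unconfirmed branch is exercised, and the `File "..." deleted successfully.` form for a "Files to delete:" section is assumed by analogy with the folder wording on the page.

```python
import re
from typing import Dict, List

# Constructed: the Avenger script from this thread plus one placeholder folder
# (not from the page) that the log below does not confirm.
SAMPLE_SCRIPT = """\
Folders to delete:
c:\\docume~1\\alluse~1\\applic~1\\90763116
c:\\docume~1\\alluse~1\\applic~1\\10753124
C:\\MGlogs
C:\\MGtools
C:\\EXAMPLE_NOT_DELETED
"""

# Constructed from the structure of the avenger.txt posted above.
SAMPLE_LOG = """\
Logfile of The Avenger Version 2.0, (c) by Swandog46

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "c:\\docume~1\\alluse~1\\applic~1\\90763116" deleted successfully.
Folder "c:\\docume~1\\alluse~1\\applic~1\\10753124" deleted successfully.
Folder "C:\\MGlogs" deleted successfully.
Folder "C:\\MGtools" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
"""


def parse_script(script: str) -> Dict[str, List[str]]:
    """Group the script's paths under their '<Kind> to delete:' headers, keyed by lowercase kind."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in script.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.lower().endswith(" to delete:"):
            current = line[: -len(" to delete:")].lower()  # e.g. "folders", "files"
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


# The Folder form is the one on the page; the File form is assumed by analogy.
DELETED_RE = re.compile(r'^(Folder|File) "(.+)" deleted successfully\.$')


def parse_deletions(log: str) -> Dict[str, List[str]]:
    """Collect the paths the log reports as deleted, keyed like parse_script()."""
    deleted: Dict[str, List[str]] = {"folders": [], "files": []}
    for line in log.splitlines():
        m = DELETED_RE.match(line.strip())
        if m:
            deleted[m.group(1).lower() + "s"].append(m.group(2))
    return deleted


def verify(script: str, log: str) -> Dict[str, object]:
    """Match requested deletions to confirmed ones (case-insensitively, as NTFS is)."""
    requested = parse_script(script)
    deleted = parse_deletions(log)
    confirmed: List[str] = []
    unconfirmed: List[str] = []
    for kind, paths in requested.items():
        done = {p.lower() for p in deleted.get(kind, [])}
        for p in paths:
            (confirmed if p.lower() in done else unconfirmed).append(p)
    return {
        "rootkits_reported_clean": "No rootkits found!" in log,
        "completed": "Completed script processing." in log,
        "confirmed": confirmed,
        "unconfirmed": unconfirmed,
    }


if __name__ == "__main__":
    result = verify(SAMPLE_SCRIPT, SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the thread's real script and log the `unconfirmed` list is empty; the placeholder entry shows what the output looks like when a folder was requested but the log never reports it, which is the case where the helper would ask for another pass rather than declaring the machine clean.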

Re: virus/spyware removal " system security" virus

Post by Belahzur on Fri Jun 12, 2009 7:56 pm

Okay, that should do it now.

How is the machine running now?



Re: virus/spyware removal " system security" virus

Post by ct3151 on Fri Jun 12, 2009 8:04 pm

My anti-spy software detected the following files upon reboot. Can you explain what these are? At present they have been neutralized. Thanks

1. detected: riskware Trojan.generic Running process: C:\Documents and Settings\charles ray\Local Settings\Temp\SVGInstallTemp.0000\Winstall.exe
2. detected: Trojan program Trojan-Downloader.JS.LuckySploit.o URL: [You must be registered and logged in to see this link.]
3. not found: Trojan program Trojan.Win32.Zapchast.uy File: C:\cleanup.exe
4. detected: riskware Hidden install Running process: C:\Documents and Settings\charles ray\Local Settings\Temporary Internet Files\Content.IE5\DQRO7PRB\eu261en[1].exe
5. detected: riskware Hidden install Running process: C:\Documents and Settings\charles ray\Local Settings\Temporary Internet Files\Content.IE5\CTEJODA3\dpp361en[1].exe
6. detected: riskware Hidden install Running process: C:\Documents and Settings\charles ray\Local Settings\Temporary Internet Files\Content.IE5\K3EBULET\rc150upd_7l[1].exe
7. detected: riskware Hidden install Running process: C:\Documents and Settings\charles ray\Local Settings\Temporary Internet Files\Content.IE5\WD2BW5M3\zb631upd_en[1].exe
8. detected: riskware Hidden install Running process: C:\Documents and Settings\charles ray\Local Settings\Temporary Internet Files\Content.IE5\I3WFULKN\pse150en[1].exe


Re: virus/spyware removal " system security" virus

Post by Belahzur on Fri Jun 12, 2009 8:09 pm

Aside from this file:

C:\cleanup.exe

which is a false positive (it's part of The Avenger), the rest are temp files. You can delete cleanup.exe from the C: drive now.

Download [You must be registered and logged in to see this link.]

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


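To make the triage in the reply above explicit, as an added example from the editor and not a tool used in the thread: it parses detection lines in the format ct3151 posted and sorts each target by where it lives. Items under Temporary Internet Files or Local Settings\Temp are cached downloads that the temp cleanup in the reply removes; a blocked URL needs no file action; anything else (here C:\cleanup.exe, which the reply identified as The Avenger's own file) is set aside for manual review rather than auto-resolved, since the classifier cannot know that on its own. The location classes are the editor's assumptions, and the sample lines are constructed from the post above with the redacted URL replaced by a placeholder host.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the layout of the detections posted above; the blocked URL
# is redacted on the page, so a placeholder host stands in for it here.
SAMPLE_REPORT = """\
1. detected: riskware Trojan.generic Running process: C:\\Documents and Settings\\charles ray\\Local Settings\\Temp\\SVGInstallTemp.0000\\Winstall.exe
2. detected: Trojan program Trojan-Downloader.JS.LuckySploit.o URL: http://placeholder.invalid/blocked
3. not found: Trojan program Trojan.Win32.Zapchast.uy File: C:\\cleanup.exe
4. detected: riskware Hidden install Running process: C:\\Documents and Settings\\charles ray\\Local Settings\\Temporary Internet Files\\Content.IE5\\DQRO7PRB\\eu261en[1].exe
5. detected: riskware Hidden install Running process: C:\\Documents and Settings\\charles ray\\Local Settings\\Temporary Internet Files\\Content.IE5\\CTEJODA3\\dpp361en[1].exe
"""

# number, status, scanner label, target kind, target
DETECTION_RE = re.compile(
    r"^(\d+)\.\s*(detected|not found):\s+(.+?)\s+(Running process|File|URL):\s+(\S.*?)\s*$"
)


@dataclass
class Detection:
    number: int
    status: str    # "detected" or "not found"
    label: str     # scanner's category and name, e.g. "riskware Hidden install"
    kind: str      # "Running process", "File" or "URL"
    target: str
    location: str  # class assigned by classify()


def classify(kind: str, target: str) -> str:
    """Editor's location classes: only clearly transient locations are auto-resolved."""
    t = target.lower()
    if kind == "URL":
        return "url_blocked"
    if "\\temporary internet files\\" in t:
        return "browser_cache"
    if "\\local settings\\temp\\" in t or "\\windows\\temp\\" in t:
        return "temp"
    return "review"


def parse_report(report: str) -> List[Detection]:
    found: List[Detection] = []
    for line in report.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue  # skip prose or blank lines between detections
        num, status, label, kind, target = m.groups()
        found.append(Detection(int(num), status, label, kind, target, classify(kind, target)))
    return found


def needs_review(detections: List[Detection]) -> List[str]:
    """Targets outside the transient locations, to be judged by a person."""
    return [d.target for d in detections if d.location == "review"]


def summarize(detections: List[Detection]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for d in detections:
        counts[d.location] = counts.get(d.location, 0) + 1
    return counts


if __name__ == "__main__":
    ds = parse_report(SAMPLE_REPORT)
    print(summarize(ds))
    print("review:", needs_review(ds))
```

On the full list from the post, seven of the eight entries land in `temp` or `browser_cache` and one in `url_blocked`, leaving only C:\cleanup.exe in the review bucket, which is exactly the split the reply makes.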

Re: virus/spyware removal " system security" virus

Post by ct3151 on Fri Jun 12, 2009 9:05 pm

All clear. Again, many thanks... you guys are GREAT!!!!
