problems after removed fake system security


Post by pulkmyzale on Tue Jul 28, 2009 1:50 pm

Hello, first of all I'm not sure whether I completely removed Fake System Security. After deleting that random-numbers file with IceSword and after an Anti-Malware scan and removing all the trojans etc. that Anti-Malware found, the next day I tried to log in to Windows XP, but after 10 seconds there was a black screen and Windows logged off. I can only log in with Last Known Good Configuration. It seems there's no more fake security, but I can't run most .exe files and can't install most programs because of runtime errors or "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." But I CAN run some security programs like Ad-Aware or IObit Security 360, and I could install only one program out of the ~10 I tried: Winamp. Also I can't unrar programs but CAN unzip them. I can't run Notepad or copy the HijackThis scan. On the desktop all icons are normal, but in folders the .exe files I can't run have no picture, just a white window with a blue line at the top and 3 white dots on the right. So I don't know whether I deleted something important when I got that fake security (I found this site a little later) or whether I still have something left of that virus. Thanks for the help.

pulkmyzale
Novice
Posts : 5
Joined : 2009-07-27
OS : XP

Re: problems after removed fake system security

Post by Belahzur on Tue Jul 28, 2009 5:09 pm

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: problems after removed fake system security

Post by pulkmyzale on Tue Jul 28, 2009 5:50 pm

When I install it, the icon on the desktop and in the folder is just a white window, not a picture, and I can't run it. But I have another HijackThis exe renamed to winlogon and I can do 'system scan and save a log file', but after that I can't open hijackthis.log.


Re: problems after removed fake system security

Post by pulkmyzale on Wed Jul 29, 2009 10:56 am

OK, today somehow Windows started normally, but with some errors; I didn't see them, but I heard the sounds. Most exes now work, but the security scanner still found some of the same files from that fake security system.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:47:24, on 2009.07.29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DevManAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\CD-R\CDBurnerXP Pro\Tools\NMSAccess.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ms18_word.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\8.tmp
C:\WINDOWS\system32\do_not_delete.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\IObit Security 360\IObit Security 360.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Documents and Settings\All Users\Documents\incomingas\winlogon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Mininova Toolbar - {f592709f-ff4a-4862-b659-4afabda56312} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)
O2 - BHO: Mininova Toolbar - {f592709f-ff4a-4862-b659-4afabda56312} - (no file)
O3 - Toolbar: Mininova Toolbar - {f592709f-ff4a-4862-b659-4afabda56312} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe
O4 - HKLM\..\Run: [ms18_word] C:\WINDOWS\system32\ms18_word.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [DriverCure] C:\Program Files\ParetoLogic\DriverCure\DriverCure.exe -scan
O4 - HKCU\..\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe
O4 - HKLM\..\Policies\Explorer\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe
O4 - HKCU\..\Policies\Explorer\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ms18_word] C:\Documents and Settings\x\ms18_word.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PokerTime Poker - {7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - (no file)
O23 - Service: SysUtils Device Manager Agent Service (DevManSvc) - Unknown owner - C:\WINDOWS\system32\DevManAgent.exe
O23 - Service: IS360service - Unknown owner - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CD-R\CDBurnerXP Pro\Tools\NMSAccess.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe (file missing)
O23 - Service: npkcmsvc - Unknown owner - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 10840 bytes

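The O4 section of the log above shows the same binaries registered from several autorun locations. The following is an added example, not code from the forum or from HijackThis, that parses O4 lines copied from that log and flags targets that are registered under a Policies\Explorer\Run key or that run from more than one directory; the sample lines and the two heuristics are constructed for illustration.

```python
import re
from collections import defaultdict

# Shape of a HijackThis "O4" registry autorun line:
#   O4 - <key>: [<name>] <command> [(User '<user>')]
O4_RE = re.compile(
    r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)

# Constructed sample: a subset of the O4 lines from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe
O4 - HKLM\..\Run: [ms18_word] C:\WINDOWS\system32\ms18_word.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe
O4 - HKLM\..\Policies\Explorer\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe
O4 - HKCU\..\Policies\Explorer\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ms18_word] C:\Documents and Settings\x\ms18_word.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [do_not_delete] C:\WINDOWS\system32\do_not_delete.exe (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
"""


def target_binary(cmd: str) -> str:
    """Return the executable a command line launches, lower-cased.

    A quoted path is taken whole; otherwise the command is cut after the
    first '.exe' token, so 'RUNDLL32.EXE C:\\...\\NvCpl.dll,NvStartup'
    yields 'rundll32.exe'. Commands without '.exe' keep their first token.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 0 else cmd.lower()
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return (m.group(1) if m else cmd.split()[0]).lower()


def parse_o4(log_text: str):
    """Yield (location, entry name, target path) for each O4 registry entry.

    Startup-folder entries ('O4 - Startup: x.lnk = ...') have no [name]
    part and are skipped; per-user hives get the user appended to the key.
    """
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        loc = m.group("key")
        if m.group("user"):
            loc += f" (User '{m.group('user')}')"
        yield loc, m.group("name"), target_binary(m.group("cmd"))


def suspicious_autoruns(log_text: str, min_paths: int = 2) -> dict:
    """Group entries by file name and apply two constructed heuristics:

    1. 'policies-run-key': registered under a Policies\\Explorer\\Run key,
       which legitimate software rarely uses;
    2. 'multiple-paths': the same file name launched from two or more
       different directories (e.g. system32 and a user profile).

    A file such as ctfmon.exe that is listed in many hives but always from
    one path and never under Policies is deliberately not flagged.
    """
    by_name = defaultdict(lambda: {"locations": set(), "paths": set()})
    for loc, _name, path in parse_o4(log_text):
        base = path.rsplit("\\", 1)[-1]
        by_name[base]["locations"].add(loc)
        by_name[base]["paths"].add(path)

    flagged = {}
    for base, info in by_name.items():
        reasons = []
        if any("policies\\explorer\\run" in loc.lower() for loc in info["locations"]):
            reasons.append("policies-run-key")
        if len(info["paths"]) >= min_paths:
            reasons.append("multiple-paths")
        if reasons:
            flagged[base] = {
                "locations": sorted(info["locations"]),
                "paths": sorted(info["paths"]),
                "reasons": reasons,
            }
    return flagged


if __name__ == "__main__":
    for name, info in suspicious_autoruns(SAMPLE_LOG).items():
        print(name, info["reasons"], len(info["locations"]), "location(s)")
```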

Re: problems after removed fake system security

Post by Belahzur on Wed Jul 29, 2009 4:16 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both reports to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt.



Re: problems after removed fake system security

Post by pulkmyzale on Wed Jul 29, 2009 4:23 pm

DDS (Ver_09-06-26.01) - NTFSx86
Run by x at 19:19:07,39 on 2009.07.29
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1257.370.1033.18.255.85 [GMT 3:00]

AV: Eset NOD32 antivirus system 2.51 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\DevManAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\CD-R\CDBurnerXP Pro\Tools\NMSAccess.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
svchost.exe C:\WINDOWS\TEMP\VRT4.tmp
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\do_not_delete.exe
C:\WINDOWS\system32\ms18_word.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\All Users\Documents\incomingas\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
uURLSearchHooks: Mininova Toolbar: {f592709f-ff4a-4862-b659-4afabda56312} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {aa58ed58-01dd-4d91-8333-cf10577473f7} - Google Toolbar Helper
BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - Google Toolbar Notifier BHO
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - Google Dictionary Compression sdch
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {f592709f-ff4a-4862-b659-4afabda56312} - Mininova Toolbar
TB: Mininova Toolbar: {f592709f-ff4a-4862-b659-4afabda56312} -
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} -
TB: {B9D1647F-A66A-4695-B249-07901A45FF59} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
uRun: [DriverCure] c:\program files\paretologic\drivercure\DriverCure.exe -scan
uRun: [do_not_delete] c:\windows\system32\do_not_delete.exe
uRun: [ms18_word] c:\documents and settings\x\ms18_word.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [IObit Security 360] c:\program files\iobit\iobit security 360\IS360tray.exe
mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [do_not_delete] c:\windows\system32\do_not_delete.exe
mRun: [ms18_word] c:\windows\system32\ms18_word.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
dRun: [Monopod] c:\windows\temp\b.exe
dRun: [do_not_delete] c:\windows\system32\do_not_delete.exe
dRun: [ms18_word] c:\documents and settings\x\ms18_word.exe
uExplorerRun: [do_not_delete] c:\windows\system32\do_not_delete.exe
mExplorerRun: [do_not_delete] c:\windows\system32\do_not_delete.exe
dExplorerRun: [do_not_delete] c:\windows\system32\do_not_delete.exe
StartupFolder: c:\docume~1\x\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Download all with Free Download Manager - [You must be registered and logged in to see this link.] files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - [You must be registered and logged in to see this link.] files\free download manager\dlselected.htm
IE: Download web site with Free Download Manager - [You must be registered and logged in to see this link.] files\free download manager\dlpage.htm
IE: Download with Free Download Manager - [You must be registered and logged in to see this link.] files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {13C1DBF6-7535-495c-91F6-8C13714ED485}
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF}
IE: {49783ED4-258D-4f9f-BE11-137C18D3E543}
IE: {7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79}
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\imon.dll
LSP: c:\program files\vmware\vmware player\vsocklib.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - [You must be registered and logged in to see this link.]
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - [You must be registered and logged in to see this link.]
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: NVDESK32.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-25 64160]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2008-10-28 54960]
R3 IS360service;IS360service;c:\program files\iobit\iobit security 360\IS360srv.exe [2009-6-16 224528]
RUnknown protect;protect; [x]
S0 lxlwn;lxlwn;c:\windows\system32\drivers\xdsfhp.sys --> c:\windows\system32\drivers\xdsfhp.sys [?]
S2 FAH-01;Folding Service #01; [x]
S2 FAH-02;Folding Service #02; [x]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
S2 NOD32krn;NOD32 Kernel Service;"c:\program files\eset\nod32krn.exe" --> c:\program files\eset\nod32krn.exe [?]
S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\x\locals~1\temp\{55638dd9-d5a9-11d3-b74b-204c4f4f5020}\amdmsrio.sys --> c:\docume~1\x\locals~1\temp\{55638dd9-d5a9-11d3-b74b-204c4f4f5020}\AMDMSRIO.sys [?]
UnknownUnknown DevManSvc;DevManSvc; [x]

=============== Created Last 30 ================

2009-07-29 18:00 103 a------- c:\windows\GKLauncherInfo.ini
2009-07-29 17:59 208 a------- c:\windows\freestylegameInfo.xml
2009-07-29 17:51 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-29 14:15 --d----- c:\program files\2029
2009-07-29 13:44 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-29 13:26 53,248 a------- c:\windows\system32\8.tmp
2009-07-29 13:26 44,968 a------- c:\documents and settings\x\ms18_word.exe
2009-07-29 13:26 44,968 a------- c:\windows\system32\ms18_word.exe
2009-07-28 20:35 --d----- c:\program files\Trend Micro
2009-07-27 16:10 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-27 16:10 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-26 20:13 67,584 a------- c:\windows\system32\do_not_delete.exe
2009-07-26 20:13 1 a------- c:\windows\system32\_id.dat
2009-07-26 14:28 360,960 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-07-26 02:45 --d----- c:\docume~1\x\applic~1\DriverCure
2009-07-26 02:45 --d----- c:\program files\common files\ParetoLogic
2009-07-26 02:45 --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-07-26 02:45 --d----- c:\docume~1\alluse~1\applic~1\DriverCure
2009-07-26 02:44 --d----- c:\program files\ParetoLogic
2009-07-26 02:27 166,400 a------- c:\windows\REGEDIT.VEXE
2009-07-26 02:27 23,552 a------- c:\windows\system32\REGEDT32.VEXE
2009-07-26 00:28 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-25 23:20 --d----- c:\docume~1\x\applic~1\Malwarebytes
2009-07-25 23:18 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-25 23:15 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-25 23:07 --d----- c:\program files\Lavasoft
2009-07-25 23:04 88 a------- c:\windows\system32\88.tmp
2009-07-25 20:58 -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-07-25 16:12 --d----- c:\docume~1\alluse~1\applic~1\12699064
2009-07-25 16:12 380 a------- c:\windows\system32\976099
2009-07-25 16:10 132 a------- c:\windows\system32\75.tmp
2009-07-25 15:59 --d----- c:\program files\Uniblue
2009-07-25 15:59 -cd-h--- c:\docume~1\alluse~1\applic~1\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-07-25 13:49 88 a------- c:\windows\system32\479.tmp
2009-07-23 20:52 --d----- c:\docume~1\x\applic~1\Uniblue
2009-07-23 01:35 --d----- C:\OS
2009-07-23 01:24 --d----- c:\program files\Clear Read-Only
2009-07-22 19:59 55,856 a----r-- c:\windows\system32\vnetinst.dll
2009-07-22 19:59 16,560 a----r-- c:\windows\system32\drivers\vmnetadapter.sys
2009-07-22 19:58 326,192 a------- c:\windows\system32\vmnetdhcp.exe
2009-07-22 19:58 399,920 a------- c:\windows\system32\vmnat.exe
2009-07-22 19:58 26,288 a------- c:\windows\system32\drivers\vmnetuserif.sys
2009-07-22 19:58 50,736 a----r-- c:\windows\system32\vmnetbridge.dll
2009-07-22 19:58 31,280 a----r-- c:\windows\system32\drivers\vmnetbridge.sys
2009-07-22 19:58 18,736 a----r-- c:\windows\system32\drivers\vmnet.sys
2009-07-22 19:58 723,504 a------- c:\windows\system32\vnetlib.dll
2009-07-22 19:57 23,216 a------- c:\windows\system32\drivers\VMkbd.sys
2009-07-22 19:56 --d----- c:\program files\VMware
2009-07-19 02:09 --d----- C:\Python31

==================== Find3M ====================

2009-07-26 14:28 360,960 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-06-26 20:22 2,129,408 a------- c:\windows\system32\python31.dll
2009-06-16 17:45 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 17:45 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 22:24 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-07 18:26 346,112 a------- c:\windows\system32\localspl.dll
2009-05-05 23:55 26,384 a------- c:\docume~1\x\applic~1\GDIPFONTCACHEV1.DAT
2009-04-03 01:41 22,328 a------- c:\docume~1\x\applic~1\PnkBstrK.sys
2009-03-05 23:05 34 a------- c:\documents and settings\x\jagex_runescape_preferences.dat
2009-03-12 11:26 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2009-03-12 11:26 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2009-03-12 11:26 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 19:19:55,59 ===============


Re: problems after removed fake system security

Post by Belahzur on Wed Jul 29, 2009 6:07 pm

I'm afraid I have bad news.

Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) or screensavers (*.scr). It attempts to infect any accessed .exe or .scr file by appending itself to the executable.

Also, avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Recent variants also modify htm, html, asp and php files.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.


For more information, please see [You must be registered and logged in to see this link.]

Instructions on how to format and reinstall Windows can be found [You must be registered and logged in to see this link.]


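A small checker, added here and not part of the advice in the post above, that applies those backup rules to a folder before it is burned to disc: .exe/.scr files and zip archives that contain them are excluded, while htm/html/asp/php files and cab/rar archives (which the standard library cannot open) are marked for manual review. The sample folder it builds is constructed for the demonstration.

```python
import os
import tempfile
import zipfile

# Rule set constructed from the advice above: Virut infects .exe/.scr,
# recent variants also modify web files, and archives can carry infected
# executables inside them.
INFECTABLE = {".exe", ".scr"}
WEB_FILES = {".htm", ".html", ".asp", ".php"}
ARCHIVES = {".zip", ".cab", ".rar"}


def classify_archive(path: str) -> str:
    """Look inside an archive for executables.

    Only zip can be read with the standard library; cab/rar are returned
    as 'review' so a person opens them before they go onto the backup.
    """
    if not zipfile.is_zipfile(path):
        return "review"
    with zipfile.ZipFile(path) as zf:
        for member in zf.namelist():
            if os.path.splitext(member)[1].lower() in INFECTABLE:
                return "exclude"
    return "ok"


def classify_file(path: str) -> str:
    """Return 'exclude', 'review' or 'ok' for one file in a backup set."""
    ext = os.path.splitext(path)[1].lower()
    if ext in INFECTABLE:
        return "exclude"      # would carry the infector into the backup
    if ext in WEB_FILES:
        return "review"       # may have been modified; inspect before restoring
    if ext in ARCHIVES:
        return classify_archive(path)
    return "ok"


def audit_backup(root: str) -> dict:
    """Walk a backup tree and map each relative path to its verdict."""
    verdicts = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            verdicts[rel] = classify_file(full)
    return verdicts


def demo() -> dict:
    """Build a constructed backup folder in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        # Constructed sample files; the contents are placeholders, only the
        # names and the zip members matter to the classifier.
        files = {
            "docs/thesis.doc": b"word document",
            "docs/site.html": b"<html></html>",
            "setup.exe": b"MZ placeholder",
            "saver.scr": b"MZ placeholder",
            "photos.rar": b"Rar! placeholder",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        with zipfile.ZipFile(os.path.join(root, "clean.zip"), "w") as zf:
            zf.writestr("notes.txt", "plain text")
        with zipfile.ZipFile(os.path.join(root, "tools.zip"), "w") as zf:
            zf.writestr("readme.txt", "tools")
            zf.writestr("bin/tool.exe", "MZ placeholder")
        return audit_backup(root)


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:8} {rel}")
```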

Re: problems after removed fake system security

Post by pulkmyzale on Thu Jul 30, 2009 12:18 am

That's bad, thanks for the help.
