"System Security" headaches

Post by hansmax on 7th August 2009, 12:34 am

I'm trying to get rid of the "System Security" malware on my son's Vista laptop. I have looked into removal instructions, and downloaded Malwarebytes and Spyware Doctor, however, Malwarebytes freezes at about 35,000 files checked, and I can't update either of them, due to the fact that I can't add them as allowable programs to the Windows firewall because the change settings window of the firewall freezes when I select those programs and click on add (or whatever it says). I attempted to locate his hosts file, thinking that I might try to start the manual removal process (not a small undertaking for me). However, I don't find an "etc" folder in C:/Windows/drivers. The next step is a reformatting, after I get all 130 GB of the files he needs to save transferred somewhere else. Any input as to where I need to go next would be appreciated. I have downloaded the Process Explorer from Sysinternals, so I can kill the program for limited periods of time.

Here's his Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:39 PM, on 8/6/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16851)
Boot mode: Normal

Running processes:
C:\Windows\system32\drivers\smss.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\system32\taskeng.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Users\Thansmann\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\Thansmann\AppData\Local\Temp\smss.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\cmd.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Users\Thansmann\AppData\Local\Google\Update\1.2.183.7\GoogleCrashHandler.exe
G:\winlogon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\drivers\smss.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: C:\Windows\system32\sdcvddd.dll - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\SYSTEM32\SDCVDDD.DLL
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\Windows\system32\autochk.dll,_IWMPEvents@16
O4 - HKLM\..\Run: [19721334] C:\ProgramData\19721334\19721334.exe
O4 - HKLM\..\Run: [winupdate.exe] C:\Windows\system32\winupdate.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Users\Thansmann\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\Windows\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [Windows System Recover!] C:\Users\Thansmann\AppData\Local\Temp\smss.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [] C:\Windows\TEMP\j1ocg7.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\Windows\TEMP\j1ocg7.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows System Recover!] C:\Windows\TEMP\login.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] C:\Windows\TEMP\j1ocg7.exe (User 'Default user')
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1.200\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{80FFCD10-AA31-4BD9-8763-84BA9CD762FA}: NameServer = 85.255.112.180,85.255.112.173
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7FF2B18-DBC5-42BE-8CF5-2AEB8A7CB7AD}: NameServer = 85.255.112.180,85.255.112.173
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.180,85.255.112.173
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.180,85.255.112.173
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: rtasgvfu76ew8ndkfno94 - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\SYSTEM32\SDCVDDD.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe

--
End of file - 11575 bytes

hansmax
Novice

Posts : 20
Joined : 2009-08-07
OS : XPMCE, Win7Home
Protection : avast Pro
Points : 26842
# Likes : 0

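A HijackThis log like the one above is easier to read if the obvious indicators are pulled out mechanically first: executables started from a Temp directory, system process names (smss.exe, winlogon.exe) living outside their real directory, an extra entry on the UserInit line, an unnamed Run value, a policy that disables regedit, an unknown Winsock LSP, and hard-coded DNS servers. The script below is an added example, not part of the thread and not part of HijackThis; the tag names are its own, it assumes a default Windows install on C:, and its sample input is a constructed excerpt in the log's format that reuses the paths and name-server addresses posted above.

```python
import re

# Process names that the malware in this thread imitated. Their legitimate copies
# live only under C:\Windows or C:\Windows\system32 (assumption: default install on C:).
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                        "lsass.exe", "svchost.exe", "explorer.exe"}
LEGIT_SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}
LEGIT_USERINIT = "c:\\windows\\system32\\userinit.exe"
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
EXE_PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)
ENTRY_RE = re.compile(r"^([RFO]\d+) - ")          # R0/R1, F2, O4 ... O23 entries
NAMESERVER_RE = re.compile(r"NameServer = ([\d.,]+)")

# Constructed sample in HijackThis v2 log format, modelled on the log posted in
# the thread (paths and name-server addresses are the ones from that log).
SAMPLE_LOG = r"""
Running processes:
C:\Windows\system32\Dwm.exe
C:\Users\Thansmann\AppData\Local\Temp\smss.exe
G:\winlogon.exe

F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\drivers\smss.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Windows System Recover!] C:\Users\Thansmann\AppData\Local\Temp\smss.exe
O4 - HKUS\S-1-5-18\..\Run: [] C:\Windows\TEMP\j1ocg7.exe (User 'SYSTEM')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.180,85.255.112.173
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


def check_path(path):
    """Return indicator tags for one executable path (empty list = nothing odd)."""
    tags = []
    if TEMP_DIR_RE.search(path):
        tags.append("exe-in-temp")
    parent, _, name = path.lower().rpartition("\\")
    if name in SYSTEM_PROCESS_NAMES and parent not in LEGIT_SYSTEM_DIRS:
        tags.append("system-name-wrong-dir")
    return tags


def triage(log_text, trusted_dns=frozenset()):
    """Scan a HijackThis log; return (tag, line) pairs that deserve a closer look.

    trusted_dns: name-server addresses the machine is supposed to use; any O17
    entry naming a server outside that set is reported as 'hardcoded-dns'.
    """
    findings = []
    in_process_list = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            in_process_list = False
            code = entry.group(1)
            if code == "F2" and "UserInit=" in line:
                values = [v.strip().lower() for v in line.split("UserInit=", 1)[1].split(",")]
                if any(v and v != LEGIT_USERINIT for v in values):
                    findings.append(("userinit-extra-entry", line))
            elif code == "O4":
                if re.search(r"\[\] ", line):                 # Run value with no name
                    findings.append(("unnamed-run-value", line))
                path = EXE_PATH_RE.search(line)
                if path:
                    findings.extend((tag, line) for tag in check_path(path.group(1)))
            elif code == "O7":                                # policy restrictions
                findings.append(("policy-restriction", line))
            elif code == "O10" and "Unknown file" in line:
                findings.append(("unknown-winsock-lsp", line))
            elif code == "O17":
                m = NAMESERVER_RE.search(line)
                if m and any(s not in trusted_dns for s in m.group(1).split(",")):
                    findings.append(("hardcoded-dns", line))
            continue
        if line == "Running processes:":
            in_process_list = True
            continue
        if in_process_list and re.match(r"^[A-Za-z]:\\", line):
            findings.extend((tag, line) for tag in check_path(line))
    return findings


if __name__ == "__main__":
    for tag, line in triage(SAMPLE_LOG):
        print(f"{tag:24} {line}")
```

Run stand-alone it prints one tagged line per hit; on the sample that is every line except Dwm.exe, the QuickTime Run entry and the Bonjour service. A 'hardcoded-dns' hit is only a prompt to compare the addresses with what the ISP or router should be handing out, which is what the trusted_dns allow-list is for.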

Re: "System Security" headaches

Post by Belahzur on 7th August 2009, 11:10 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
# Likes : 1


Re: "System Security" headaches

Post by hansmax on 8th August 2009, 1:30 am

I made an attempt to do the above, but with little success. I renamed the file as instructed. I had to uninstall Spyware Doctor and SuperAntiSpyware to get them to stop running. The computer started shutting down, restarting, shutting down, etc. I am now in safe mode. I couldn't shut down McAfee completely, but ran Combo-Fix anyway. It has given me the names of about 7 files it claims are rootkits. This is getting a little worse each time I try something. Still working at it, and will report back if anything positive happens.


Re: "System Security" headaches

Post by hansmax on 8th August 2009, 1:36 am

Combo-Fix told me to write the names of the files down. They are:

C:\Windows\system32\drivers\MSIVserv.sys
C:\Windows\system32\drivers\hjgruilikejsxl.sys
(sys32)
C:\Windows\system32\hjgruiajqnuatk.dll
C:\Windows\system32\hjfruivigneijt.dat
C:\Windows\system32\hjgruimgaphcun.dll
C:\Windows\system32\dhgruiqolkxdwe.dat

I rebooted, as instructed. What happens next?


Re: "System Security" headaches

Post by Belahzur on 8th August 2009, 5:24 pm

Hello.
I know of the rootkit's presence, but thanks anyway.

After reboot, Combofix should continue.



Re: "System Security" headaches

Post by hansmax on 9th August 2009, 12:12 am

It did not.


Re: "System Security" headaches

Post by hansmax on 9th August 2009, 12:48 am

I ran it again, and this time it ran all 30-some levels and rebooted. Right now it is preparing the log report, but it has been a while and I think it may be frozen. I'm still getting the System Security malware popping up and nagging me every three minutes or so.


Re: "System Security" headaches

Post by hansmax on 9th August 2009, 1:00 am

I finally got a log file out of it, but when I tried to paste it here it wouldn't send. It said the message is "too big".


Re: "System Security" headaches

Post by Belahzur on 9th August 2009, 1:09 am

Can you upload it to rapidshare.com, then copy/paste the share URL back here?



Re: "System Security" headaches

Post by hansmax on 10th August 2009, 2:43 pm

[You must be registered and logged in to see this link.]


Re: "System Security" headaches

Post by Belahzur on 10th August 2009, 3:34 pm

Hello.
That didn't work right.

After uploading, it gives you a URL on the page, not the link from your browser address bar.



Re: "System Security" headaches

Post by hansmax on 11th August 2009, 6:52 pm

Sorry, hope this works:

[You must be registered and logged in to see this link.]


Re: "System Security" headaches

Post by hansmax on 12th August 2009, 2:15 am

I screwed the last one up. Let's try again:

[You must be registered and logged in to see this link.]


Re: "System Security" headaches

Post by Belahzur on 12th August 2009, 4:46 pm

Hello.

Now open a new notepad file.
Input this into the notepad file:

Rootkit::
c:\windows\system32\drivers\hmaawpjpgy.sys
c:\windows\system32\drivers\str.sys

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mjqusdj]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"19721334"=-

Folder::
c:\programdata\19721334

File::
c:\windows\system32\drivers\smss.exe_

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:

This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.



Re: "System Security" headaches

Post by hansmax on 12th August 2009, 8:23 pm

So far so good. Here's the link:

[You must be registered and logged in to see this link.]


Re: "System Security" headaches

Post by hansmax on 12th August 2009, 8:33 pm

One major glitch: When I attempted to open Task Manager or Control Panel I got an error message: "Illegal operation attempted on a registry key that has been marked for deletion."


Re: "System Security" headaches

Post by Belahzur on 12th August 2009, 9:28 pm

Could be the malware causing it, not sure yet.
We're gonna need to run another script, but first, let's uninstall a few things.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.



Re: "System Security" headaches

Post by hansmax on 13th August 2009, 1:40 am

Here it is:

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.0
Adobe Shockwave Player
AIM 6
Alarm Clock v1.0
Apple Mobile Device Support
Apple Software Update
Bonjour
Choice Guard
Compatibility Pack for the 2007 Office system
CyberLink YouCam
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
DVD Suite
EA Link
ESU for Microsoft Vista
Fwink
Hauppauge MCE XP/Vista Software Encoder (2.0.25149)
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent for Health Check
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Customer Experience Enhancements
HP Doc Viewer
HP Easy Setup - Frontend
HP Help and Support
HP Photosmart Essential 2.5
HP Quick Launch Buttons 6.30 E1
HP QuickPlay 3.6
HP QuickTouch 1.00 C4
HP Smart Web Printing
HP Total Care Advisor
HP Update
HP User Guides 0087
HP Wireless Assistant
HPNetworkAssistant
Intel® Matrix Storage Manager
iTunes
Java(TM) 6 Update 2
LabelPrint
LimeWire 4.18.8
Malwarebytes' Anti-Malware
McAfee VirusScan Enterprise
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Motorola SM56 Data Fax Modem
Mozilla Firefox (3.0.11)
MSCU for Microsoft Vista
MSN Webcam Recorder 17.0
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 6.1
My HP Games
NVIDIA Drivers
Power2Go
PowerDirector
QuickPlay SlingPlayer 0.4.4
QuickTime
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
Realtek High Definition Audio Driver
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Media Encoder (KB954156)
Slingbox Flash Tour
SlingPlayer
SUPERAntiSpyware Free Edition
Synaptics Pointing Device Driver
The Sims™ Life Stories
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb970012)
VC80CRTRedist - 8.0.50727.762
VideoLAN VLC media player 0.8.6f
Viewpoint Media Player
Vongo
WeatherBug Gadget
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Player Firefox Plugin
WinRAR archiver
Yahoo! Install Manager
Yahoo! Toolbar


Re: "System Security" headaches

Post by Belahzur on 13th August 2009, 4:27 pm

Hello.

  • Click Start >> Control Panel.
  • Under the Programs click Uninstall a Program
  • Highlight the following:

    Java(TM) 6 Update 2
    LimeWire 4.18.8
    Viewpoint Media Player

  • Click on the Uninstall/Change button at the top.

Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\system32\drivers\hmaawpjpgy.sys

Registry::
[-HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy]
""=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
""=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications]
""=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
""=-

Save this as CFscript.txt, save it to your desktop also.
Then drag and drop CFscript.txt into combofix as seen below:

This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

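The CFScript in the post above is a small declarative format, and a helper normally wants to see exactly which file, keys and values it will touch before handing it to someone to run. The Python below is an added example (not ComboFix's code, and not the poster's); it parses the File:: and Registry:: sections into a dry-run plan and prints it. Assumptions, marked in the comments: ComboFix's `~` shorthand in `HKLM\~\services\...` stands for `SYSTEM\CurrentControlSet`; `[-KEY]` deletes a key and `"Name"=-` deletes the named value, as in .reg files; the function and class names are mine, and the embedded script is a constructed copy of the one posted.

```python
"""Dry-run reader for a ComboFix CFScript.

Added example, not ComboFix's or the poster's code.  Assumptions, marked in
comments: ``~`` in ``HKLM\\~\\services\\...`` stands for
``SYSTEM\\CurrentControlSet``; ``[-KEY]`` deletes a key and ``"Name"=-``
deletes a value, following .reg-file syntax.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed copy of the script posted above (abridged to two profile keys).
SAMPLE_CFSCRIPT = r"""
File::
c:\windows\system32\drivers\hmaawpjpgy.sys

Registry::
[-HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy]
""=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
""=-
"""

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKU": "HKEY_USERS"}


@dataclass
class Plan:
    """What the script would do, in the order ComboFix reads it (nothing is executed)."""
    files: List[str] = field(default_factory=list)
    delete_keys: List[str] = field(default_factory=list)
    delete_values: List[Tuple[str, str]] = field(default_factory=list)  # (key, value name)


def expand_key(key: str) -> str:
    """Expand hive abbreviations and the ComboFix ``~`` shorthand.

    Assumption: ``~`` followed by ``services`` means SYSTEM\\CurrentControlSet;
    any other use of ``~`` is left untouched rather than guessed.
    """
    hive, _, rest = key.partition("\\")
    hive = HIVES.get(hive.upper(), hive)
    if rest.lower().startswith("~\\services\\"):
        rest = "SYSTEM\\CurrentControlSet\\" + rest[2:]
    return hive + "\\" + rest


def parse_cfscript(text: str) -> Plan:
    """Parse the File:: and Registry:: sections into a Plan (no side effects)."""
    plan = Plan()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                       # section header, e.g. "Registry::"
            section, current_key = line[:-2].lower(), None
        elif section is None:
            raise ValueError(f"line before any section header: {raw!r}")
        elif section == "file":
            plan.files.append(line)                   # one path per line
        elif section == "registry":
            if line.startswith("[-") and line.endswith("]"):     # [-KEY]  -> delete whole key
                plan.delete_keys.append(expand_key(line[2:-1]))
                current_key = None
            elif line.startswith("[") and line.endswith("]"):    # [KEY]   -> select key
                current_key = expand_key(line[1:-1])
            else:                                                 # "Name"=- -> delete value
                m = re.fullmatch(r'"(.*)"=-', line)
                if m is None or current_key is None:
                    raise ValueError(f"unsupported Registry:: line: {raw!r}")
                plan.delete_values.append((current_key, m.group(1)))
        # other CFScript sections (Folder::, Driver::, ...) are ignored here
    return plan


def describe(plan: Plan) -> List[str]:
    """Human-readable dry run for the helper to check before the script is used."""
    out = [f"delete file   {p}" for p in plan.files]
    out += [f"delete key    {k}" for k in plan.delete_keys]
    out += [f"delete value  {k} -> {name!r}" for k, name in plan.delete_values]
    return out


if __name__ == "__main__":
    print("\n".join(describe(parse_cfscript(SAMPLE_CFSCRIPT))))
```

Running it lists one driver file, one deleted key under the .DEFAULT profile's Explorer policies, and two empty-named values cleared under the firewall policy keys; the empty value name is what `""=-` denotes in .reg syntax, so it is reported as `''` rather than guessed to be the default value.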

Re: "System Security" headaches

Post by hansmax on 13th August 2009, 8:29 pm

I can't access the Control Panel.


Re: "System Security" headaches

Post by hansmax on 13th August 2009, 8:38 pm

I got it in safe mode, but when I click to uninstall, it tells me: "The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed."


Re: "System Security" headaches

Post by Belahzur on 14th August 2009, 6:27 pm

Darn, forgot about that.
Oh well, just run the CFScript for now.





Re: "System Security" headaches

Post by hansmax on 14th August 2009, 6:35 pm

I'm working on it now. I may get interrupted, but now is a good time to say thanks for hanging in there and helping me out. I will post back when I get it all together.


Re: "System Security" headaches

Post by hansmax on 15th August 2009, 12:15 am

Here's the log:

[You must be registered and logged in to see this link.]


Re: "System Security" headaches

Post by hansmax on 15th August 2009, 12:28 am

In a further good news/bad news development, I went back into Control Panel (this time I was able to access it in "regular", not safe, mode). I was then able to uninstall the three programs above without any problem. The bad news is that I am not able to access web pages with either IE or Firefox, even though the network icon in the system tray says the laptop is connected to my home wireless network, with five bars, no less.


Re: "System Security" headaches

Post by Belahzur on 15th August 2009, 1:59 am

Hello.
The log shows Viewpoint still present, uninstall this too: Viewpoint Media Player





Re: "System Security" headaches

Post by hansmax on 15th August 2009, 4:19 pm

I thought I uninstalled it yesterday, and it does not show up in the list of installed programs.


Re: "System Security" headaches

Post by Origin on 15th August 2009, 5:36 pm

Please run a full scan with Malwarebytes and post the results back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master

Posts: 2685
Joined: 2009-05-05
Gender: Male
OS: Windows Xp Sp3
Points: 31523
Likes: 0


Re: "System Security" headaches

Post by hansmax on 15th August 2009, 7:47 pm

Here it is:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 6.0.6000

8/15/2009 2:44:42 PM
mbam-log-2009-08-15 (14-44-42).txt

Scan type: Quick Scan
Objects scanned: 82837
Time elapsed: 3 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

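Origin asked for a full scan, and the log posted above is a quick scan with zero hits, which is the kind of detail a helper has to spot by eye in every reply. The Python below is an added example (not Malwarebytes' code) that reads the Malwarebytes' Anti-Malware 1.x text log layout into summary counts and per-section items, then reports the scan-type mismatch, any reported infections, and any disagreement between the summary counts and the listed items. The first sample is a constructed, abridged copy of the posted log; the second, with a detection, is entirely constructed and its path and detection name are placeholders. Function names are mine.

```python
"""Reader for Malwarebytes' Anti-Malware 1.x text logs.

Added example, not Malwarebytes' code.  It turns the log into counts and
per-section items and checks it against what the helper asked for.
"""
import re
from typing import List

# Constructed, abridged copy of the log posted above.
SAMPLE_QUICK_SCAN = """\
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 6.0.6000

Scan type: Quick Scan
Objects scanned: 82837
Time elapsed: 3 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
"""

# Constructed log with one hit; the path and detection name are placeholders.
SAMPLE_FULL_SCAN_HIT = r"""Scan type: Full Scan
Objects scanned: 250000
Files Infected: 1

Files Infected:
C:\Users\example\AppData\Local\Temp\example.exe (Rogue.Example) -> Quarantined and deleted successfully.
"""

_COUNT = re.compile(r"(.+?) Infected: (\d+)")
_SECTION = re.compile(r"(.+?) Infected:")
_FIELD = re.compile(r"(Scan type|Database version|Objects scanned|Time elapsed): (.*)")


def parse_mbam_log(text: str) -> dict:
    """Return {'scan_type': ..., 'counts': {section: n}, 'items': {section: [lines]}, ...}."""
    info: dict = {"counts": {}, "items": {}}
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if m := _COUNT.fullmatch(line):          # summary line, e.g. "Files Infected: 0"
            info["counts"][m.group(1)] = int(m.group(2))
        elif m := _SECTION.fullmatch(line):      # detail heading, e.g. "Files Infected:"
            section = m.group(1)
            info["items"][section] = []
        elif m := _FIELD.fullmatch(line):        # header fields such as "Scan type: Quick Scan"
            info[m.group(1).lower().replace(" ", "_")] = m.group(2)
            section = None
        elif section is not None and not line.startswith("(No malicious items"):
            info["items"][section].append(line)  # one detected object per line
    return info


def review(info: dict, requested_scan: str = "Full Scan") -> List[str]:
    """Problems a helper would raise about the log; an empty list means the log is
    clean and is the scan type that was asked for."""
    issues = []
    scan_type = info.get("scan_type")
    if scan_type != requested_scan:
        issues.append(f"{requested_scan} was requested but the log shows {scan_type!r}")
    total = sum(info["counts"].values())
    if total:
        issues.append(f"{total} infected object(s) reported")
    for section, items in info["items"].items():   # summary and detail should agree
        if len(items) != info["counts"].get(section, 0):
            issues.append(f"{section}: summary count and listed items disagree")
    return issues


if __name__ == "__main__":
    for sample in (SAMPLE_QUICK_SCAN, SAMPLE_FULL_SCAN_HIT):
        print(review(parse_mbam_log(sample)) or ["no issues"])
```

The parser keys sections by the words before "Infected", so the seven summary counts and the matching detail headings line up without a hard-coded list, and a log that was cut off in the middle of a detail section shows up as a count/items mismatch rather than passing silently.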

Re: "System Security" headaches

Post by Belahzur on 15th August 2009, 8:31 pm

Hello.
How is the machine running now?





Re: "System Security" headaches

Post by hansmax on 16th August 2009, 2:36 am

Everything seems to be good, Belahzur. I seem to be able to access everything, and a winsock repair brought the internet back. One last time, I want to thank you for the large amount of attention you devoted to my problem, and especially for solving it. It's people like you who make the web worth coming back to. Thanks for everything.

