Channel: Tech Support Forum - Virus/Trojan/Spyware Help

"INTERNET SECURITY designed to protect" VIRUS

This correspondence is sent from username - crudeoil. Crudeoil’s infected laptop runs on XP and is a 32 bit computer. I am communicating with you from another laptop with all preliminary logs and reports. As such, all necessary downloads of log and report scanning software and the resulting text reports were transmitted to and from the infected computer and the corresponding computer via flash drive.

The virus on crudeoil’s computer is believed to be INTERNET SECURITY designed to protect. A window popped up containing the above-named security program suspiciously soon after a previous window (believed to be a fake ADOBE FLASH PLAYER update) popped up, which I may have inadvertently activated by passing over it with my mouse. Typically I use the “CTRL/ALT/DEL and end program” termination step for removal of suspected virus pop-up programs when they show up. It may have looked too authentic at the time and I just got lazy.

Also, it appears that another malware-type security program, titled ANTISPYWARE BY ANTISPYWARE LLC (shown to be installed in 2008), already existed on my computer; I noticed the above-named program in my “add and remove program” section during the “reduction to only one security program” step prior to the logging and reporting step. A Google search of the said program described it as a malware security program that would require a special removal technique. The assumption that it has been there results from the 2008 install date. The fact that it has been there since 2008 is perplexing since in May 2012, I had used TSF’s excellent services to resolve a fake MSE generated virus that caused an inability to connect to the internet. I feel like I would have removed ANTISPYWARE BY ANTISPYWARE LLC at that time in the “reduction to only one security program” step of that procedure. The only other possibility is that it may have been inadvertently installed after the 2012 virus removal procedure with a fake install date of 2008. I am just not sure.

Consequently, the log and report provided herein are with ANTISPYWARE BY ANTISPYWARE LLC still being shown in the “add and remove program” section of my hard drive. I did, however, remove MSE to meet the “only one virus program” requirement before logging and reporting.

I might add that all tasks were performed in SAFE MODE. One peculiar occurrence in SAFE MODE, noteworthy in the initial attempt to generate the GMER report, was the high zoom view in all windows. While it didn’t seem to affect the DDS scan, in GMER the SAVE button was not seen below the COPY button anywhere on the page at the high magnification. After finding a procedure to reduce the zoom in SAFE MODE, the SAVE button was present and available for activation.

Pasted below is the copy of the text file “dds” generated by the DDS scan. The other DDS scan text file (zipped), entitled “attach”, and “ark” (also zipped) from the GMER scan are provided as attachments.

Please let me know if you have any other questions that might assist in the resolution of my problem.

Thanking you in advance for your assistance.

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.11.2
Run by Ray at 22:31:00 on 2013-08-17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1715 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.foxnews.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - <orphaned>
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: WOT Helper: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - c:\program files\wot\WOT.dll
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: WOT: {71576546-354D-41c9-AAE8-31F2EC22BF0D} - c:\program files\wot\WOT.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [GFI Backup 2009 - Home Edition] "c:\progra~1\gfi\gfibac~1\GFIAgent.exe"
uRun: [SanDiskSecureAccess_Manager.exe] c:\documents and settings\ray\application data\sandisk\SanDiskSecureAccess_Manager.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] c:\documents and settings\all users\application data\flexnet\connect\11\ISUSPM.exe -scheduler
uRun: [Internet Security] c:\documents and settings\all users\application data\madefender.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [PDFHook] c:\program files\nuance\pdf viewer plus\pdfpro5hook.exe
mRun: [PDF5 Registry Controller] c:\program files\nuance\pdf viewer plus\RegistryController.exe
mRun: [ControlCenter4] c:\program files\controlcenter4\BrCcBoot.exe /autorun
mRun: [BrStsMon00] c:\program files\browny02\brother\BrStMonW.exe /AUTORUN
mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\palm\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INetRepl.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install-ie/alttiff.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs= c:\progra~1\google\google~1\GOEC62~1.DLL
.
============= SERVICES / DRIVERS ===============
.
S0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 211560]
S2 GFIBckHAtt;GFI Backup 2009 - Home Edition Attendant Service;c:\progra~1\gfi\gfibac~1\GFIHInst.exe [2009-7-8 440616]
S2 GFIBckHSched;GFI Backup 2009 - Home Edition Scheduler Service;c:\progra~1\gfi\gfibac~1\GFIHSC~1.EXE [2009-7-8 1410856]
S2 gupdate1c9985165b5feae;Google Update Service (gupdate1c9985165b5feae);c:\program files\google\update\GoogleUpdate.exe [2009-2-26 133104]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 BrYNSvc;BrYNSvc;c:\program files\browny02\BrYNSvc.exe [2013-1-25 245760]
S3 cpuz132;cpuz132;\??\c:\docume~1\ray\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\ray\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
.
=============== File Associations ===============
.
FileExt: .reg: Regedit.Document - HKCR\Unknown\Shell=c:\windows\system32\rundll32.exe c:\windows\system32\shell32.dll,OpenAs_RunDLL %1 [default=openas]
ShellExec: Acrobat.exe: print="c:\program files\adobe\acrobat 4.0\acrobat\Acrobat.exe"
ShellExec: Acrobat.exe: printto="c:\program files\adobe\acrobat 4.0\acrobat\Acrobat.exe"
.
=============== Created Last 30 ================
.
2013-08-17 21:59:48 -------- d-----w- C:\1bb7d858529563ae421b1949
2013-08-17 21:35:13 -------- d-----w- C:\571d9f75a08cda6038bb04987d9e6278
2013-08-14 00:20:57 843776 ----a-w- c:\documents and settings\all users\application data\madefender.exe
2013-08-13 16:46:59 7143960 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a990ef55-8bec-4560-9241-b2abc636d9ca}\mpengine.dll
2013-08-12 15:20:35 7143960 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
.
==================== Find3M ====================
.
2013-06-19 02:50:08 211560 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-06-11 20:08:57 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-11 20:08:55 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-08 04:55:44 385024 ----a-w- c:\windows\system32\html.iec
2013-06-07 21:56:06 920064 ----a-w- c:\windows\system32\wininet.dll
2013-06-07 21:56:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-06-07 21:56:05 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-06-04 07:23:02 562688 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 01:40:45 1876736 ----a-w- c:\windows\system32\win32k.sys
2013-05-25 05:17:38 826880 ----a-w- c:\windows\system32\wmvdmod.dll
2010-06-24 20:08:26 69586 ----a-w- c:\program files\Halliburton_Log_Viewer.exe
2010-01-08 18:12:38 529288 ----a-w- c:\program files\smartdraw_10J_FCIXM_setup gantt chart.exe
2008-03-26 14:24:32 9575424 ----a-w- c:\program files\HalliburtonLogViewPro950Install.exe
.
============= FINISH: 22:33:40.68 ===============

Attached Files
File Type: zip ark.zip (25.8 KB)
File Type: zip attach.zip (5.4 KB)
