Security System Protection Control Panel MalWare

By speklbellybeagl
Apr 15, 2008
Topic Status:
Not open for further replies.
  1. I have a system that is infected. From reading posts of others suffering from the same thing, I have downloaded and installed the following software and am prepared to provide any logs that you may need:

    Hijackthis
    Malwarebytes
    Combofix

    Thanks in advance for any help on this :blush:
  2. kritius

    kritius TechSpot Guru Posts: 2,087

    Run all three in this order,

    Malwarebytes,
    ComboFix
    HijackThis

    Make sure that for ComboFix you disconnect from the internet and turn off all your real-time monitoring software, then after it's done turn it back on and reconnect.

    Then attach the logs here
  3. speklbellybeagl

    speklbellybeagl Newcomer, in training Topic Starter

    Thanks for the quick response!!

    Attached are the log files.
  4. kritius

    kritius TechSpot Guru Posts: 2,087

    I'll look at them later, just about to head out.
  5. speklbellybeagl

    speklbellybeagl Newcomer, in training Topic Starter

  6. kritius

    kritius TechSpot Guru Posts: 2,087

    There's a few things that need fixing, but not much. I'm in work at the minute but I'll see if I can write some stuff out in an hour or so.
  7. speklbellybeagl

    speklbellybeagl Newcomer, in training Topic Starter

    Sure, no problem!
  8. kritius

    kritius TechSpot Guru Posts: 2,087

    COMBOFIX-Script

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      File::
      C:\WINDOWS\system32\jgfulgza.exe
      
      Folder::
      C:\Documents and Settings\All Users\Application Data\vopurwlm
      
      Registry::
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "kkbbclyh"=-
      
          
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.


    Try that for now.
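    As an added example (not part of this thread or of ComboFix itself), here is a small Python parser for the CFScript layout used in the post above: `File::`, `Folder::` and `Registry::` sections, where a registry line of the form `"name"=-` means "delete that value". It lets a helper review exactly what a script would touch before it is handed to a user; the sample script is the one from this post, embedded as a constructed string.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the same three directives as the CFScript in this post.
SAMPLE_CFSCRIPT = """File::
C:\\WINDOWS\\system32\\jgfulgza.exe

Folder::
C:\\Documents and Settings\\All Users\\Application Data\\vopurwlm

Registry::
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"kkbbclyh"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")      # e.g. "File::"
KEY_RE = re.compile(r"^\[(.+)\]$")               # e.g. "[HKEY_CURRENT_USER\...]"
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')       # e.g. '"kkbbclyh"=-'

RegEntry = Tuple[str, str, str]  # (key path, value name, "delete" or "set")


def parse_cfscript(text: str) -> Dict[str, List]:
    """Split a CFScript into sections.

    File/Folder sections map to lists of paths; the Registry section maps to
    (key, value_name, action) triples, action being "delete" for the "=-"
    form and "set" for any other right-hand side.
    """
    sections: Dict[str, List] = {}
    current = None       # name of the section being filled
    current_key = None   # last "[...]" key seen inside Registry::
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            sections.setdefault(current, [])
            current_key = None
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        if current != "Registry":
            sections[current].append(line)   # a plain file or folder path
            continue
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        val = VALUE_RE.match(line)
        if not (val and current_key):
            raise ValueError(f"malformed registry line: {line!r}")
        action = "delete" if val.group(2) == "-" else "set"
        sections[current].append((current_key, val.group(1), action))
    return sections
```

Running `parse_cfscript(SAMPLE_CFSCRIPT)` gives one file, one folder and one registry value deletion under the HKCU Run key, which is the complete set of changes the script above asks ComboFix to make.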
  9. speklbellybeagl

    speklbellybeagl Newcomer, in training Topic Starter

    Thank you very much. Did you want to see the log from the last ComboFix scan?
  10. kritius

    kritius TechSpot Guru Posts: 2,087

    Yes please, attach it with a fresh HijackThis log.
  11. speklbellybeagl

    speklbellybeagl Newcomer, in training Topic Starter

    Here you go - thanks for all your help!! :)
  12. kritius

    kritius TechSpot Guru Posts: 2,087

    Just in work now, I'll look over them in a few hours when I'm home.
  13. kritius

    kritius TechSpot Guru Posts: 2,087

    Is this computer connected as part of a network?
  14. speklbellybeagl

    speklbellybeagl Newcomer, in training Topic Starter

    It is just a simple laptop on a network - not a key component or anything.
  15. kritius

    kritius TechSpot Guru Posts: 2,087

    *****************************user Edit*****************************
  16. speklbellybeagl

    speklbellybeagl Newcomer, in training Topic Starter

    Yes, *****************************USER EDIT***************************** It's legit.
  17. kritius

    kritius TechSpot Guru Posts: 2,087

    That's all right then, just had to check.

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    O4 - Startup: Sonic INSTALLit! Setup.lnk = C:\Documents and Settings\diane\Local Settings\Temp\VIES29CB\SETUP.EXE
    O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin.cab

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    Rename HijackThis.exe to speklbellybeagl.exe by doing the following;

    • Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
    • Right-click on the HijackThis.exe
    • Choose from the pull-down menu; "Rename"
    • And now Rename HijackThis.exe to speklbellybeagl.exe
    • When you've renamed HijackThis, open HijackThis again.
    • Take a fresh HijackThis log (click Do a system scan and save a log file)
    • Post the fresh HijackThis log here.

    I would like you to do an online scan so that we can see what else may be in your system.
    Run Kaspersky online scanner
    With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
    Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
    Do not go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


    Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
      o Extended (If available, otherwise use standard)
      o Scan Options:
      o Scan Archives
      o Scan Mail Bases
    • Click OK
    • Under select a target to scan, select My Computer
    • The scan will take a while so be patient and let it run.
    • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As... button (see red arrow below)
    • In the Save as... prompt, select Desktop
    • In the File name box, name the file
    • In the Save as type prompt, select Text file (see below)
    • Include the report in your next post.
  18. speklbellybeagl

    speklbellybeagl Newcomer, in training Topic Starter

    It will probably be Monday when I can get the logs posted. Thanks.
  19. speklbellybeagl

    speklbellybeagl Newcomer, in training Topic Starter

    Here is the newest Hijack log and Kaspersky.
  20. kritius

    kritius TechSpot Guru Posts: 2,087

    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\<======Delete the contents of this folder but not the folder itself

    please carry out the following:
    • Please visit Jotti Online Malware Scan
    • Copy the following line into the white text box:
    • C:\WINDOWS\SYSTEM32\acauth.dll
    • Click Submit.
    • Please post the results of this scan to this thread.
    Note: If the server is busy at the above site, try this alternative site:
    • Go to Virus Total-Upload A File.
    • Copy the following line into the white text box:
    • C:\WINDOWS\SYSTEM32\acauth.dll
    • Click Send.
    • Please post the results of this scan to this thread.
  21. speklbellybeagl

    speklbellybeagl Newcomer, in training Topic Starter

    Jotti Scan

    Here is the jotti scan - I just did a copy/paste of the screen to a doc as I did not see an option to move to a log file.
  22. kritius

    kritius TechSpot Guru Posts: 2,087

    Can you just copy and paste the results into a reply?
  23. speklbellybeagl

    speklbellybeagl Newcomer, in training Topic Starter


    File: acauth.dll
    Status: OK
    MD5: fc2e28bbbfb9bfdccb8669c0e37f64e7
    Packers detected: -
    Bit9 reports: Not analyzed yet (more info)



    Scanner results
    Scan taken on 22 Apr 2008 11:17:17 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing

  24. speklbellybeagl

    speklbellybeagl Newcomer, in training Topic Starter

    Can you read ok?
  25. kritius

    kritius TechSpot Guru Posts: 2,087

    I don't open .doc files from computers I don't know.

    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\WINDOWS\SYSTEM32\acauth.dll
          
    • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.