TechSpot

System Check virus infection

Inactive
By 1neednhelp
Feb 25, 2012
  1. Thank you for being here!

    My computer recently exhibited all the behaviors that others have described from the System Check infection. I run Win XP and AVG free antivirus software.

    I have a 2wire router and firewall; I would like to avoid a reformat. I do online banking and purchasing, so I am concerned about ID and password hacking. If I change passwords after a clean bill of health should I be safe 'enough'?

    I read and followed user joe1's thread and have begun the process of disinfection. I utilized the 'UnHide' utility and I have downloaded Malwarebytes' Anti-Malware from step 2 of the Malware preliminary removal instructions. I have run the Malware scan and the log is inserted below.

    Somewhere in the search for a solution to this problem I saw an application/folder name that was not familiar. I tracked it to a folder added to my 'Programs' folder; a new folder had been added titled 'Avenger'; this folder contained two .exe files: euAciyoajy.exe, IXcnzlWvxKdmKY.exe. These files still existed after running the MWB scan. Probably should burn em huh?

    log:

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.25.02

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    russell :: WINXP_HOME-RR [administrator]

    2/25/2012 12:25:56 AM
    mbam-log-2012-02-25 (00-25-56).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 230699
    Time elapsed: 22 minute(s), 19 second(s)

    Memory Processes Detected: 2
    C:\Documents and Settings\All Users\Application Data\euAciyoajy.exe (Rogue.SystemCheck) -> 2040 -> Delete on reboot.
    C:\Documents and Settings\All Users\Application Data\IXcnzlWvxKdmKY.exe (Rogue.SystemCheck) -> 2608 -> Delete on reboot.

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 12
    HKCR\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494E6CEC-7483-A4EE-0938-895519A84BC7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494E6CEC-7483-A4EE-0938-895519A84BC7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKCR\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.
    HKCR\CLSID\MADOWN (Worm.Magania) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\{F9197A7E-CE10-458e-85F8-5B0CE6DF2BBE} (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Detected: 5
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|euAciyoajy.exe (Rogue.SystemCheck) -> Data: C:\Documents and Settings\All Users\Application Data\euAciyoajy.exe -> Quarantined and deleted successfully.
    HKCU\Control Panel\don't load|scui.cpl (Hijack.SecurityCenter) -> Data: No -> Quarantined and deleted successfully.
    HKCU\Control Panel\don't load|wscui.cpl (Hijack.SecurityCenter) -> Data: No -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Data: 1 -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network|UID (Malware.Trace) -> Data: WINXP_HOME-RR_00036B2E -> Quarantined and deleted successfully.

    Registry Data Items Detected: 19
    HKCU\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|StartMenuLogOff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe tapi.nfo beforeglav) Good: (Explorer.exe) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL|CheckedValue (PUM.Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

    Folders Detected: 1
    C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

    Files Detected: 5
    C:\Documents and Settings\All Users\Application Data\euAciyoajy.exe (Rogue.SystemCheck) -> Delete on reboot.
    C:\Documents and Settings\All Users\Application Data\IXcnzlWvxKdmKY.exe (Rogue.SystemCheck) -> Delete on reboot.
    C:\Program Files\Shared\lib.sig (Adware.Deepdive) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.

    (end)
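The Malwarebytes log above is what a helper actually triages: which items are only marked "Delete on reboot" (still on disk until the restart finishes them), which registry hits are logon persistence (the Run key, Winlogon Shell and Userinit) rather than dropped files, and which ones switched off Security Center notifications or Task Manager. As an added example, not part of this thread and not Malwarebytes' own code, here is a small Python parser for that log format run over a constructed excerpt that reuses the object names from the posted log:

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the format of the Malwarebytes log posted
# above (object names are copied from that log; this is not the full log).
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Memory Processes Detected: 2
C:\Documents and Settings\All Users\Application Data\euAciyoajy.exe (Rogue.SystemCheck) -> 2040 -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\IXcnzlWvxKdmKY.exe (Rogue.SystemCheck) -> 2608 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|euAciyoajy.exe (Rogue.SystemCheck) -> Data: C:\Documents and Settings\All Users\Application Data\euAciyoajy.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 4
HKCU\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe tapi.nfo beforeglav) Good: (Explorer.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 1
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

(end)
"""

SECTION_RE = re.compile(r"^(?P<section>.+?) Detected: (?P<count>\d+)$")
# "<object> (<family>) -> <rest>"; the object may be a file path or "key|value".
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")

# Registry locations that load code at boot/logon: a hit here is persistence.
PERSISTENCE_MARKERS = (r"\CurrentVersion\Run|", r"\Winlogon|Shell",
                       r"\Winlogon|Userinit", r"\Browser Helper Objects")
# Values that blind the user or disable defenses rather than load code.
TAMPERING_MARKERS = (r"\Security Center|", "|DisableTaskMgr")


def parse_mbam_log(text):
    """Return one dict per detection: section, object, family, status,
    and the Bad/Good values for repaired registry data items."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if not (section and m):
            continue  # header, blank, "(No malicious items detected)", "(end)"
        rest = m.group("rest")
        status = rest.split(" -> ")[-1].strip().rstrip(".")
        item = {"section": section, "object": m.group("obj"),
                "family": m.group("family"), "status": status,
                "bad": None, "good": None}
        bg = BAD_GOOD_RE.search(rest)
        if bg:
            item["bad"], item["good"] = bg.group("bad"), bg.group("good")
        items.append(item)
    return items


def pending_reboot(items):
    """Items the scanner could not remove yet; they are still present until reboot."""
    return [i for i in items if i["status"] == "Delete on reboot"]


def persistence_hits(items):
    return [i for i in items if any(mk in i["object"] for mk in PERSISTENCE_MARKERS)]


def tampering_hits(items):
    return [i for i in items if any(mk in i["object"] for mk in TAMPERING_MARKERS)]


def families(items):
    counts = defaultdict(int)
    for i in items:
        counts[i["family"]] += 1
    return dict(counts)


def summarize(items):
    lines = [f"{len(items)} detections, families: {families(items)}"]
    for i in pending_reboot(items):
        lines.append(f"NOT YET REMOVED (needs reboot): {i['object']}")
    for i in persistence_hits(items):
        detail = f" bad={i['bad']!r} good={i['good']!r}" if i["bad"] is not None else ""
        lines.append(f"PERSISTENCE {i['family']}: {i['object']}{detail}")
    for i in tampering_hits(items):
        lines.append(f"DEFENSE TAMPERING {i['family']}: {i['object']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_mbam_log(SAMPLE_LOG)))
```

The Userinit entry is the one to read closely: the "Bad" value appended a second executable after userinit.exe, so it ran at every logon before the user's desktop appeared, and the Stolen.data folder next to it is why changing passwords only after a verified clean state (or a rebuild) is the sensible order.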
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

  3. 1neednhelp

    1neednhelp TS Rookie Topic Starter

    First time here

    I was asked by someone if this issue was addressed last week; No. I just joined yesterday.

    BTW I cannot download DDS. Also many others are having the same problem [searching with Google].
     
  4. 1neednhelp

    1neednhelp TS Rookie Topic Starter

  5. 1neednhelp

    1neednhelp TS Rookie Topic Starter

    Step 3

    results from GMER below.

    I cannot perform step 4 because the link leads to a blank page. Other searches lead to 'page not found' or non-responsive links.


    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-02-25 15:54:17
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3200826A rev.3.03
    Running: gmer.exe; Driver: C:\DOCUME~1\russell\LOCALS~1\Temp\kglyaaog.sys


    ---- System - GMER 1.0.15 ----

    SSDT sput.sys ZwCreateKey [0xF77100E0]
    SSDT sput.sys ZwEnumerateKey [0xF7728DA4]
    SSDT sput.sys ZwEnumerateValueKey [0xF7729132]
    SSDT sput.sys ZwOpenKey [0xF77100C0]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xF7BC4738]
    SSDT sput.sys ZwQueryKey [0xF772920A]
    SSDT sput.sys ZwQueryValueKey [0xF772908A]
    SSDT sput.sys ZwSetValueKey [0xF772929C]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xF7BC47DC]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xF7BC4878]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xF7BC4914]

    INT 0x62 ? 86BD7BF8
    INT 0x82 ? 86BD7BF8
    INT 0xB4 ? 869F7BF8
    INT 0xB4 ? 869F7BF8
    INT 0xB4 ? 869F7BF8
    INT 0xB4 ? 869F7BF8
    INT 0xB4 ? 869F7BF8
    INT 0xB4 ? 869F7BF8

    ---- Kernel code sections - GMER 1.0.15 ----

    ? sput.sys The system cannot find the file specified. !
    .text USBPORT.SYS!DllUnload F6AA88AC 5 Bytes JMP 869F71D8
    .text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xF009D400, 0x7A186, 0xE8000020]
    .protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0xF013BA20] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0xF013BA20]
    .protectÿÿÿÿhardlockunknown last code section [0xF013B800, 0x5041, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xF013B800, 0x5041, 0xE0000020]

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 86B6A2D8
    IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F773BDDC] sput.sys
    IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F773BE30] sput.sys
    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7711042] sput.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F771113E] sput.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F77110C0] sput.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F7711800] sput.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F77116D6] sput.sys
    IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 869F72D8
    IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7720B90] sput.sys

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 86B661F8

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

    Device \FileSystem\Fastfat \FatCdrom 86120500

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\NetBT \Device\NetBT_Tcpip_{D28D6022-32D0-4E17-BABF-0ABA6A535E23} 86126500
    Device \Driver\usbuhci \Device\USBPDO-0 868C71F8
    Device \Driver\usbuhci \Device\USBPDO-1 868C71F8
    Device \Driver\usbuhci \Device\USBPDO-2 868C71F8
    Device \Driver\usbuhci \Device\USBPDO-3 868C71F8
    Device \Driver\usbehci \Device\USBPDO-4 869E01F8

    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\Ftdisk \Device\HarddiskVolume1 86B681F8
    Device \Driver\Cdrom \Device\CdRom0 868CA340
    Device \Driver\Ftdisk \Device\HarddiskVolume2 86B681F8
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F768AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort0 [F768AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort1 [F768AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F768AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\Ftdisk \Device\HarddiskVolume3 86B681F8
    Device \Driver\NetBT \Device\NetBt_Wins_Export 86126500
    Device \Driver\NetBT \Device\NetbiosSmb 86126500

    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\usbuhci \Device\USBFDO-0 868C71F8
    Device \Driver\usbuhci \Device\USBFDO-1 868C71F8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8612B500
    Device \Driver\usbuhci \Device\USBFDO-2 868C71F8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 8612B500
    Device \Driver\usbuhci \Device\USBFDO-3 868C71F8
    Device \Driver\usbehci \Device\USBFDO-4 869E01F8
    Device \Driver\Ftdisk \Device\FtControl 86B681F8
    Device \FileSystem\Fastfat \Fat 86120500

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

    Device \FileSystem\Cdfs \Cdfs 869021F8

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4F 0xFF 0xB4 0xD3 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBB 0x91 0x43 0x3D ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x82 0xA5 0x56 0xDD ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4F 0xFF 0xB4 0xD3 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBB 0x91 0x43 0x3D ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x82 0xA5 0x56 0xDD ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xE9 0x02 0x6C 0xFA ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x97 0x20 0x4E 0x9A ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xB2 0x46 0x9A 0xE2 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

    ---- EOF - GMER 1.0.15 ----
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sorry for the name mix-up; that was my fault; I will sharpen my wits. There has also been a glitch on the board and the email feedback for replies hasn't been getting through.

    The problem I'm seeing with these rogues is that the users are 'diagnosing' the problem themselves, but not giving us any information on the problems they are experiencing. There are several very active rogue programs now and while some of the symptoms are the same, they don't all have the same 'fix'.

    We try to make it clear not to follow directions given to someone else> such as:
    You also made a comment regarding this program:
    You have assumed that this is 'bad' because 1. you don't recognize it and 2. it has 2 'strange' .exe files that you thought Mbam should remove.
    The Avenger is a legitimate program that we sometimes use in a cleaning.

    The 2 .exe files you ask about are processes from the Rogue SystemCheck. Although they show 'deleted on boot' there may be additional processes related:
    C:\Documents and Settings\All Users\Application Data\euAciyoajy.exe (Rogue.SystemCheck) -> Delete on reboot.
    C:\Documents and Settings\All Users\Application Data\IXcnzlWvxKdmKY.exe (Rogue.SystemCheck) -> Delete on reboot.

    There are also registry entries for each in Mbam

    As for this question:
    I can't answer that. Your system is heavily infected with several different malwares> Worms, Trojans, StolenData, SystemCheck and also Backdoor.bot:

    What is a Backdoor.bot?
    And yes- it makes Registry changes to the firewall, the Security Center. It can do or cause:
    1. Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute Denial-of-service attacks)
    2. Data theft (e.g. retrieving passwords or credit card information)
    3. Installation of software, including third-party malware
    4. Downloading or uploading of files on the user's computer
    5. Modification or deletion of files
    6. Keystroke logging
    7. Watching the user's screen
    8. Wasting the computer's storage space
    9. Crashing the computer

    Being advised of this, would you rather consider a reformat/reinstall instead of an attempt to clean which may not find or remove all of its code?
     
  7. 1neednhelp

    1neednhelp TS Rookie Topic Starter

    Should I go or should I stay?

    All other issues are moot if I cannot safely save my data. I can reinstall the 20 programs I use ... but if I have to throw away all my work from the last 15 years because of undetectable viri then please let me know that now !!!

    Obviously AVG didn't stop this, and joe1 used Microsoft Security Essentials and it didn't prevent infections ... what's a person to do?

    Also, I have an external hard drive that I only plug in occasionally to do backups. I haven't done so in 5-6 months. How do I ensure that it won't be/isn't corrupted?


    Did I do wrong? I started the disinfection by running Unhide and following the 5-steps preliminary process.

    I did move the 2 strange files and change the suffix from ".exe" to ".executed". I did do this before I ran Gmer - did this prevent the discovery process from functioning?
     
  8. 1neednhelp

    1neednhelp TS Rookie Topic Starter

    DDS by sUBS

    I mentioned that I cannot download the DDS program; I have also tried using my son's laptop. The links in the 5-steps open a blank page only. Searches on Google lead to other sites but no action happens when I click the download button.

    What to do?

    Also, since I momentarily renamed those exe programs [which I have put back] do I need to start the process over?
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The time to back up is before you need it. If you have 15 years of work on a system with none of it backed up, you may very well lose some of it. There was an uncanny name mix-up followed by a glitch in the board that caused email notifications not to go out. You have 4 posts, all made the same day. I didn't get the notice- I thought I had found all the threads I had.

    Part of the problem is because you followed directions meant only for someone else. And you had changed file extensions, which made the scan to fix that problem ineffective.

    I also tried to help you understand that your system may have been compromised, documenting what the effects could be. I clearly asked you if you were ready to risk the loss of personal information, passwords, etc. etc. All you did was tell me you didn't want to lose 15 years of work, which I explained, could now be corrupted.

    You want someone to blame for the malware. I can't give you that answer.

    In my opinion, I am advising you to reformat, then reinstall.
    Save files you want and put them in a folder with .old at the end. When you start up again, do a right click and have the AV scan before putting it back on the system.
     
  10. 1neednhelp

    1neednhelp TS Rookie Topic Starter

    awaiting help

    Bobbye ... thank you for the direct answer at the bottom of your reply. You haven't answered about DDS.

    But you overlooked my statement in the earlier post : "Also, I have an external hard drive that I only plug in occasionally to do backups. I haven't done so in 5-6 months. How do I ensure that it won't be/isn't corrupted." I was asking for civil comments about my data. I do not know where viruses hide so I was asking if the data was easily saveable.

    I find it very frustrating to work with a defensive personality. "Fault"??? You are doing fine with that!

    cheers
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I had hoped this comment:
    and the information I provided about the Backdoor.bot would lead you to understand the meaning of my question:
    Somehow I didn't get over the point that your system in all probability had been compromised and some files corrupted. This would include personal files:
    The fact that you followed directions given to someone else and changed some file extensions put another obstacle in the way of cleaning the system.

    I find the link for DDS working Okay. Here is the URL for it: http://download.bleepingcomputer.com/sUBs/dds.scr

    If the .scr version won't load the program: It's possible that the malware is blocking the .scr file extension.
    Please download this file: xp_scr_fix

    Unpack (unzip) the file onto your desktop and double-click it. You will be asked if you wish to merge the file with your registry, say Yes.

    You should then be able to run DDS.scr. It's the .scr file extension causing the problem.

    But it is a moot point now.
    --------------------------
    Pages not loading or 'unresponsive' may be a server or connection problem. And although some malware entries can be seen and removed, someone can actually be observing the screen on your system.
    ============================
    Worm.Magania:
    Sets the drive to autoplay by creating autorun.inf file in its root directory. If the drive is shared across the network then other remote computers can be infected any time they try to access this share.
    Downloads/requests other files from Internet.
    Modifies some system settings that may have negative impact on overall system security state. (your security has been disabled)
    Creates a startup registry entry.
    Contains characteristics of an identified security risk.
    Risk: Severe
    ==============================
    Password-stealing Trojan, Trojan that steals data
    ================================
    Trojan.Sasfis typically arrives on the computer through one of the following methods:
    Spam email, Drive-by downloads
    Trojan.Sasfis is a Trojan horse that opens a back door on the compromised computer.
    It may arrive as a spammed email. Once executed, it injects itself into processes running on the computer so that it can operate stealthily. It may then download more files on to the compromised computer.

    Backdoor.bot info previously given.
    ===============================
    Going by the extent of the malware, you have most likely been getting it for a while. The drive you used for backup may also be infected. It should be disinfected:

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
    I hope I have now addressed your questions. I cannot give you any guarantees about what you asked: "Is changing passwords enough?" and "How can I make sure the backup drive I haven't used for 5-6 months won't get infected or corrupt?"

    But I do recommend that you take action soon.
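Bobbye's note that Flash_Disinfector leaves a hidden folder named autorun.inf on each drive describes a simple hardening trick: a directory and a file cannot share a name, so a worm that tries to write its autorun.inf file at the drive root fails. As an added example (not Flash_Disinfector's code and not from the thread), the following Python checks a drive root for an existing autorun.inf file, lists the directives in it that would make Explorer launch something, and creates the blocking folder when nothing is there. The sample autorun.inf and the executable name in it are constructed placeholders.

```python
import ctypes
import os
import tempfile
from pathlib import Path

# Constructed sample of the kind of autorun.inf a worm drops at a drive root.
# RECYCLER\EXAMPLE_DROPPER.exe is a placeholder, not a file named in the thread.
SAMPLE_AUTORUN = """[autorun]
; comment lines like this are ignored
open=RECYCLER\\EXAMPLE_DROPPER.exe
shellexecute=RECYCLER\\EXAMPLE_DROPPER.exe
shell\\open\\command=RECYCLER\\EXAMPLE_DROPPER.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def parse_autorun(text):
    """Return key=value pairs from the [autorun] section, keys lower-cased."""
    directives, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()
    return directives


def launch_directives(directives):
    """Keep only the keys that cause code to run: open, shellexecute and
    any shell\\<verb>\\command entry; icon/label are cosmetic."""
    return {k: v for k, v in directives.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))}


def autorun_status(root):
    """'file' = an autorun.inf file is present (suspect on a data drive),
    'protected' = a directory occupies the name, 'absent' = nothing there."""
    p = Path(root) / "autorun.inf"
    if p.is_dir():
        return "protected"
    if p.exists():
        return "file"
    return "absent"


def protect_root(root):
    """Occupy the autorun.inf name with a directory so a file cannot be
    created there. Returns True if created, False if anything already exists
    (an existing file is left for the analyst to inspect, not overwritten)."""
    p = Path(root) / "autorun.inf"
    if p.exists():
        return False
    p.mkdir()
    if os.name == "nt":
        # FILE_ATTRIBUTE_READONLY | HIDDEN | SYSTEM = 0x1 | 0x2 | 0x4, which is
        # what makes the folder "hidden" as Bobbye describes.
        ctypes.windll.kernel32.SetFileAttributesW(str(p), 0x7)
    return True


def run_demo():
    """Exercise both paths on two temporary 'drive roots'."""
    infected = tempfile.mkdtemp(prefix="usb_infected_")
    clean = tempfile.mkdtemp(prefix="usb_clean_")
    Path(infected, "autorun.inf").write_text(SAMPLE_AUTORUN)
    result = {
        "infected_status": autorun_status(infected),
        "infected_launch": launch_directives(
            parse_autorun(Path(infected, "autorun.inf").read_text())),
        "clean_before": autorun_status(clean),
        "clean_created": protect_root(clean),
    }
    result["clean_after"] = autorun_status(clean)
    result["clean_second_attempt"] = protect_root(clean)
    return result


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")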
     
     

