Results 1 to 3 of 3

Thread: Infected with Antispyware Soft

  1. #1
    Junior Member
    Join Date
    Jan 2009
    Posts
    10

    Default Infected with Antispyware Soft

    Hello,

    This evening my computer was infected with Antivirus Soft. It was exhibiting all the signs: fake security warnings, fake system scan screen, all programs disabled, IE redirects to Antivirus Soft webpage, etc etc.

    I was able to open task manager and kill the .exe file. After which I went to msconfig and disabled it from the start-up list. I then went to %Documents and Settings%\user\Local Settings\Application Data\[random string] and delted the exe. (It was named some jibberish, [random string].exe.

    Sadly, this is my work computer which puts me in even more of a bind. I would take this to our IT department, however we no longer have IT support in-house and now have to wait for a remote technician to make a visit. (I had to wait over a month for them just to send someone out to switch the extension on my phone when I moved desks). I would greatly appreciate it if someone could help. Thanks in advance!

    As instructed here's the DDS log and the Attach.txt in a .zip.


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by user at 22:09:32.13 on Wed 06/02/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.119 [GMT -6:00]

    AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {860E5DC2-3A32-441D-AEED-A06D4F3C3FC0}
    AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {07526210-19C0-48AC-8EB0-B15A9C95859C}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\CATPC\CATSYS\CatSystemSvc.exe
    C:\Program Files\Siemens\CAT Bulletin Board\CBBS.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Java\jre1.6.0_17\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\OfficeScan NT\ntrtscan.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\Program Files\OfficeScan NT\tmlisten.exe
    C:\Program Files\OfficeScan NT\CNTAoSMgr.exe
    C:\WINDOWS\TEMP\KVBA23.EXE
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Siemens\CAT Bulletin Board\CBB.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Siemens\CardOS API\bin\siecacst.exe
    C:\Program Files\OfficeScan NT\Pccntmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Documents and Settings\user\Desktop\dds.com

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uWindow Title = Windows Internet Explorer provided by Siemens
    uStart Page = https://intranet.industry.usa.siemens.com
    uDefault_Page_URL = https://intranet.industry.usa.siemens.com
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    mWinlogon: Userinit=CatUInit
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - Java(tm) Plug-In SSV Helper
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre1.6.0_17\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre1.6.0_17\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    uRun: [CatUserRun] exec32 /wh /c chgreg5 /c
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    mRun: [USM] c:\program files\siemens\usm\USM.exe
    mRun: [SIECACST] c:\program files\siemens\cardos api\bin\siecacst.exe
    mRun: [OfficeScanNT Monitor] "c:\program files\officescan nt\Pccntmon.exe" -HideWindow
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
    mRun: [<NO NAME>]
    mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"
    dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\firewa~1.lnk - c:\program files\microsoft firewall client\ISATRAY.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\multim~1.lnk - c:\program files\mmtaskbar\MultiMon.exe
    uPolicies-explorer: NoActiveDesktop = 1 (0x1)
    uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    uPolicies-explorer: NoThumbnailCache = 1 (0x1)
    uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
    uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
    uPolicies-explorer: NoResolveTrack = 1 (0x1)
    uPolicies-explorer: GreyMSIAds = 1 (0x1)
    uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
    uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
    uPolicies-explorer: NoAutoUpdate = 1 (0x1)
    uPolicies-explorer: StartRunNoHOMEPATH = 1 (0x1)
    uPolicies-system: ConnectHomeDirToRoot = 0 (0x0)
    uPolicies-system: HideLogonScripts = 0 (0x0)
    mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
    mPolicies-explorer: NoPublishingWizard = 1 (0x1)
    mPolicies-explorer: NoWebServices = 1 (0x1)
    mPolicies-explorer: NoOnlinePrintsWizard = 1 (0x1)
    mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
    mPolicies-system: RunStartupScriptSync = 1 (0x1)
    mPolicies-system: MaxGPOScriptWait = 1800 (0x708)
    mPolicies-system: HideShutdownScripts = 0 (0x0)
    dPolicies-explorer: NoActiveDesktop = 1 (0x1)
    dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    dPolicies-explorer: NoWindowsUpdate = 0 (0x0)
    IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
    IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    LSP: c:\program files\microsoft firewall client\wspwsp.dll
    Trusted Zone: authoria.com
    Trusted Zone: authoria.com\si-salplan
    Trusted Zone: cexp.com\*.ib2b
    Trusted Zone: extremelearning.com
    Trusted Zone: hewitt.com\*.resources
    Trusted Zone: learnatsiemens.com
    Trusted Zone: microsoft.com
    Trusted Zone: monsoon5.com
    Trusted Zone: netglearning.com
    Trusted Zone: sap-ag.de
    Trusted Zone: sap.com
    Trusted Zone: siemenshealthservices.com
    Trusted Zone: skilldialogue.com
    Trusted Zone: skillport.com
    Trusted Zone: skillsoft.com
    Trusted Zone: skillwsa.com
    Trusted Zone: vinimaya.com\*.siemens
    Trusted Zone: authoria.com
    Trusted Zone: authoria.com\si-salplan
    Trusted Zone: cexp.com\*.ib2b
    Trusted Zone: extremelearning.com
    Trusted Zone: hewitt.com\*.resources
    Trusted Zone: learnatsiemens.com
    Trusted Zone: microsoft.com
    Trusted Zone: monsoon5.com
    Trusted Zone: netglearning.com
    Trusted Zone: sap-ag.de
    Trusted Zone: sap.com
    Trusted Zone: siemenshealthservices.com
    Trusted Zone: skilldialogue.com
    Trusted Zone: skillport.com
    Trusted Zone: skillsoft.com
    Trusted Zone: skillwsa.com
    Trusted Zone: vinimaya.com\*.siemens
    DPF: {41E6DDD6-FBD6-4718-80F7-9B160533C2F5} - hxxp://inet16.sbt.siemens.com/esonline/cabs/IGToolbars50.cab
    DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18}
    DPF: {B3014671-7872-4671-BE73-5D05EB5B2AF5} - hxxp://inet16.sbt.siemens.com/esonline/cabs/IGUltraGrid20.CAB
    DPF: {B63EA811-FF25-4211-A6D2-58BF767432E1} - hxxp://inet16.sbt.siemens.com/esonline/cabs/pictureloader.cab
    DPF: {CAFECAFE-0013-0001-0009-ABCDEFABCDEF}
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CC696B63-4159-11D0-BDCB-0020A90B183A} - hxxp://usbgresw01/esonline/cabs/PVDATECAL9.CAB
    DPF: {F0D96671-A5CE-4854-AE49-6835742D232F} - hxxp://inet16.sbt.siemens.com/esonline/cabs/IGThreed40.cab
    Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
    Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ============= SERVICES / DRIVERS ===============

    R2 CatSystemSvc;CatSystem;c:\windows\catpc\catsys\CatSystemSvc.exe [2009-1-27 607744]
    R2 CBBS;CAT Bulletin Board;c:\program files\siemens\cat bulletin board\CBBS.exe [2002-6-20 65536]
    R2 TmFilter;Trend Micro Filter;c:\program files\officescan nt\TmXPFlt.sys [2008-8-15 230928]
    R2 TmPreFilter;Trend Micro PreFilter;c:\program files\officescan nt\tmpreflt.sys [2008-8-15 36368]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]
    S3 AsyncSvc;Insight AsyncSvc;c:\commtool\system\asyncsvc.exe [2009-7-27 601344]
    S3 BACnetClientSvc;Insight BACnetClientSvc;c:\commtool\system\bacin.exe [2009-7-27 306432]
    S3 BACnetServerSvc;Insight BACnetServerSvc;c:\commtool\system\bnsvc.exe [2009-7-27 1015040]
    S3 CrossTrunkService;Insight CrossTrunkService;c:\commtool\system\xtsvc.exe [2009-7-27 224512]
    S3 EventLogSvc;Insight EventLogSvc;c:\commtool\Eventlog.exe [2009-7-27 150784]
    S3 EventPrtSvc;Insight EventPrtSvc;c:\commtool\Eventptr.exe [2009-7-27 138496]
    S3 GlobalTablesService;Insight GlobalTablesService;c:\commtool\system\gtsvc.exe [2009-7-27 437504]
    S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2010-6-1 24576]
    S3 Insight DBCSServer;Insight DBCSServer;c:\commtool\system\InsightDBCSServer.exe [2009-7-27 1838336]
    S3 Insight MonitorSvc;Insight MonitorSvc;c:\commtool\system\monitor.exe [2009-7-27 81152]
    S3 Insight RENOServer;Insight RENOServer;c:\commtool\system\InsightRENOServer.EXE [2009-7-27 494848]
    S3 LoaderSvc;Insight LoaderSvc;c:\commtool\system\loader.exe [2009-7-27 740608]
    S3 ooams-3;Objectivity AMS;c:\commtool\system\dbmanagr\ooams.exe [2007-10-15 24576]
    S3 ools-13;Objectivity Lock Server;c:\commtool\system\dbmanagr\ools.exe [2007-10-15 98304]
    S3 ResidentPointSvc;Insight ResidentPointSvc;c:\commtool\RPMonitor.exe [2009-7-27 195840]
    S3 SchedulerSvc;Insight SchedulerSvc;c:\commtool\Schedsrv.exe [2009-7-27 97536]
    S3 SoftControllerSvc;Insight Softcontroller Service;c:\commtool\system\vfpsvc.exe [2009-7-27 118080]
    S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\officescan nt\TmProxy.exe [2008-7-2 652552]
    S4 SentinelLM;SentinelLM;c:\program files\siemens\apogee\common\lservnt.exe [2006-7-12 577536]

    ============== File Associations ===============

    .scr=AutoCADScriptFile

    =============== Created Last 30 ================

    2010-06-01 20:01:28 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ANDROIDUSB_01007.Wdf
    2010-06-01 20:01:26 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
    2010-06-01 20:00:58 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
    2010-06-01 14:57:24 0 d-----w- c:\docume~1\user\applic~1\Teleca
    2010-06-01 14:56:04 0 d-----w- c:\program files\common files\Teleca Shared
    2010-06-01 14:53:42 24576 ----a-w- c:\windows\system32\drivers\ANDROIDUSB.sys
    2010-06-01 14:53:42 1122664 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
    2010-06-01 14:53:33 0 d-----w- c:\program files\Spirent Communications
    2010-06-01 14:53:20 0 d-----w- c:\program files\HTC
    2010-06-01 14:50:10 0 d-----w- c:\windows\Downloaded Installations
    2010-05-12 16:18:08 667648 ----a-w- c:\windows\system32\BCMLogon.dll
    2010-05-12 16:18:08 424320 ----a-w- c:\windows\system32\drivers\BCMWL5.SYS
    2010-05-12 16:17:54 69632 ----a-w- c:\windows\system32\bcmwlpkt.dll
    2010-05-12 16:17:54 33664 ----a-w- c:\windows\system32\drivers\BCMWLNPF.SYS
    2010-05-12 16:17:54 253952 ----a-w- c:\windows\system32\bcmwlu00.exe
    2010-05-12 16:17:54 1200128 ----a-w- c:\windows\system32\BCMWLTRY.EXE
    2010-05-12 16:17:47 3096576 ----a-w- c:\windows\system32\BCMWLCPL.CPL
    2010-05-12 16:17:46 757760 ----a-w- c:\windows\system32\bcm1xsup.dll
    2010-05-12 16:17:46 44032 ----a-w- c:\windows\system32\wltrynt.dll
    2010-05-12 16:17:46 18944 ----a-w- c:\windows\system32\WLTRYSVC.EXE
    2010-05-12 16:17:46 1347584 ----a-w- c:\windows\system32\WLTRAY.EXE
    2010-05-12 16:17:45 86016 ----a-w- c:\windows\system32\preflib.dll
    2010-05-12 16:17:45 2129920 ----a-w- c:\windows\system32\WLBCGCBPRO731.DLL
    2010-05-12 16:16:20 0 d-----w- C:\DELL
    2010-05-04 20:58:17 62196 ---ha-w- c:\windows\system32\mlfcache.dat

    ==================== Find3M ====================

    2010-05-28 20:59:56 17920 ----a-w- c:\documents and settings\user\KWDCACHE.DAT
    2010-05-28 14:45:29 3584 -c--a-w- c:\documents and settings\user\netcache.dat
    2010-05-06 22:17:51 3072 ----a-w- c:\documents and settings\user\cdcache.dat
    2010-04-08 19:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-04-08 19:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

    ============= FINISH: 22:10:56.39 ===============
    Attached Files Attached Files

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    32,728

    Default

    Hello capulinflicker,
    Quote Originally Posted by capulinflicker View Post
    Sadly, this is my work computer which puts me in even more of a bind. I would take this to our IT department, however we no longer have IT support in-house and now have to wait for a remote technician to make a visit. (I had to wait over a month for them just to send someone out to switch the extension on my phone when I moved desks). I would greatly appreciate it if someone could help. Thanks in advance!
    I'm afraid our volunteers cannot take this on.
    Note:
    When the infected computer in question is a company machine in the workplace, or you are an employee.


    The intention of this forum is not to replace a company's IT department, nor can we anticipate alterations or configurations that may have been made to a business machine, or how it will interact with the tools commonly used in the removal of malware.

    The majority of the tools used in this forum are only free for Home Users and only tested on Home machines, they may well change settings that are required for a Company network. Another consideration is that company information may show in the logs.

    More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

    To prevent any possible loss or corruption of company information, please inform your IT Professional or Supervisor when a workplace computer has been infected, immediately.

    It's not that we don't want to help, but there are too many issues that could arise from a networked company machine that malware forum volunteers are not experienced in dealing with.
    http://forums.spybot.info/showpost.p...12&postcount=5

    Best regards,
    Microsoft MVP. Consumer Security 2006-2014


  3. #3
    Junior Member
    Join Date
    Jan 2009
    Posts
    10

    Default

    I thought this might be the case. Sigh. Oh well, thanks anyway.
    Mods, you may delete this thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •