PDA

View Full Version : "System Security" Malware (Inactive)


susqsue
2009-08-05, 10:25
This evening my daughters laptop got infected with a malware program called "System Security". I've spent the last 3 hours trying to learn about this as well as find a removal tool for it. But this program is preventing us from downloading any kind of removal tool. After numerous attempts I finally got away around it to run her Spybot and Spybot is not picking up this malware on her laptop. I did find a previous post (from July) but it appears that the poster did not follow through... your response to her same questions was the following:

From Blade81:
I need to see some logs first to get clearer picture of the situation.

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.


I followed this advise and attached is what these logs showed.

Can you offer any help on removing this malware before we end up taking the laptop in and wiping it clean and reinstalling her OS???



DDS (Ver_09-07-30.01) - NTFSx86
Run by User at 2:28:28.29 on Wed 08/05/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.161 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\KFSH0JW9\dds[1].com
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = us.mc500.mail.yahoo.com/mc/welcome?.gx=1&.rand=cep4mn0dnba5n
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [19931094] c:\documents and settings\all users\application data\19931094\19931094.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [SpyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246505754578
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-16 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-16 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-16 108552]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2009-3-19 4442]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-7-16 907032]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-16 298776]
S2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2009-3-19 53248]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-8-5 348752]

=============== Created Last 30 ================

2009-08-05 02:00 <DIR> --d----- c:\program files\Enigma Software Group
2009-08-05 00:56 <DIR> --d----- c:\program files\common files\PC Tools
2009-08-05 00:56 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-08-05 00:56 <DIR> --d----- c:\program files\Spyware Doctor
2009-08-05 00:56 <DIR> --d----- c:\docume~1\user\applic~1\PC Tools
2009-08-05 00:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-08-04 23:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\19931094
2009-07-27 12:32 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-07-27 12:32 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-07-27 12:32 9,600 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-07-27 12:32 9,600 a------- c:\windows\system32\drivers\hidusb.sys
2009-07-27 12:32 31,616 ac------ c:\windows\system32\dllcache\usbccgp.sys
2009-07-27 12:32 31,616 a------- c:\windows\system32\drivers\usbccgp.sys
2009-07-21 22:22 <DIR> --d----- c:\program files\MSXML 6.0
2009-07-21 22:20 <DIR> --d----- c:\program files\MSXML 4.0
2009-07-21 15:16 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-07-21 15:12 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-07-21 15:12 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-07-21 15:12 2,136,064 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-07-21 15:12 2,180,480 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-07-21 15:12 2,015,744 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-07-21 15:12 2,057,728 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-07-21 15:09 453,632 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-07-16 16:49 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-07-16 16:17 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-07-16 16:17 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-16 16:17 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-16 16:17 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-07-16 16:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-07-16 16:17 <DIR> --d----- c:\program files\AVG
2009-07-16 16:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-07-16 16:17 <DIR> --d----- c:\windows\SxsCaPendDel
2009-07-16 14:54 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-16 14:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2009-06-26 12:18 659,456 a------- c:\windows\system32\wininet.dll
2009-06-26 12:18 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-16 10:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-03 15:27 1,290,752 a------- c:\windows\system32\quartz.dll
2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll

============= FINISH: 2:30:19.53 ===============
katana
2009-08-07, 15:48
Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Failure to reply within 5 days will result in the topic being closed.
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly http://www.countingcows.de/laechel.gif

Some of the logs I request will be quite large, You may need to split them over a couple of replies.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------

Information

Please can you post the logs rather than attaching them, it makes it easier.

The following program/s are regarded as either "Rogue", being bundled with "Adware" or having dubious reputations

Spy Hunter (http://www.spywarewarrior.com/rogue_anti-spyware.htm#sh_note) << Used to be listed as Rogue

I recommend that you remove Via Add/Remove Programs

----------------------------------------------------------------------------------------
Step 1

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (http://neoshine.co.uk/mina/Downloads/GoodAS-Installer.exe) to your desktop.

( I have renamed the file as some infections will try and block the install )

Double-click GoodAS-Installer.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
Update Malwarebytes' Anti-Malware
and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
If requested, please reboot
If you accidently close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt





----------------------------------------------------------------------------------------
Step 2

SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
Double click Sysprot.exe to start the program.
Click on the Log tab. In the Write to log box select all items.
Click on the Create Log button on the bottom right.
After a few seconds a new window should appear.
Select Scan Root Drive. Click on the Start button.
When it is complete a new window will appear to indicate that the scan is finished.
The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.


----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.

MalwareBytes Log
Sysprot Log
How are things running now ?
susqsue
2009-08-09, 02:33
Well, I'm finding that this "system security" malware is not allowing me to open ANY file or folder that might possibly have the means to be used against it.

After numerous attempts, I was finally able to download the Malwarebytes
AntiMalware program, but it would not let me install it on her laptop. Nor will it let me open up her Spybot nor the "Add/Remove programs" in her control panel.

I was able to download and install the Malwarebytes Antimalware file onto her desktop. So now I'm wondering if I use a cable with both ends being USB, could I connect her laptop to her desktop and then have her desktop Malwarebytes scan her laptop as another hard drive?
katana
2009-08-09, 03:48
I wouldn't recommend connecting the infected machine to another one.

Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it look.bat Please save it on your desktop.



@Echo Off
For /R "%AllUsersProfile%" %%G in (*) DO (
Echo %%~nG|Findstr /R "[A-Za-z]" > nul || Echo %%~nG|Findstr /R "[0-9]">nul&& Echo %%~pG|findstr "%%~nG">nul&& echo %%~dpG>> "%temp%\FTD.txt"
)
If not exist "%Temp%\FTD.txt" echo Nothing Found>>"%Temp%\FTD.txt"
Notepad "%Temp%\FTD.txt"
del /q %0

Double click on look.bat
Please be patient, as this will search the entire disc

Notepad will open, please copy/paste the results here.
katana
2009-08-13, 03:59
Due to inactivity, this thread will now be closed.

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.