fraud.windowsProtection suite



zambony4life
2010-08-15, 23:31
Hi, I am trying to fix my boss's computer and I had a problem with Wireshark Antivirus or something like that, and it was keeping me from running Spybot. I downloaded Malwarebytes and used it in safe mode to take care of that problem, reinstalled Spybot and found fraud.windowsProtection suite (12 problems) and microsoft.Windows.redirected hosts (3 problems). I'm trying to keep the computer unplugged from the internet and have another one at my disposal. I plugged the infected one in, backed up with ERUNT and did the DDS log. I would like to thank you in advance for any help.

Here is the DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Dale at 13:19:40.62 on Sun 08/15/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.578 [GMT -7:00]

AV: My Security Shield *On-access scanning enabled* (Updated) {A0E4605E-BE01-4123-8C83-50D024175D21}
FW: My Security Shield *enabled* {7D743688-DA84-44DA-B0D5-9214FACDC904}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dale\Local Settings\Temporary Internet Files\Content.IE5\A9FZYD6T\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: ADC PlugIn: {19090308-636d-4e9b-a1ce-a647b6f794bf} - c:\program files\shk_v10.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\dale\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
IFEO: image file execution options - svchost.exe
Hosts: 127.0.0.1 www.spywareinfo.com (http://www.spywareinfo.com)
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 secure-plus-payments.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-10 135664]

=============== Created Last 30 ================

2010-08-15 19:13:02 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-08-15 18:49:00 0 d-----w- c:\docume~1\dale\applic~1\Malwarebytes
2010-08-15 18:48:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-15 18:48:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-15 18:48:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-15 18:48:48 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-15 18:40:47 0 d-----w- C:\Wireshark Antivirus
2010-08-14 16:41:25 0 d-----w- c:\windows\pss
2010-08-14 07:38:39 1550 ----a-w- C:\Wireshark Antivirus.lnk
2010-08-14 05:41:16 0 d-----w- c:\program files\scdata
2010-08-14 05:36:50 98304 ----a-w- c:\program files\conhost.exe
2010-08-14 05:36:48 372224 ----a-w- c:\program files\shk_v10.dll
2010-08-14 05:36:46 60 ----a-w- c:\program files\sh4.dat
2010-08-14 05:36:46 2 ----a-w- c:\program files\sh3.dat
2010-08-14 05:36:44 0 d-----w- c:\program files\Wireshark Antivirus
2010-08-14 05:36:33 0 ----a-w- c:\program files\qtime8_32.exe
2010-08-11 06:24:04 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-08-11 06:22:15 0 d-----r- c:\program files\Skype
2010-08-10 03:36:29 0 d-sh--w- c:\documents and settings\dale\IECompatCache
2010-08-05 00:41:51 0 d-sh--w- c:\docume~1\dale\applic~1\My Security Shield
2010-08-05 00:41:49 0 d-sh--w- c:\docume~1\alluse~1\applic~1\MSZIHTGGS
2010-08-05 00:41:31 0 d-sh--w- c:\docume~1\alluse~1\applic~1\510cd2d
2010-07-30 01:11:52 0 d-----w- c:\program files\test
2010-07-30 01:11:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-01-30 18:38:40 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010013020100131\index.dat

============= FINISH: 13:20:04.59 ===============


I am trying to fix my boss's computer

Personal computers or..... (http://forums.spybot.info/showpost.php?p=25712&postcount=5)

ken545
2010-08-22, 15:19


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.


Sorry for the delay, but the forums are very busy.


Download the HostsXpert 4.3 - Hosts File Manager (http://www.funkytoad.com/download/HostsXpert.zip).

Unzip HostsXpert 4.2.0.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert
Click HostsXpert.exe to Run HostsXpert - Hosts File Manager from its new home
Click "Make Hosts Writable?" in the upper left corner.
Click Restore Microsoft's Hosts file and then click OK.
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.





Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
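The DDS log above shows the typical rogue-AV hosts-file pattern that the HostsXpert step is meant to undo: a security site pinned to loopback, and several "payment" domains pointed at one routable address. The following audit script is an added example (not HostsXpert, ComboFix or the forum's own tooling) that parses a Windows hosts file and separates stock loopback entries from blocks and redirects; the sample hosts content is constructed from the Hosts: lines in the log.

```python
import ipaddress
from collections import namedtuple

# Constructed sample: the stock XP localhost line plus the Hosts: entries
# reported in the DDS log above (one with a trailing comment to exercise parsing).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.spywareinfo.com
74.125.45.100   securitysoftwarepayments.com
74.125.45.100   privatesecuredpayments.com
74.125.45.100   secure.privatesecuredpayments.com   # hijacked payment site
74.125.45.100   secure-plus-payments.com
"""

# Names a stock Windows hosts file legitimately maps to loopback.
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

Finding = namedtuple("Finding", "ip name verdict")


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped and a
    line listing several hostnames yields one pair per name."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def classify(ip, name):
    """'default'  stock loopback entry;
    'block'    loopback/unspecified address for another name (legitimate in
               custom ad-blocking hosts files, but rogue AV uses it to cut off
               security sites, so it needs review);
    'redirect' a routable address, i.e. the name is silently sent elsewhere;
    'invalid'  the address field is not an IP address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    if addr.is_loopback or addr.is_unspecified:
        return "default" if name in DEFAULT_LOOPBACK_NAMES else "block"
    return "redirect"


def audit_hosts(text):
    """Return every entry that is not a stock default, with its verdict."""
    findings = []
    for ip, name in parse_hosts(text):
        verdict = classify(ip, name)
        if verdict != "default":
            findings.append(Finding(ip, name, verdict))
    return findings


def redirect_targets(findings):
    """Group redirected names by destination; many names to one address is
    the hijack signature seen in the log."""
    targets = {}
    for f in findings:
        if f.verdict == "redirect":
            targets.setdefault(f.ip, []).append(f.name)
    return targets
```

Running `audit_hosts(SAMPLE_HOSTS)` on the sample returns one block (www.spywareinfo.com) and four redirects, all to 74.125.45.100; on a live system point it at %SystemRoot%\system32\drivers\etc\hosts.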

ken545
2010-08-26, 12:21
Still need help ?