PDA

View Full Version : fraud.windowsprotectionsuite removal help please!



kjk86
2011-02-02, 02:23
Like a few people (hours of googling) I, or rather a friend has been infected by this dastardly problem. I get passed on infected pc's all the time as i dont normally have an issue reviving them but this just has me stumped.

as instructed, txt files copied/attached.

Any help would be muchly advised.

I think I should note from other users with this same issue, I had started to follow instructions, Ie, turning off resident and tea timer. also attempted to run HostsXpert but still with the same error code of not being able to write.

Trying to "renew" the hosts file the old fashioned way doesnt work. Searching for it allows me open it up, but no matter what admin privileges i cant overwrite it.

DDS-


DDS (Ver_10-12-12.02) - NTFSx86
Run by all users at 23:04:46.14 on 01/02/2011
Internet Explorer: 8.0.6001.18865
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.984.167 [GMT 0:00]

AV: Microsoft Security Essentials *Enabled/Outdated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Outdated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\OEM\OSD_2.4\OsdService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\WerCon.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\RacAgent.exe
C:\Users\all users.allusers-PC\Downloads\dds (1).scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=DSGI&bmod=DSGI;
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=DSGI&bmod=DSGI;
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=DSGI&bmod=DSGI
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=DSGI&bmod=DSGI
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\config\systemprofile\appdata\roaming\sdra64.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Svisidurayapeva] rundll32.exe "c:\users\all users.allusers-pc\appdata\local\ukecagayusaq.dll",Startup
uRun: [Squfadiyurega] rundll32.exe "c:\users\all users.allusers-pc\appdata\local\wsvrer.dll",Startup
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\users\alluse~1.all\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 0 = msseces.exe
uPolicies-disallowrun: 1 = MSASCui.exe
uPolicies-disallowrun: 2 = ekrn.exe
uPolicies-disallowrun: 3 = egui.exe
uPolicies-disallowrun: 4 = avgnt.exe
uPolicies-disallowrun: 5 = avcenter.exe
uPolicies-disallowrun: 6 = avscan.exe
uPolicies-disallowrun: 7 = avgfrw.exe
uPolicies-disallowrun: 8 = avgui.exe
uPolicies-disallowrun: 9 = avgtray.exe
uPolicies-disallowrun: 10 = avgscanx.exe
uPolicies-disallowrun: 11 = avgcfgex.exe
uPolicies-disallowrun: 12 = avgemc.exe
uPolicies-disallowrun: 13 = avgchsvx.exe
uPolicies-disallowrun: 14 = avgcmgr.exe
uPolicies-disallowrun: 15 = avgwdsvc.exe
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-gb.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IFEO: image file execution options - svchost.exe
IFEO: a.exe - svchost.exe
IFEO: aAvgApi.exe - svchost.exe
IFEO: AAWTray.exe - svchost.exe
IFEO: About.exe - svchost.exe

Note: multiple IFEO entries found. Please refer to Attach.txt
Hosts: 74.125.45.100 safebrowsing-cache.google.com
Hosts: 74.125.45.100 urs.microsoft.com
Hosts: 74.125.45.100 protected.maxisoftwaremart.com
Hosts: 209.97.213.115 google.com
Hosts: 209.97.213.115 google.com.au

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\drivers\RtlProt.sys [2008-12-22 25896]
R3 GpdDevDPort;GpdDevDPort;c:\windows\system32\directport.sys [2008-6-17 7168]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-22 112128]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S2 0160571296504521mcinstcleanup;McAfee Application Installer Cleanup (0160571296504521);c:\users\alluse~1.all\appdata\local\temp\016057~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\users\alluse~1.all\appdata\local\temp\016057~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate1c9b948659a8ada;Google Update Service (gupdate1c9b948659a8ada);c:\program files\google\update\GoogleUpdate.exe [2009-4-9 133104]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]

=============== Created Last 30 ================

2011-02-01 22:51:02 439632 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{757df64a-63e8-44dd-b92c-f3c71479e8b4}\gapaengine.dll
2011-02-01 22:45:31 -------- d-----w- c:\program files\Microsoft Security Client
2011-02-01 22:44:56 98184 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2011-02-01 22:44:56 902024 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-02-01 22:44:56 438272 ----a-w- c:\windows\system32\IKEEXT.DLL
2011-02-01 22:44:56 220040 ----a-w- c:\windows\system32\drivers\netio.sys
2011-02-01 22:44:55 595456 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2011-02-01 22:44:55 328704 ----a-w- c:\windows\system32\BFE.DLL
2011-02-01 22:10:29 -------- d-----w- C:\Hosts
2011-02-01 21:43:29 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-02-01 20:16:55 -------- d-----w- c:\windows\pss
2011-01-31 21:30:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-31 19:52:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-01-31 19:52:39 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2011-01-31 19:48:33 0 ----a-w- c:\users\alluse~1.all\appdata\local\Gcuyanawifuki.bin
2011-01-31 19:48:31 -------- d-----w- c:\users\alluse~1.all\appdata\local\{D6BCA592-5F95-4600-A1DC-20B2578A9035}
2011-01-28 17:29:52 -------- d-----w- c:\program files\common files\McAfee
2011-01-28 17:29:47 -------- d-----w- c:\program files\McAfee

==================== Find3M ====================


=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6001 Disk: TOSHIBA_MK1652GSX rev.LV010J -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x844B7618]<<
_asm { PUSH EBP; MOV EBP, ESP; MOV ECX, [0xffdf0308]; MOV EAX, [EBP+0x8]; SUB ESP, 0x14; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; CMP EAX, [ECX+0x4]; JNZ 0x59; XOR EDI, EDI; }
1 ntkrnlpa!IofCallDriver[0x81EC7F6F] -> \Device\Harddisk0\DR0[0x84713258]
3 CLASSPNP[0x861A7745] -> ntkrnlpa!IofCallDriver[0x81EC7F6F] -> [0x844A1BA0]
[0x852B5F38] -> IRP_MJ_CREATE -> 0x844B7618
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskTOSHIBA_MK1652GSX_______________________LV010J__#5&348bff3e&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x844B74BF
user & kernel MBR OK
sectors 312581806 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 23:09:24.96 ===============



I have to zip the spybot results, it makes the post too many characters! BUT have included the text from the log concerning the actual problem

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
safebrowsing-cache.google.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
urs.microsoft.com=74.125.45.100

Fraud.WindowsProtectionSuite: [SBI $B197733A] Redirected host (Redirected host, nothing done)
protected.maxisoftwaremart.com=74.125.45.100

ken545
2011-02-03, 03:41
:snwelcome:


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.


Your infected with a Rootkit


Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
Extract the file and run it.
Once completed it will create a log in your C:\ drive called TDSSKiller_* (* denotes version & date)
Please post the content of the TDSSKiller log

kjk86
2011-02-03, 11:31
Slight problem, Its now on a boot cycle. I do have access to a couple of live-cd's so it is still possible to fix. obviously I cant now do as suggested.

ken545
2011-02-03, 11:35
Looks like your Master Boot Record is infected and TDSSKiller will fix that if you can get the computer back up and running.



Go to Start> Shut off your Computer> Restart
Or if the computer is off press the power button
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Last Known Good
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

kjk86
2011-02-03, 11:56
Already had tried that, No suck luck, only thing i can access to is BIOS settings and change boot device.

ken545
2011-02-03, 14:09
If you can try doing a system repair, if you need help I can link you to a windows support site