#1
Today my computer crashed with the Security Center popping up telling me i had been to porno sites and God knows what else and EVERYTHING has been disabled.
I live in Manila and am constantly getting porno sites pop up without me doing a thing. Anyway what makes this scary is that the apparently genuine Microsoft Security was telling me to update my License in order to put everything right. When i tried to renew the License i was asked for $79. At first i paid that but when nothing happened i contacted my Visa card people and reported it. There are nasty red ticks against everything and my desktop is wiped out (clock as well). I can only get into the net via the little blue Microsoft sign at the bottom of the SC box. The even more scary part of this is that a Russian girl (i think it is Russian) says something to me when the computer Welcome sign comes up (i am in Vista). Heaven knows what is going on in the background now. I have installed AVG free edition but have no way of knowing whether it is operating or not. Can someone PLEASE help me urgently. My sincere thanks in anticipation. John
#2
First of all I would cancel your credit card and get a new one, by the looks of it you have a trojan virus collecting credit card numbers. Download and install spybot, post the log file and evil fantasy will be able to help you out
#3
Thank you will do that.
#4
I have downloaded and it had killed off a Malicious Spyware. However i have no way of getting the report to send over. Everything vanishes as soon as i change over to another site. As i said earlier i have no desktop or anything else for that matter. So what do i do now please?
Thanks again.
#5
I have had SpyBot do a scan and it has come up with many Red Alerts inc PC Fraud.
BUT the big problem is it cannot do anything about them! It cannot access a file C:\Windows\Wininit.ini, Access denied. What to do? As they say in the east.
#6
This sounds like Virut. Do you see any names of what Spybot found? Can you transfer over anything and get it to run from a Flash Drive or CD?
#7
Hello again EF!
It was suggested by another source that i try Malwarebytes. Well it worked like a dream and eradicated 35 red alerts. Since reading your post this morning i did a scan with SpyBot and it came up with the following: MediaPlex Browser (3), Adaware Alert (3), Antivirus Override (1), Web Trends Live (1), Microsoft Windows SC Firewall (1) and MW Anti Virus (1). There were MANY more last night before i scanned with MWB. Also this morning i did another scan with MWB and it found nothing! I wonder why? Re SpyBot. I cannot delete any of these alerts as it keeps going on about being an Administrator etc before it can be done. However i shall reboot (as they suggest i think) and see if anything gets done then. Finally since the cleaning up was done last night the comp has been disconnected. How come there are so many new alerts after just a few minutes of connection this am? I have Avast and of course the Microsoft firewall stuff on, so how does this rubbish get through and what am i to do in future please? Thank you once more and best regards. John
#8
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1
Link #2
**Note: It is important that it is saved directly to your Desktop.
Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
Double click combofix.exe & follow the prompts.
Vista users: Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it).
When finished ComboFix will produce a log for you. Post the ComboFix log in your next reply.
Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
If you have problems with ComboFix usage, see How to use ComboFix.
#9
Many thanks here is the log...
ComboFix 09-05-20.09 - User 05/21/2009 2:30.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2037.1154 [GMT 1:00]
Running from: c:\users\User\Desktop\ComboFix.exe
SP: MalwareRemovalBot *disabled* (Updated) {C71AE13B-AEAC-45FD-A15D-AF2A0D226945}
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\Desktop.ini
.
((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
.
2009-05-20 09:17 . 2009-05-21 00:14 -------- d-----w c:\programdata\Spybot - Search & Destroy
2009-05-20 09:17 . 2009-05-21 00:14 -------- d-----w c:\users\All Users\Spybot - Search & Destroy
2009-05-20 09:17 . 2009-05-20 09:17 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-29 04:40 . 2009-05-20 06:07 -------- d-----w c:\program files\WOT
2009-04-29 04:26 . 2009-02-05 20:06 51792 ----a-w c:\windows\system32\drivers\aswMonFlt.sys
2009-04-28 03:19 . 2009-04-28 03:19 -------- d-----w c:\program files\Trend Micro
2009-04-23 07:39 . 2009-04-23 07:52 -------- d-----w c:\program files\AllSnooker.Info
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-20 14:53 . 2008-09-04 02:14 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-14 02:53 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-05-03 09:55 . 2008-09-09 21:44 5972 ----a-w c:\users\User\AppData\Local\d3d9caps.dat
2009-04-12 04:51 . 2007-11-20 09:25 -------- d-----w c:\program files\Java
2009-04-06 14:32 . 2008-11-28 02:51 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2008-11-28 02:52 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 06:24 . 2008-11-16 01:49 -------- d-----w c:\program files\VS Revo Group
2009-03-24 02:44 . 2008-11-21 06:27 -------- d-----w c:\program files\PCPitstop
2009-03-17 03:38 . 2009-04-16 11:42 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-16 11:42 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-14 00:58 . 2009-03-14 00:58 0 ----a-w c:\windows\system32\REN6845.tmp
2009-03-14 00:58 . 2009-03-14 00:58 0 ----a-w c:\windows\system32\REN6844.tmp
2009-03-14 00:58 . 2009-03-14 00:58 0 ----a-w c:\windows\system32\REN6805.tmp
2009-03-09 04:19 . 2009-02-04 03:08 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-05 07:04 . 2006-11-02 10:25 51200 ----a-w c:\windows\inf\infpub.dat
2009-03-05 07:04 . 2006-11-02 10:25 143360 ----a-w c:\windows\inf\infstrng.dat
2009-03-03 04:46 . 2009-04-16 11:42 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-16 11:42 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:40 . 2009-04-16 11:41 827392 ----a-w c:\windows\system32\wininet.dll
2009-03-03 04:39 . 2009-04-16 11:42 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-16 11:42 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-16 11:42 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-16 11:41 78336 ----a-w c:\windows\system32\ieencode.dll
2009-03-03 04:37 . 2009-04-16 11:42 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-16 11:42 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-16 11:42 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-16 11:42 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-16 11:42 17408 ----a-w c:\windows\system32\iashost.exe
2009-03-03 02:28 . 2009-04-16 11:41 26624 ----a-w c:\windows\system32\ieUnatt.exe
2008-12-09 04:50 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2005-01-13 16:47 . 2005-01-13 16:47 61440 ----a-w c:\program files\mdMod1.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-10-10 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-27 202032]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{3E7611F8-8996-4D8F-9407-9E4E780AD628}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{ECEA1A2F-FB73-42CA-B0D3-235CFE68E2C3}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{7CE2F739-8FC2-4573-91C6-C8F3326B331F}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{2672872F-6B74-4D8F-B902-FEF6DA9D2437}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{E3193146-C66B-4FC1-A4A2-22F00495FF44}"= UDP:1723:PPTP L2TP IPSec
"{9013E004-CA93-4651-8ED5-FBF584057E9B}"= UDP:47:PPTP L2TP IPSec
"{F1487DE3-76FA-4674-B970-7FEB57B25951}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{2512D0B5-F148-4C1E-A97F-6CC0D99FD556}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{4E8AAECD-794A-4EA7-A47F-C507F5241923}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{202E1D62-EA46-4B41-B2F7-66DC4D0296E9}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{9584969B-7D2D-4B7F-8918-9EBDE7A39644}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{9D61101B-0EAD-419E-B7B5-D13C9EC1BCAA}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{61E553BC-D6E5-4EE3-963E-E2ECE03990EC}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{3612DE6D-A3BA-460B-B13F-A488B62CD9FC}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [4/29/2009 5:26 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [4/29/2009 5:26 AM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [4/29/2009 5:26 AM 51792]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [1/11/2008 6:50 PM 30312]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [5/20/2009 10:17 AM 1153368]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 11:31 PM 29263712]
S2 AnonMgmtSvc;Anonymizer Management Service;c:\program files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe [10/3/2008 11:16 PM 37560]
.
Contents of the 'Scheduled Tasks' folder

2009-05-20 c:\windows\Tasks\User_Feed_Synchronization-{0DD70391-425F-450C-9822-8ECA8B45D9D0}.job
- c:\windows\system32\msfeedssync.exe [2008-09-06 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.betfair.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_om&c=81&bd=Presario&pf=laptop
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-21 02:35
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\users\User\AppData\Local\Temp\catchme.dll 53248 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-960212331-4114999470-3676663911-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E0289D67-E357-F47D-3DE3-D3ECF07CCC68}*]
"nacfflcejgjpmleofgbfledomhcd"=hex:6a,61,6d,65,66,68,65,6e,62,6f,64,6b,70,61,68,6f,70,69,62,6c,00,00

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-05-21 2:36
ComboFix-quarantined-files.txt 2009-05-21 01:36
ComboFix2.txt 2009-04-29 01:57

Pre-Run: 65,707,470,848 bytes free
Post-Run: 67,210,117,120 bytes free

159 --- E O F --- 2009-05-18 22:12

I thought i had disabled SpyBot but apparently not - sorry!!
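One thing worth pulling out of the log above is the Security Center section: "AntiVirusOverride", "FirewallOverride" and "DisableMonitoring" are all set to dword:00000001, which tells Windows Security Center not to warn that antivirus or firewall protection is off, and is a common side effect of rogue security software. The following Python script is an added example for readers of this thread, not code from the thread, from ComboFix or from any of the tools named here. It parses the REGEDIT4-style "Reg Loading Points" section of a ComboFix log, lists the Run-key autostarts, flags Security Center override values, and produces a .reg fragment that sets them back to 0. The sample text is constructed from the shape of the posted log, and the parsing rules are my own assumptions about that format.

```python
import re

# Constructed sample: a few entries in the shape of the "Reg Loading Points"
# section of the ComboFix log posted in this thread (REGEDIT4 export format).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')          # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')      # "name"=data
QUOTED_PATH_RE = re.compile(r'^"([^"]*)"')      # leading "c:\...\x.exe" in data

# Values under ...\Security Center that, when set to 1, stop Windows from
# warning that antivirus or firewall protection is off.
OVERRIDE_NAMES = ("AntiVirusOverride", "FirewallOverride", "DisableMonitoring")


def parse_regedit(text):
    """Return {key_path: {value_name: raw_data}} from REGEDIT4-style text."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def dword_value(raw):
    """'dword:00000001' -> 1; None when the data is not a DWORD."""
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return None


def security_center_findings(keys):
    """List (key_path, value_name) pairs that silence Security Center."""
    findings = []
    for path, values in keys.items():
        if "\\security center" not in path.lower():
            continue
        for name, raw in values.items():
            if name in OVERRIDE_NAMES and dword_value(raw) == 1:
                findings.append((path, name))
    return findings


def run_entries(keys):
    """List (value_name, executable_path) for every ...\\Run autostart entry."""
    entries = []
    for path, values in keys.items():
        if not path.lower().endswith("\\run"):
            continue
        for name, raw in values.items():
            m = QUOTED_PATH_RE.match(raw)
            entries.append((name, m.group(1) if m else raw))
    return entries


def reset_script(findings):
    """Build a REGEDIT4 fragment that sets each flagged value back to 0."""
    by_key = {}
    for path, name in findings:
        by_key.setdefault(path, []).append(name)
    lines = ["REGEDIT4", ""]
    for path, names in by_key.items():
        lines.append(f"[{path}]")
        lines.extend(f'"{name}"=dword:00000000' for name in names)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    keys = parse_regedit(SAMPLE_LOG)
    for name, exe in run_entries(keys):
        print(f"autostart  {name}: {exe}")
    found = security_center_findings(keys)
    for path, name in found:
        print(f"FLAG  {name}=1 under {path}")
    print(reset_script(found))
```

Run it against a saved log by replacing SAMPLE_LOG with the file contents; the Run-key listing is there so the autostarts can be read alongside the Security Center findings, since a rogue that has switched off the monitoring usually also has an autostart entry of its own somewhere in that list.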
#10
Is MalwareRemovalBot in Add or Remove Programs?
If so uninstall it. It's a rogue antivirus.