
My computer has the Internet Security Tool virus...can you help me?
Hey Guys,
looks like I have been infected with the Internet security tool virus. Can you help me clean it up? Thanks!
I am getting this error msg:
"X is infected with worm Lsas.blASTER.keylogger....etc"

Re: My computer has the Internet Security Tool virus...can you help me?
Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that.

Re: My computer has the Internet Security Tool virus...can you help me?
ComboFix 10-01-24.05 - Gary Kenyon 25/01/2010 10:34:19.1.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.3062.2414 [GMT -8:00]
Running from: C:\Users\Gary Kenyon\Desktop\ComboFix.exe
AV: Windows Live OneCare *On-access scanning enabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Windows Live OneCare *enabled* (Updated) {CC7E50BA-BA8C-4DDE-B5AC-EA53BC38D01B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\$RECYCLE.BIN\S-1-5-21-1657970030-4244632918-4024502491-500
C:\$RECYCLE.BIN\S-1-5-21-1785644027-1836616090-1490803189-500
C:\Program Files\alot
C:\Program Files\alot\alotUninst.exe
C:\Program Files\alot\bin\alot.dll
C:\Program Files\alot\bin\ALOTSettings.exe
C:\Program Files\alot\bin\BHO\alotBHO.dll
C:\Program Files\FunWebProducts
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\ProgramData\74368735
C:\ProgramData\74368735\74368735.exe
C:\Users\Gary Kenyon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Tool.lnk
C:\Users\Gary Kenyon\Desktop\Security Tool.lnk

Re: My computer has the Internet Security Tool virus...can you help me?
You did not post a full ComboFix log. Please re-run it, and post a new log.

Re: My computer has the Internet Security Tool virus...can you help me?
ComboFix 10-01-25.01 - Gary Kenyon 25/01/2010 11:41:23.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.3062.1989 [GMT -8:00]
Running from: c:\users\Gary Kenyon\Desktop\ComboFix.exe
AV: Windows Live OneCare *On-access scanning enabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Windows Live OneCare *enabled* (Updated) {CC7E50BA-BA8C-4DDE-B5AC-EA53BC38D01B}
.

((((((((((((((((((((((((( Files Created from 2009-12-25 to 2010-01-25 )))))))))))))))))))))))))))))))
.

2010-01-25 19:46 . 2010-01-25 19:46 -------- d-----w- c:\users\Gary Kenyon\AppData\Local\temp
2010-01-25 19:46 . 2010-01-25 19:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-13 09:39 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 09:39 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-09 16:53 . 2010-01-09 23:42 -------- d-----w- c:\users\Gary Kenyon\Our place improvements

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-25 19:10 . 2009-01-16 00:39 -------- d-----w- c:\users\Gary Kenyon\AppData\Roaming\LimeWire
2010-01-25 19:04 . 2009-02-21 01:14 1356 ----a-w- c:\users\Gary Kenyon\AppData\Local\d3d9caps.dat
2010-01-25 18:09 . 2008-09-03 00:17 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2010-01-17 19:52 . 2009-03-12 14:01 -------- d-----w- c:\program files\Mystery Case Files - Huntsville
2010-01-14 15:36 . 2008-09-29 02:06 -------- d-----w- c:\program files\HOTALBUMMyBOX
2010-01-13 11:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-12 00:37 . 2009-08-17 01:45 -------- d-----w- c:\users\Gary Kenyon\AppData\Roaming\HpUpdate
2010-01-09 22:43 . 2009-03-12 13:44 -------- d-----w- c:\program files\bfgclient
2009-12-24 03:42 . 2009-01-16 00:39 -------- d-----w- c:\program files\LimeWire
2009-12-22 14:02 . 2009-02-26 21:04 -------- d-----w- c:\program files\Google
2009-12-21 03:09 . 2009-12-21 03:03 77354 ----a-w- c:\windows\hpqins05.dat
2009-12-21 03:09 . 2008-04-17 21:40 -------- d-----w- c:\programdata\HP
2009-12-21 03:07 . 2008-09-03 00:06 82080 ----a-w- c:\users\Gary Kenyon\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-21 03:04 . 2009-12-21 03:04 -------- d-----w- c:\programdata\HP Product Assistant
2009-12-10 11:03 . 2008-09-03 00:21 -------- d-----w- c:\programdata\Microsoft Help
2009-12-09 02:16 . 2009-02-26 21:04 -------- d-----w- c:\program files\Common Files\Real
2009-12-09 02:16 . 2009-12-09 02:16 -------- d-----w- c:\program files\Common Files\xing shared
2009-12-06 00:42 . 2009-12-06 00:42 764168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-03 00:38 . 2009-11-26 00:38 439816 ----a-w- c:\users\Gary Kenyon\AppData\Roaming\Real\Update\setup3.09\setup.exe
2009-12-02 11:19 . 2009-12-02 11:19 -------- d-----w- c:\program files\Windows Portable Devices
2009-12-02 11:19 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-12-02 11:19 . 2009-12-02 11:19 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-12-01 06:34 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-12-01 06:34 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-12-01 06:34 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-12-01 06:34 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-12-01 06:34 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-12-01 06:34 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-11-21 06:40 . 2009-12-09 14:30 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-09 14:30 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-09 14:30 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-09 14:30 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-09 12:31 . 2009-12-10 11:03 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-10 11:03 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-10 11:03 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-29 09:17 . 2009-11-26 11:01 2048 ----a-w- c:\windows\system32\tzres.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-16 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-26 133656]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-07-09 65240]
"D-Link Wireless G WDA-1320"="c:\program files\D-Link\Wireless G WDA-1320\AirGCFG.exe" [2005-12-14 2711552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2008-06-03 178712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-09 198160]

c:\users\Gary Kenyon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-12-16 503808]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-15 05:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
2007-04-18 15:01 65536 ----a-w- c:\hp\support\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launcher]
2007-11-15 23:17 44168 ----a-w- c:\windows\SMINST\Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-03-26 00:07 133656 ----a-w- c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-04-07 09:56 132760 ----a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):31,bc,36,40,51,72,ca,01

R0 PzWDM;PzWDM;c:\windows\System32\drivers\PzWDM.sys [28/09/2008 6:07 PM 15172]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [09/07/2009 11:15 AM 26104]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\System32\drivers\A3AB.sys [25/08/2005 2:00 PM 466880]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [07/10/2009 4:38 PM 133104]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [20/01/2008 6:23 PM 21504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-01-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-08 00:38]

2010-01-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-08 00:38]

2010-01-25 c:\windows\Tasks\User_Feed_Synchronization-{2290F617-57FC-4A82-98E1-99BC0DE22C0E}.job
- c:\windows\system32\msfeedssync.exe [2009-12-09 04:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.alot.com/?client_id=0EA004B001CA6D363F630422&install_time=24-11-2009:10&src_id=11031&camp_id=-3&tb_version=2.5.4.463
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
FF - ProfilePath - c:\users\Gary Kenyon\AppData\Roaming\Mozilla\Firefox\Profiles\2b5f3b0p.default\
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
AddRemove-alotToolbar - c:\program files\alot\alotUninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-25 11:46
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5900)
c:\program files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
c:\program files\Common Files\Microsoft Shared\Encarta Search Bar\A\ESBRes.DLL
.
Completion time: 2010-01-25 11:48:33
ComboFix-quarantined-files.txt 2010-01-25 19:48

Pre-Run: 399,100,993,536 bytes free
Post-Run: 399,034,396,672 bytes free

- - End Of File - - 0E38B09A15E724AC1BCDBD4C8BB017D6

Re: My computer has the Internet Security Tool virus...can you help me?
I take it ComboFix did not warn you to disable the security software?

AV: Windows Live OneCare *On-access scanning enabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Windows Live OneCare *enabled* (Updated) {CC7E50BA-BA8C-4DDE-B5AC-EA53BC38D01B}


==

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:


    SecCenter::
    AV: Windows Live OneCare *On-access scanning enabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
    FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    SP: Windows Live OneCare *enabled* (Updated) {CC7E50BA-BA8C-4DDE-B5AC-EA53BC38D01B}

    DirLook::
    c:\users\Gary Kenyon\Our place improvements
    c:\program files\HOTALBUMMyBOX

    DDS::
    uStart Page = hxxp://home.alot.com/?client_id=0EA004B001CA6D363F630422&install_time=24-11-2009:10&src_id=11031&camp_id=-3&tb_version=2.5.4.463

    RegLockDel::
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.