Please Help, I've got a thing called Paladin Antivirus that is killing my system

[Latent221]

Hi,

I have a program that's installed itself on my system called Paladin Antivirus: It's asking me to go the the Paladin homepage to start a scan (which I haven't done): It is also bringing up numerous System Alerts stating my system is being attacked and a number of Danger and Security Center Alerts informing me of a number of Trogan warnings: I understand that if I downloaded rkill that this may help: Unfortunately this Paladin is not allowing me into any internet sites that may help me. It has also disabled my Malware Bytes and my McAfee...I tried to download spybot but again this program is not allowing my to security systems to open up: Derek, any help would certainly be appreciated.

Paul
Latent221

[Latent221]

Further Follow up: Have attached the DDS.txt & Attach txt (zipped) Unfortately the system has let me download GMER Rootkit Scanner but will not let me run he program: Please advise

Kind regards

Paul
Latent221

[Latent221]

DDS (Ver_09-12-01.01) - NTFSx86 
Run by Paul Campbell at 13:06:23.04 on 09/02/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition  5.1.2600.3.1252.44.1033.18.1271.570 [GMT 0:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)   {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled*   {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\PAULCA~1\LOCALS~1\Temp\ddexpshare.exe
C:\DOCUME~1\PAULCA~1\LOCALS~1\Temp\cmmon64x.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Paul Campbell\Desktop\dds.pif

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Shell=Explorer.exe
mWinlogon: userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [lwcyhver] c:\documents and settings\paul campbell\local settings\application data\ktexmh\dgfcsysguard.exe
uRun: [ddexpshare.exe] c:\docume~1\paulca~1\locals~1\temp\ddexpshare.exe
mRun: [CHotkey] mHotkey.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [lwcyhver] c:\documents and settings\paul campbell\local settings\application data\ktexmh\dgfcsysguard.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: &Search - http://ka.bar.need2find.com/KA/menusearch.html?p=KA
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - {8C85E2EE-9FD6-11D5-B770-504D54C10000}
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.co.uk/SnapfishUKActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {78ABDC59-D8E7-44D3-9A76-9A0918C52B4A} - hxxp://dl.uc.sina.com/cab/downloader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} - hxxp://eu.download.games.yahoo.com/zylom/activex/zylomloader.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553534500} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} - hxxp://lg.home.microsoft.com/search/lobby/searchsettings.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4598/mcfscan.cab
DPF: {FD163A9A-A3D8-4F7D-8224-32F81AC29EDA} - hxxp://video.vividas.com/CDN1/5029_paramount/en/web/player/vivid_ocx.jpeg
DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
LSA: Notification Packages = scecli msl1nsaL.dll
mASetup: {61E3FE32-07B9-4563-A3E0-2DE2D620FE10} - c:\program files\pixiepack codec pack\InstallerHelper.exe

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-10-5 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-10-5 93320]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-10-5 359952]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-10-5 144704]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-10-5 606736]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-10-3 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-10-3 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-10-3 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-10-3 40552]
S3 pbfilter;pbfilter;\??\c:\program files\peerblock\pbfilter.sys --> c:\program files\peerblock\pbfilter.sys [?]

=============== Created Last 30 ================

2010-02-09 11:21:51   22016   ----a-w-   c:\windows\system32\lkmj.bdo
2010-02-09 09:52:31   22016   ----a-w-   c:\windows\system32\sojs.smo
2010-02-09 09:41:46   0   d-----w-   c:\program files\Paladin Antivirus
2010-02-08 14:07:50   8212   ----a-w-   c:\windows\mfebcdata
2010-02-08 13:53:44   8   ----a-w-   c:\docume~1\alluse~1\applic~1\mswintmp.dat
2010-02-08 13:53:38   49152   ----a-w-   c:\windows\system32\~.exe
2010-02-02 12:32:21   0   d-----w-   c:\program files\iPod
2010-02-02 12:31:12   0   d-----w-   c:\program files\iTunes
2010-02-02 10:54:38   0   d-----w-   c:\program files\Tele Hypnosis Pro De Luxe Multisession 4
2010-01-14 09:50:55   0   d-sh--w-   c:\windows\system32\lowsec
2010-01-13 09:21:03   471552   -c----w-   c:\windows\system32\dllcache\aclayers.dll

==================== Find3M  ====================

2010-02-04 13:29:34   96512   ----a-w-   c:\windows\system32\drivers\atapi.sys
2009-12-21 19:14:05   916480   ----a-w-   c:\windows\system32\wininet.dll
2009-11-11 16:46:53   2828   --sha-w-   c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-11-11 16:46:48   88   --sh--r-   c:\docume~1\alluse~1\applic~1\AAD8903BC5.sys

============= FINISH: 13:08:09.17 ===============

[PXHelp]

Hello,

It sounds like someone has stolen you hotmail login and password, if possible from another PC, go and Please download Prevx 3.0 from http://info.prevx.com/downloadcsi.asp

Install it and run a scan, once the scan completes, click on tools, then click Save Scan Results, name the log anything you like then attach it to your next post, please.

I will now review the logs you have supplied. 


Regards,

PXHelp

[Latent221]

Hi,

Have downloaded Prevx on to a disc from another system as mine will not allow me on to the site: I can get on to Yahoo and other generic sites but the system will not allow me on to sites where I could get assistance to kill this thing off. Have inserted the disc on to my system but the virus seems to kill off anything on the disc....Everytime I open my D drive, there appears to be nothing on the disc: This has happened with rkill and with Combofix (drastic measure I know)...........But the system to overide all my attemps to kill this virus off:
Still getting the Paladin Antivirus wanting me to sign up: it's also giving off a number of virus warnings such as:
System Alert: Virus.Chin09.Win
System Aleart: Virus Win32.Gpcode.ak
System Alert: Virus.Backdoor.win32.kbot
Defensless OS.Trogan.win.Agent.Dcc

The system will not allow me to reboot in safe mode at all. The system will not allow me to open up my McAfee or Malware Bytes.

Everytime I get close to downloading something that may help I the system gives me a 30 second warning that it is switching itself off.

I am currently on my wifes system but I need to get in to mine for work.....please help.

Thanks

Latent221
Paul

[PXHelp]

Hello,

I am going to send you a Private Message, please keep a lookout for it 

[Latent221]

Hi,

Have responded to your email and I'm awaiting your response.

Kind regards

Latent221
Paul

[PXHelp]

Lets try this route first.

Delete any existing version of ComboFix you have sitting on your desktop

Please read and follow all these instructions very carefully

Download ComboFix from Here to your Desktop.

**Note:  It is important that it is saved directly to your desktop  and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

• Very Important! Temporarily disable your anti-virus and  anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
• Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
  
• Remember to re enable the protection again after combofix has finished
  

--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running

Double click on combofix.exe & follow the prompts.

If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this
When finished, it will produce a report for you. 
Please post the "C:\ComboFix.txt" for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version. 

[Latent221]

Hi,

After numerous tries, the system will not allow me to open up the link to Combofix.exe....Everytime I try to get to the bleepingcomputer.com........I get an Internet Explorer cannot open the webpage message.......I have managed to get on to thespykiller though which is certainly an improvement on last night: Although I am typing this on my wife's PC.

Please advise and thanks so much for your help.

Latent221
Paul

[Latent221]

Hi:

Just a follow on:

I've downloaded Combofix to a disc from my wife's computer but my system refuses to read the information on the disc: It will just not allow me to open up any programs that will help me kill this off.

Latent221

[Would you do all this for nothing?]

You have come to The Spykiller for help because your Antivirus or Antispyware hasn't been able to fix your problem.

Modern Malware has become so involved and difficult to fix that it takes a very long time and a lot of hard work to read all the logs posted here and research and prepare the fixes for you. In many cases each part of the fix takes about 30 minutes to prepare, so a large part of my time is spent helping you

Would you do all this for nothing?

The reason I run this site is to raise funds for Hedgehog Rescue

Please donate if I have helped you or you have found this site useful.

You can donate safely and securely by using the paypal service, just click on one of the buttons below.

To donate in UK £

To donate in US$

To donate in Euro €

Any amount no matter how small is gratefully accepted and needed to ensure we keep the Rescue Centre running

To donate via paypal when the button doesn't appear or the link doesn't work: just go to www.paypal.com or your country's paypal log in page and chose send money and use help@thehedgehog.co.uk as recipient email address and select other service as the option. then follow prompts

[Information]

  
  Information
   Security & Protection Blog
   Prevention
   Using Autoruns
     System Restore
  Rss feeds
     Microsoft at Home
     MSRC
     Malware blog

Take the Kaspersky Challenge: See what your current antivirus is missing. Our free online virus scanner is a great way to find out if you have any viruses or spyware on your machine without having to uninstall your current antivirus software or install a new one.

Kaspersky Online Scanner

Most importantly, you can see what viruses your current antivirus software let slip through! Now works with ANY Java enabled browser