Jump to content

Fake Windows Security Alert Problem

HexeFroschbein
 Share

Recommended Posts

HexeFroschbein

HexeFroschbein

Posted
Posted

Hi,

I was using Stumble to surf when my laptop was taken over by the Windows Security Alert -- taking me to a number of sites and putting on a sophisticated show inside the tab, looking very much like an official Microsoft anti-virus program that found something dangerous. See the attached picture for the addies.

I had encountered this scam before about a year ago on someone else's computer and the Malwarebytes application removed it. This time, I updated my copy of Malwarebytes, ran it, and it found bad 3 registry entries, but after removing them, the ''wscntfy.exe" (which I suspect is a part of the problem) keeps coming back if I kill it and it's bugging me with an icon in the tray that keeps hassling me about there not being a firewall, inviting me to click on it. Suspending the program only works a limited time, and it's not possible to remove the icon either -- it always comes back. I've used adblock to stop the sites from being accessed as it repeated that trick with opening a tab in firefox and looking like an app about 20 minutes after the first attack, so I'm not sure if it's still active.

I downloaded the Avira program as well, and it also cannot find the problem.

I can see that there are 2 other people being helped currently with similar looking issues, should I just wait and then follow the instructions they got or wait a whilst until the program has an update that squishes the problem?

many thanks for any advice,

Hexe Froschbein

The GMER application crashes, but here is the Defogger log:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Gabriela at 22:27:26.93 on 05/11/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.317 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

svchost.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Broadcom\BACS\BacsTray.exe

c:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\NetWaiting\netWaiting.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe

C:\DOCUMENTS AND SETTINGS\GABRIELA\MY DOCUMENTS\DOWNLOADED STUFF\PROCESSEXPLORER\PROCEXP.EXE

C:\WINDOWS\system32\dllhost.exe

C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

C:\Documents and Settings\Gabriela\Desktop\Defogger.exe

C:\Documents and Settings\Gabriela\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen

uInternet Settings,ProxyOverride = *.local

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe

uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [showLOMControl] 1 (0x1)

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall

mRun: [sSBkgdUpdate] c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe -Embedding -boot

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [WinVNC] "c:\program files\tightvnc\WinVNC.exe" -servicehelper

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [bacstray] c:\program files\broadcom\bacs\BacsTray.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRunOnce: [RunNarrator] Narrator.exe

StartupFolder: c:\docume~1\gabriela\startm~1\programs\startup\dragon~1.lnk - c:\program files\scansoft\naturallyspeaking8\program\natspeak.exe

StartupFolder: c:\docume~1\gabriela\startm~1\programs\startup\foldin~1.lnk - c:\documents and settings\gabriela\application data\microsoft\installer\{87c85d28-0633-453d-8d29-98c3a1043f6c}\_40568C262FE03EB186D64D.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

IE: {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - c:\program files\empirepokermaster\empirepoker\RunEPoker.exe

IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: tesco.com\secure

Trusted Zone: tesco.com\www

DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

IFEO: taskmgr.exe - "c:\documents and settings\gabriela\my documents\downloaded stuff\processexplorer\PROCEXP.EXE"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gabriela\applic~1\mozilla\firefox\profiles\x4f91juh.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Web Search: FLYLADY

FF - prefs.js: browser.startup.homepage - hxxp://www.rememberthemilk.com/home/gabriela.gibson/#section.overview

FF - component: c:\documents and settings\gabriela\application data\mozilla\firefox\profiles\x4f91juh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-5-11 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-5-11 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-5-11 267432]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-5-11 60936]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2009-3-13 65536]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]

=============== Created Last 30 ================

2010-05-11 21:26:00 0 ----a-w- c:\documents and settings\gabriela\defogger_reenable

2010-05-11 10:46:55 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-05-11 10:46:44 0 d-----w- c:\program files\Avira

2010-05-11 10:46:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira

2010-05-11 08:29:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-11 08:29:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-11 08:29:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-11 08:26:10 0 d-----w- c:\documents and settings\all users\Uniblue

2010-04-20 09:33:28 1899 ----a-w- c:\documents and settings\gabriela\.recently-used.xbel

2010-04-18 17:46:06 0 d-----w- c:\program files\TableNinja

2010-04-17 15:22:19 0 d-----w- c:\program files\Freeciv-2.2.0-gtk2

2010-04-16 17:37:19 0 d-----w- c:\docume~1\gabriela\applic~1\Uniblue

==================== Find3M ====================

2010-03-14 17:31:34 253952 ------w- c:\windows\Setup1.exe

2010-03-14 17:31:22 74752 ----a-w- c:\windows\ST6UNST.EXE

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll

2010-02-25 10:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll

2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys

2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-02-17 08:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe

2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe

2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe

2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe

2010-02-12 10:03:03 293376 ------w- c:\windows\system32\browserchoice.exe

2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll

2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys

2006-06-24 09:55:43 56 -csh--r- c:\windows\system32\CE7EC49839.sys

2006-06-14 20:19:55 56 -csh--r- c:\windows\system32\EDFA114173.sys

2006-06-24 09:55:46 6060 -csha-w- c:\windows\system32\KGyGaAvL.sys

2008-10-14 14:35:06 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101420081015\index.dat

============= FINISH: 22:28:38.83 ===============

Link to post
Share on other sites
Maniac

Maniac

Posted
Posted

Hello Hexe! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware, while work on.

Step 1:

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Step 2:

Download RootRepeal Beta on your desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:

    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services

    [*]Click the OK button

    [*]In the next dialog, select all drives showing

    [*]Click OK to start the scan

    Note: The scan can take some time.
    DO NOT
    run any other programs while the scan is running

    [*]When the scan is complete, the Save Report button will become available

    [*]Click this and save the report to your Desktop as RootRepeal.txt

    [*]Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

In your next reply, please include these log(s) in this sequence:

  1. MalwareBytes' Anti-Malware log
  2. RootRepeal log
  3. a new fresh DDS log with Attach.txt

Link to post
Share on other sites
Maniac

Maniac

Posted
Posted

We'll try alternative software:

Please download the following scanning tool. GMER

  • Open the zip file and copy the file
    gmer.exe
    to your Desktop.

  • Double click on
    gmer.exe
    and run it.

  • It may take a minute to load and become available.

  • Do not make any changes. Click on the
    SCAN
    button and DO NOT use the computer while it's scanning.

  • Once the scan is done click on the
    SAVE
    button and browse to your Desktop and save the file as
    GMER.LOG

  • Zip up the
    GMER.LOG
    file and save it as
    gmerlog.zip
    and attach it to your reply post.

  • DO NOT
    directly post this log into a reply. You
    MUST
    attach it as a
    .ZIP
    file.

  • Click OK and quit the GMER program.

Link to post
Share on other sites
HexeFroschbein

HexeFroschbein

Posted
  • Author
Posted

Hi Borislav,

Here are the 3 logs you asked for:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4094

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

05/12/2010 9:54:05 PM

mbam-log-2010-05-12 (21-54-05).txt

Scan type: Quick scan

Objects scanned: 147711

Time elapsed: 18 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-05-13 13:12:38

Windows 5.1.2600 Service Pack 3

Running: gmer.exe; Driver: C:\DOCUME~1\Gabriela\LOCALS~1\Temp\pwdyipog.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \FileSystem\Fastfat \Fat A8D72D20

---- EOF - GMER 1.0.15 ----

-------------------------------------------------------------------------

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 03/21/2006 3:30:47 PM

System Uptime: 05/13/2010 7:00:22 AM (6 hours ago)

Motherboard: Dell Inc. | |

Processor: Genuine Intel® CPU T2300 @ 1.66GHz | Microprocessor | 1664/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 50 GiB total, 3.686 GiB free.

D: is CDROM ()

==== Disabled Device Manager Items =============

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 8.2.2

Apple Software Update

Bonjour

Broadcom Management Programs

CGoban 2

CGoban 3

Conexant HDA D110 MDC V.92 Modem

ContentSAFER for Wizmax

Critical Update for Windows Media Player 11 (KB959772)

Dell Support 5.0.0 (630)

Dell System Restore

Digital Line Detect

Dragon NaturallySpeaking 8

Folding@home-x86

getPlus®_dll

Gnumeric Spreadsheet (With Gtk+ 2.6.10) 1.6.2-rc1

Google Video Player

High Definition Audio Driver Package - KB835221

Holdem Manager

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 10 (KB903157)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976002-v5)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

InfraRecorder

Intel® Graphics Media Accelerator Driver

Intel® PROSet/Wireless Software

Internal Network Card Power Management

Java 6 Update 15

Malwarebytes' Anti-Malware

mCore

MCU

mDriver

mDrWiFi

mHlpDell

Microsoft .NET Framework 1.0 Hotfix (KB953295)

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB953297)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Application Error Reporting

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft IntelliType Pro 6.2

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft National Language Support Downlevel APIs

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Works 7.0

mIWA

mLogView

mMHouse

Modem Helper

Mozilla Firefox (3.6.3)

mPfMgr

mPfWiz

mProSafe

mSSO

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6.0 Parser (KB933579)

mWlsSafe

mWMI

mXML

MySQL Server 5.0

mZConfig

NetWaiting

PokerStars

PokerStove version 1.23

PostgreSQL 8.3

PowerDVD 5.7

QuickSet

QuickTime

RealPlayer

Security Update for Windows Internet Explorer 7 (KB928090)

Security Update for Windows Internet Explorer 7 (KB929969)

Security Update for Windows Internet Explorer 7 (KB931768)

Security Update for Windows Internet Explorer 7 (KB933566)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 7 (KB972260)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB972260)

Security Update for Windows Internet Explorer 8 (KB974455)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB980232)

SitNGo Wizard

SnG Power Tools v1.19b

Sonic Encoders

Synaptics Pointing Device Driver

TableNinja

The GIMP 2.2.11

TightVNC 1.3.9

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 8 (KB973874)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB980182)

Update for Windows Media Player 10 (KB910393)

Update for Windows Media Player 10 (KB913800)

Update for Windows Media Player 10 (KB926251)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Update Rollup 2 for Windows XP Media Center Edition 2005

Vim 6.4 (self-installing)

WebFldrs XP

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Media Format 11 runtime

Windows Media Player 10 Hotfix [see EmeraldQFE2 for more information]

Windows Media Player 11

Windows XP Media Center Edition 2005 KB908246

Windows XP Media Center Edition 2005 KB925766

Windows XP Media Center Edition 2005 KB973768

Windows XP Service Pack 3

WinMerge 2.8.0.0

WinPcap 3.1

WinSCP 3.8.2

WordBiz version 1.8

XEmacs 21.4.19

==== End Of File ===========================

Link to post
Share on other sites
Maniac

Maniac

Posted
Posted

Step 1:

Please, uninstall the following applications:

  1. Adobe Reader 8.2.2

You can read, how to this in:

Step 2:

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

Step 3:

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

In your next reply, please include these log(s) in this sequence:

  1. JavaRa log
  2. ComboFix log

Link to post
Share on other sites
HexeFroschbein

HexeFroschbein

Posted
  • Author
Posted

Hi Borislav,

here are the 2 logs,

greetings,

Hexe

JavaRa 1.15 Removal Log.Report follows after line.------------------------------------The JavaRa removal process was started on Thu May 13 20:39:15 2010

Found and removed: C:\Documents and Settings\Gabriela\Application Data\Sun\Java\jre1.6.0_13Found and removed: C:\Documents and Settings\Gabriela\Application Data\Sun\Java\jre1.6.0_14Found and removed: Software\JavaSoft\Java2D\1.5.0_06Found and removed: Software\JavaSoft\Java2D\1.5.0_09Found and removed: Software\JavaSoft\Java2D\1.5.0_11Found and removed: SOFTWARE\Classes\JavaPlugin.150_06Found and removed: SOFTWARE\Classes\JavaPlugin.150_09Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F841731866D117AB7000B0D410203Found and removed: SOFTWARE\Classes\JavaPlugin.142_03Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\------------------------------------Finished reporting.

ComboFix 10-05-13.01 - Gabriela 05/13/2010 21:01:20.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.476 [GMT 1:00]

Running from: c:\documents and settings\Gabriela\Desktop\Combo-Fix.exe

FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((( Files Created from 2010-04-13 to 2010-05-13 )))))))))))))))))))))))))))))))

.

2010-05-11 08:29 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-11 08:29 . 2010-05-11 08:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-11 08:29 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-11 08:26 . 2010-05-11 08:26 -------- d-----w- c:\documents and settings\All Users\Uniblue

2010-04-28 08:44 . 2010-03-26 09:33 1496064 ----a-w- c:\documents and settings\Gabriela\Application Data\Mozilla\Firefox\Profiles\x4f91juh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

2010-04-28 08:44 . 2010-03-26 09:33 43008 ----a-w- c:\documents and settings\Gabriela\Application Data\Mozilla\Firefox\Profiles\x4f91juh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll

2010-04-28 08:44 . 2010-03-26 09:33 339456 ----a-w- c:\documents and settings\Gabriela\Application Data\Mozilla\Firefox\Profiles\x4f91juh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll

2010-04-28 08:44 . 2010-03-26 09:32 346112 ----a-w- c:\documents and settings\Gabriela\Application Data\Mozilla\Firefox\Profiles\x4f91juh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

2010-04-18 17:46 . 2010-04-18 17:46 45 ----a-w- c:\documents and settings\Gabriela\Local Settings\Application Data\machpro.dat

2010-04-18 17:46 . 2010-04-18 17:46 13406 ----a-r- c:\documents and settings\Gabriela\Application Data\Microsoft\Installer\{79A09C10-E19C-44AB-8514-381B5F6DACBC}\_651C95A4B36E8FF577F8C4.exe

2010-04-18 17:46 . 2010-04-18 17:46 13406 ----a-r- c:\documents and settings\Gabriela\Application Data\Microsoft\Installer\{79A09C10-E19C-44AB-8514-381B5F6DACBC}\_42788EC906EBD6C0F335AD.exe

2010-04-18 17:46 . 2010-05-11 00:05 -------- d-----w- c:\program files\TableNinja

2010-04-17 15:22 . 2010-04-24 14:00 -------- d-----w- c:\program files\Freeciv-2.2.0-gtk2

2010-04-16 17:37 . 2010-05-11 08:25 -------- d-----w- c:\documents and settings\Gabriela\Application Data\Uniblue

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-13 19:31 . 2006-03-21 17:15 -------- d-----w- c:\program files\Common Files\Adobe

2010-05-11 08:16 . 2007-05-21 20:34 -------- d-----w- c:\program files\PartyGaming

2010-05-10 23:08 . 2006-05-25 17:47 -------- d-----w- c:\program files\PokerStars

2010-04-22 13:50 . 2008-10-02 12:01 -------- d-----w- c:\documents and settings\Gabriela\Application Data\.freeciv

2010-04-20 09:35 . 2009-12-22 19:41 -------- d-----w- c:\program files\Gnumeric

2010-04-10 15:52 . 2009-07-31 21:56 -------- d-----w- c:\program files\DivX

2010-04-01 15:35 . 2010-01-12 21:50 -------- d-----w- c:\documents and settings\Gabriela\Application Data\gtk-2.0

2010-03-14 17:31 . 2008-11-30 05:22 253952 ------w- c:\windows\Setup1.exe

2010-03-14 17:31 . 2010-03-14 17:31 74752 ----a-w- c:\windows\ST6UNST.EXE

2010-03-10 06:15 . 2005-08-16 04:18 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:24 . 2005-08-16 04:18 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2006-03-16 20:11 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-16 14:08 . 2005-08-16 04:18 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2006-06-24 09:55 . 2006-04-13 09:38 56 -csh--r- c:\windows\system32\CE7EC49839.sys

2006-06-14 20:19 . 2006-06-14 20:19 56 -csh--r- c:\windows\system32\EDFA114173.sys

2006-06-24 09:55 . 2006-04-13 09:38 6060 -csha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]

"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ShowLOMControl"="1 (0x1)" [X]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-19 98304]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-19 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-19 118784]

"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 397312]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]

"WinVNC"="c:\program files\TightVNC\WinVNC.exe" [2007-05-07 589824]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

"bacstray"="c:\program files\Broadcom\BACS\BacsTray.exe" [2005-07-13 118784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Gabriela\Start Menu\Programs\Startup\

Dragon NaturallySpeaking.lnk - c:\program files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe [2005-4-11 1994752]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-3-16 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\cygwin\\bin\\perl.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\TightVNC\\WinVNC.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [03/13/2009 5:50 AM 65536]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [08/02/2005 10:10 PM 32512]

.

Contents of the 'Scheduled Tasks' folder

2008-04-20 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job

- c:\program files\Microsoft IntelliType Pro\itype.exe [2007-08-31 11:13]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen

uInternet Settings,ProxyOverride = *.local

Trusted Zone: tesco.com\secure

Trusted Zone: tesco.com\www

FF - ProfilePath - c:\documents and settings\Gabriela\Application Data\Mozilla\Firefox\Profiles\x4f91juh.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Web Search: FLYLADY

FF - prefs.js: browser.startup.homepage - hxxp://www.rememberthemilk.com/home/gabriela.gibson/#section.overview

FF - component: c:\documents and settings\Gabriela\Application Data\Mozilla\Firefox\Profiles\x4f91juh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-ISUSPM Startup - c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe

AddRemove-CGoban 2 - c:\windows\system32\javaws.exe

AddRemove-CGoban 3 - c:\windows\system32\javaws.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-13 21:07

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]

"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2710946534-3569665189-4038185510-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2224)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-05-13 21:09:27

ComboFix-quarantined-files.txt 2010-05-13 20:09

Pre-Run: 4,471,263,232 bytes free

Post-Run: 7,919,620,096 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - E56B9822CC24DFAF4BF7764E430C0A1C

Link to post
Share on other sites
Maniac

Maniac

Posted
Posted

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however may need to disable your current installed Anti-Virus, how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Now click on Advanced Settings and select the following:

    • Remove found threats
    • Scan archives
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

[*]Now click on: EOLS3.gif

[*]The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.

[*]When completed the Online Scan will begin automatically.

[*]Do not touch either the Mouse or keyboard during the scan otherwise it may stall.

[*]When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!

[*]Now click on: EOLS4.gif

[*]Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.

[*]Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Link to post
Share on other sites
HexeFroschbein

HexeFroschbein

Posted
  • Author
Posted

Hi Borislav,

ESET found 8 threats which it identified as variants of the Windows Security trojan (I didn't write it down, expecting a log file to be written, but it was something to that effect) and they are still preserved in the qurantine directory. ESET however didn't leave a log.txt file :)

The solicitation balloon is still present after reboot, and so is wscntfy.exe.

Hexe

Link to post
Share on other sites
Maniac

Maniac

Posted
Posted
The solicitation balloon is still present after reboot, and so is wscntfy.exe.

This file is legitimate, don't pay attention on it.

Now:

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Doubleclick the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click on the Complete scan radio button.
  • Then click on the Settings menu on top, the select Change Settings or press the F9 key. You can also change the Language
  • Choose the Scanning tab and I recomend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages Archive = Move, E-mails = Report, Containers = Move
    • Malware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave prompt on Action checked

    [*]On the Log file tab leave the Log to file checked.

    [*]Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log

    [*]Log mode = Append

    [*]Encoding = ANSI

    [*]Details Leave Names of file packers and Statistics checked.

    [*]Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.

    [*]On the General tab leave the Scan Priority on High

    [*]Click the Apply button at the bottom, and then the OK button.

    [*]On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.

    [*]In this mode it will scan Boot sectors of all disks, All removable media, and all local drives

    [*]The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.

    [*]When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.

    [*]Click 'Yes to all' if it asks if you want to cure/move the files.

    [*]This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)

    [*]After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list

    [*]Save the report to your Desktop. The report will be called DrWeb.csv

    [*]Close Dr.Web Cureit.

    [*]Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.

    [*]After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.

    drweb.jpg

Then let me know how are things running now.

Link to post
Share on other sites
HexeFroschbein

HexeFroschbein

Posted
  • Author
Posted

Hi,

The report goes as follows:

winvnc.exe;c:\program files\tightvnc;Program.WinVnc;;

DL.exe;C:\Program Files\Dark Legacy Client;BackDoor.Pahac.origin;Incurable.Moved.;

WinVNC.exe;C:\Program Files\TightVNC;Program.WinVnc;Moved.;

A0120737.ocx;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1002;Adware.Gdown;Moved.;

A0121773.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1005;BackDoor.Pahac.origin;Incurable.Moved.;

A0121774.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1005;Program.WinVnc;Moved.;

The solicitation balloon is still there, I thought this was part of the virus (since it only popped up after the attack, never seen it before), but I'm not so sure now.

thanks,

Hexe

Link to post
Share on other sites
Maniac

Maniac

Posted
Posted

Download avz4.zip from: http://devbuilds.kaspersky-labs.com/devbuilds/AVZ/avz4.zip

  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window: avz-update-button.png
  • Click Start to begin the update

Note: If you recieve an error message, chose a different source, then click Start again

[*]Start AVZ.

[*]Choose from the menu "File" => "Standard scripts " and mark the "Advanced System Analysis with malware removal mode enabled" check box.

avz-standardscripts-asa-removal.png

[*]Click on the

Link to post
Share on other sites
HexeFroschbein

HexeFroschbein

Posted
  • Author
Posted

Hi,

The balloon turns up after reboot and only then.

There are two versions, first one is displayed, then the other. When the taskbar hides, the balloons go away, but the icon stays in the tray.

Clicking on them used to start up the firefox hijack where it tries to look like legit software, but I haven't clicked on it since we started to fix it.

cheers,

Hexe

balloon1.bmp

balloon2.bmp

Link to post
Share on other sites
HexeFroschbein

HexeFroschbein

Posted
  • Author
Posted
It seems that this is the Windows Security Center, which warns you that there is no firewall and antivirus program. Why do you think this is malware?

Because:

1) I've only ever seen this balloon and icon in conjunction with the Window Security Center scam on another machine about two years ago, and now on my machine when it was infected. I've had this laptop for 3 years now without a firewall of it's own (that is taken care of elsewhere) and never had any nag balloon turn up once. Nor has this balloon or it's icon ever turned up again on the other machine after MBAM cleaned it.

2) Clicking on the balloon (by mistake, since it jumps as other icons are loaded and it's easy to miss the closing cross) brought up the 'scam show' in Firefox. I haven't tried clicking it again since, because I assumed that this is an integral part of the scam.

3) All other balloons that nag me (low battery, update programs etc) tend stay up until closed, they don't vanish on their own accord, since they are meant to inform, not to confuse, and for most users, the short notice would cause stress and not be helpful. Since the scam trades on scaring people, I just assumed this to be another trick.

4) One of the virus cleaners removed 3 registry keys associated with the scam, given that a number of other cleaner programs missed them, I didn't trust the removal to be complete since the balloon stayed around afterwards, so I assumed the laptop was still infected.

Update: I've now decided to risk clicking on it, and it seems to be a legit program(I had the entire thing down as a pure scam, including wscntfy.exe), so, I guess the scam turned the settings to on and then piggy-backed on top of that, and of course the sloppy UI design mentioned in point 3 does not help either.

I turned off the settings, and wscntfy.exe has now gone, so has the icon.

Many thanks for your patient help, sorry for the balloon confusion, I'm not paranoid, but I have proof they are out to get me ;-)

Hexe

Link to post
Share on other sites
Maniac

Maniac

Posted
Posted

Please download and install the latest version of Java from:

www.java.com/en

Then:

Please do an online scan with Kaspersky WebScanner

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases

[*]Click on My Computer under Scan.

[*]Once the scan is complete, it will display the results. Click on View Scan Report.

[*]You will see a list of infected items there. Click on Save Report As....

[*]Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

[*]Please post this log in your next reply.

Link to post
Share on other sites
HexeFroschbein

HexeFroschbein

Posted
  • Author
Posted

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Wednesday, May 19, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Wednesday, May 19, 2010 15:03:13

Records in database: 4134826

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

Scan statistics:

Objects scanned: 148680

Threats found: 1

Infected objects found: 1

Suspicious objects found: 0

Scan duration: 03:19:34

File name / Threat / Threats count

C:\Documents and Settings\Gabriela\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7BC20518\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\DBControlPanel.exe Infected: Backdoor.Win32.Poison.awex 1

Selected area has been scanned.

Link to post
Share on other sites
Maniac

Maniac

Posted
Posted

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click and choose Run as Admin

You only need to get one of them to run, not all of them.

  1. rkill.exe
  2. rkill.com
  3. rkill.scr
  4. rkill.pif
  5. WiNlOgOn.exe
  6. uSeRiNiT.exe

Please post the log in your next reply.

Note: The log can be found at the root of your installed hard drive entitled rkill.log

Link to post
Share on other sites
HexeFroschbein

HexeFroschbein

Posted
  • Author
Posted

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Ran as Gabriela on 05/20/2010 at 14:42:48.

Processes terminated by Rkill or while it was running:

C:\Documents and Settings\Gabriela\Desktop\rkill.exe

Rkill completed on 05/20/2010 at 14:42:52.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.