Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Fake Windows Security Center

Post by franosu » April 20th, 2008, 11:38 am

My system has what appears to be a Windows Security Center notice but the site links to paid malware - systemerrorfixer, systemdefender and syscleaner. I can't get rid of it. Please help.

Following is my log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:47 AM, on 4/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\VMware\VMware Tools\vmacthlp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\arc.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\PROGRA~1\YAHOO!\YOP\SSDK02.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATTToolbar\FDServer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [arc] C:\WINDOWS\system32\arc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SpyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" -scan
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.pvplus.com/citrix/wficat.cab
O16 - DPF: {3637C046-4008-11D5-ADF6-0050DA74F67C} (UniPrintCab Control) - http://www.pvplus.com/citrix/UniPrint.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... ase370.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8625134508
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O20 - Winlogon Notify: xfdstjwo - C:\WINDOWS\SYSTEM32\xfdstjwo.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: Microsoft DDE+ server (e0ffa5f0) - Unknown owner - C:\WINDOWS\system32\.e0ffa5f0\e0ffa5f0.exe (file missing)
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe
O23 - Service: VMware Physical Disk Helper Service - VMware, Inc. - C:\Program Files\VMware\VMware Tools\vmacthlp.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 13956 bytes
franosu
Active Member
 
Posts: 11
Joined: April 20th, 2008, 11:32 am
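The log above is read by the helpers line by line, looking at a handful of entry types: O4 autoruns, O20 Winlogon Notify handlers and O23 services. As an added example (editor's code, not a tool from MalwareRemoval.com, Trend Micro or this thread), the Python script below parses HijackThis-style entries and flags the kinds of indicators such a review looks for: a Winlogon Notify DLL with a pseudo-random eight-letter name, a service whose binary is missing or sits in a hidden dot-directory, and an autorun launched from a user-writable temp path. The sample lines are constructed, modelled on the shapes seen in the log above; every rule is a heuristic that a helper would confirm by hand, not a verdict.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example by the editor; not a MalwareRemoval.com or Trend Micro tool.
Each rule is a heuristic that needs human confirmation, never a verdict.
"""
import re
from dataclasses import dataclass

# One HijackThis entry: section tag (O4, O20, O23, R1 ...), " - ", then the body.
HJT_LINE = re.compile(r"^(?P<section>[ORF]\d+) - (?P<body>.*)$")
# First Windows drive path in an entry, ending at a binary-like extension.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|sys)\b', re.I)
# Eight lowercase letters plus dll/exe: pseudo-random filenames (heuristic).
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")
# A directory component that starts with a dot (hidden in many default views).
HIDDEN_DIR = re.compile(r"\\\.[^\\]+\\")
# Autorun locations that any user process can write to.
USER_WRITABLE = re.compile(r"\\(?:Temp|Temporary Internet Files)\\", re.I)

# Constructed sample lines, shaped like HijackThis 2.0 output (not a real log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Owner\Local Settings\Temp\updater.exe
O20 - Winlogon Notify: xfdstjwo - C:\WINDOWS\SYSTEM32\xfdstjwo.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O23 - Service: Microsoft DDE+ server (e0ffa5f0) - Unknown owner - C:\WINDOWS\system32\.e0ffa5f0\e0ffa5f0.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str  # "high" or "review"
    reason: str
    line: str


def file_path(body: str) -> str:
    """File referenced by an entry, or the last ' - ' field when there is no drive path."""
    m = WIN_PATH.search(body)
    if m:
        return m.group(0)
    return body.rsplit(" - ", 1)[-1].split(" (")[0].strip().strip('"')


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_entry(section: str, body: str, line: str) -> list:
    """Apply the per-section heuristics to one parsed entry."""
    path = file_path(body)
    name = basename(path)
    found = []

    def add(severity, reason):
        found.append(Finding(section, severity, reason, line))

    if section == "O20":
        # Winlogon Notify DLLs load into winlogon.exe at logon; always worth a look.
        add("review", "Winlogon Notify handler loaded into winlogon.exe")
        if RANDOM_NAME.match(name):
            add("high", "eight-letter pseudo-random filename")
    elif section == "O23":
        if "(file missing)" in body:
            add("high", "service points to a file that is no longer present")
        if "Unknown owner" in body:
            add("review", "service binary carries no vendor string")
        if HIDDEN_DIR.search(path):
            add("high", "service binary sits in a hidden dot-directory")
    elif section == "O4":
        if USER_WRITABLE.search(path):
            add("high", "autorun from a user-writable temp location")
        if RANDOM_NAME.match(name):
            add("high", "eight-letter pseudo-random filename")
    return found


def triage(log_text: str) -> list:
    """Parse every HijackThis entry in the text and collect findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            findings.extend(check_entry(m.group("section"), m.group("body"), raw.strip()))
    return findings


def high_lines(log_text: str) -> list:
    """Entries with at least one high-severity finding, in log order, without duplicates."""
    seen = []
    for f in triage(log_text):
        if f.severity == "high" and f.line not in seen:
            seen.append(f.line)
    return seen


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run as a script it prints each finding under the entry that triggered it; the two legitimate control lines (the Java updater and the NVIDIA service) produce nothing. The "review" tier exists because a Winlogon Notify entry or an unsigned service is not evidence by itself, only a place a reviewer should look before deciding.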

Re: Fake Windows Security Center

Post by ktreffin » April 20th, 2008, 3:54 pm

Hi franosu, welcome to the forums!

My name is Ken; on these forums I am known as ktreffin. I will be helping you with your current problem. Please note that I am still in training at Malware Removal University; however, I will be working under the direct supervision of one of our Malware Experts. Any recommendations will first be approved before being given to you. Because of this, there may be a short delay in getting our responses to you; however, be assured that we will be working diligently on your problem.

HiJackThis logs do take some time to review and research. I would appreciate it if while you are waiting, you could please do the following for me:

Please make an Uninstall List using HiJackThis.
To access the Uninstall Manager you would do the following:
    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.
    5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in a reply.

As we work together to resolve your problem, please read these instructions carefully. You may wish to print them off or copy them to Notepad.

Lastly, please keep these points in mind:
  • If you have questions, please DON'T hesitate to ask!
  • The instructions I give are specific to your current problem and should not be used on other systems.
  • Please post your replies only to this topic, and please DO NOT start a new thread.
  • Since there may be multiple issues with your system, please continue to follow this thread until I have given you an "All Clean!"

I am reviewing your log now, and will be back with you shortly. Thank you for your patience.

Ken
ktreffin
Retired Graduate
 
Posts: 1864
Joined: February 28th, 2007, 11:12 pm
Location: USA, Florida

Re: Fake Windows Security Center

Post by franosu » April 20th, 2008, 6:32 pm

Ken, here is the list you requested.

Thanks,

Mark

Ad-Aware 2007
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
AI RoboForm (All Users)
AnswerWorks 5.0 English Runtime
Apple Mobile Device Support
Apple Software Update
AT&T Toolbar
AT&T Yahoo! Applications
BitDefender Antivirus 2008
Boot Camp Services
CardRecovery
Citi Virtual Account Numbers
Citrix ICA Web Client
Command & Conquer 3
DeLorme Street Atlas USA 2007
DeLorme Street Atlas USA 2007 Service Pack 3
GdiplusUpgrade
getPlus(R)_ocx
Google Earth
Google Toolbar for Internet Explorer
GoToMyPC
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
HP Image Zone 4.7
HP PSC & OfficeJet 4.7
HP Update
Intel(R) PRO Network Connections Drivers
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 2
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6 Update 1
Macintosh Drivers for Windows XP
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.14)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MyFax SendFax Outlook Plug-In
NVIDIA Drivers
Quicken 2008
QuickTime
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Shop for HP Supplies
SnagIt 8
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
SpyHunter
UniPrint Client 3.0
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Virtual Earth 3D (Beta)
VMware Tools
Windows Driver Package - Apple Inc. (applebt) Bluetooth (06/27/2007 2.0.0.1)
Windows Driver Package - Apple Inc. Apple Bluetooth Enabler (06/27/2007 2.0.0.1)
Windows Driver Package - Apple Inc. Apple Built-in iSight (04/09/2007 1.3.0.0)
Windows Driver Package - Apple Inc. Apple IR Receiver (07/16/2007 2.0.0.1)
Windows Driver Package - Apple Inc. Apple Keyboard (08/30/2007 2.0.1.4)
Windows Driver Package - Apple Inc. Apple Trackpad (08/28/2007 2.0.1.4)
Windows Driver Package - Apple Inc. Apple Trackpad Enabler (08/28/2007 2.0.1.4)
Windows Driver Package - Apple Inc. System (06/21/2007 2.0.0.0)
Windows Driver Package - Atheros (AR5211) Net (04/05/2007 5.3.0.35)
Windows Driver Package - Atheros (AR5416) Net (06/26/2007 6.0.3.94)
Windows Driver Package - Broadcom (BCM43XX) Net (01/08/2007 4.80.75.0)
Windows Driver Package - Marvell (yukonwxp) Net (03/23/2007 10.12.7.3)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
franosu
Active Member
 
Posts: 11
Joined: April 20th, 2008, 11:32 am

Re: Fake Windows Security Center

Post by ktreffin » April 21st, 2008, 9:42 am

Hi Mark,

It does appear that you are infected. Please do the following:

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
Thanks,
Ken
ktreffin
Retired Graduate
 
Posts: 1864
Joined: February 28th, 2007, 11:12 pm
Location: USA, Florida

Re: Fake Windows Security Center

Post by franosu » April 21st, 2008, 10:06 pm

Here is my new log.

Thanks,

Mark Franklin

ComboFix 08-04-20.5 - Owner 2008-04-21 21:00:18.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1484 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Resident AV is active

.
The following files were disabled during the run:
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\index.dat
C:\WINDOWS\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.

2008-04-20 10:49 . 2008-04-20 10:49 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-20 10:49 . 2008-04-20 10:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-20 10:27 . 2008-04-20 10:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-20 09:48 . 2008-04-20 09:48 <DIR> d--hs---- C:\FOUND.003
2008-04-20 09:48 . 2008-03-28 07:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-20 09:48 . 2008-04-20 09:48 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-20 09:48 . 2008-04-21 21:00 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-20 08:39 . 2008-04-21 20:40 121 --a------ C:\WINDOWS\bdagent.INI
2008-04-20 08:28 . 2008-04-20 08:28 <DIR> d-------- C:\Program Files\BitDefender
2008-04-20 08:28 . 2008-04-20 08:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Bitdefender
2008-04-20 08:28 . 2008-04-20 08:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-04-20 08:15 . 2008-04-20 08:15 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-04-19 19:07 . 2008-04-19 19:07 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-19 18:37 . 2008-04-19 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-18 08:24 . 2008-04-18 08:24 755 --a------ C:\WINDOWS\WIN.INI
2008-04-17 16:39 . 2008-04-17 16:39 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-04-17 16:26 . 2008-04-17 16:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2008-04-17 15:58 . 2008-04-17 15:58 <DIR> d--hs---- C:\FOUND.002
2008-04-17 15:49 . 2008-04-17 15:49 3,626 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-17 15:46 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-17 15:46 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-17 15:46 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-17 15:46 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-17 15:46 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-17 15:46 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-17 15:46 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-17 10:40 . 2008-04-17 10:40 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-17 07:14 . 2008-04-17 07:14 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-16 15:19 . 2008-04-16 15:19 248,832 --a------ C:\WINDOWS\system32\xfdstjwo.dll
2008-04-15 15:18 . 2008-04-15 15:18 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\ATTTOOLBAR
2008-04-15 09:18 . 2008-04-15 09:18 <DIR> d--h----- C:\WINDOWS\system32\.e0ffa5f0
2008-04-12 07:14 . 2008-04-12 07:14 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-04-12 07:12 . 2008-04-12 07:12 <DIR> d-------- C:\Program Files\ATTToolbar
2008-04-12 07:12 . 2008-04-12 07:12 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ATTToolbar
2008-04-12 07:12 . 2008-04-12 07:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATTToolbar
2008-04-07 07:01 . 2008-04-07 07:01 96,577 --a------ C:\WINDOWS\hpqins16.dat
2008-03-28 06:59 . 2008-03-28 06:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-03-28 06:53 . 2008-03-28 06:53 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-28 06:53 . 2008-03-28 06:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-25 08:41 . 2008-03-25 08:41 <DIR> d-------- C:\Program Files\Virtual Earth 3D

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-13 23:09 724,984 ----a-w C:\Documents and Settings\Owner\gotomypc_437.exe
2008-03-12 12:54 --------- d-----w C:\Program Files\Citi Virtual Account Numbers
2008-02-28 13:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\VMware
2008-02-28 13:21 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-02-27 00:02 --------- d-----w C:\Program Files\VMware
2008-02-27 00:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2007-07-02 15:42 3,820,104 ----a-w C:\Documents and Settings\Owner\gosetup.exe
2007-05-22 01:41 19,968 ----a-w C:\Program Files\Doc1.doc
2007-02-11 15:00 722,176 ----a-w C:\Documents and Settings\Owner\gotomypc_428.exe
2006-09-19 15:32 563,712 ----a-w C:\Documents and Settings\Owner\gotomypc_370.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29}]
2008-03-27 10:33 1866568 --a------ C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29}"= "C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL" [2008-03-27 10:33 1866568]

[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-94be-fd60bb9aae29}]
[HKEY_CLASSES_ROOT\ATTToolbar.ATTTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29}"= C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL [2008-03-27 10:33 1866568]

[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-94be-fd60bb9aae29}]
[HKEY_CLASSES_ROOT\ATTToolbar.ATTTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-29 15:03 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-04-12 07:02 160592]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"arc"="C:\WINDOWS\system32\arc.exe" [2006-09-12 14:58 94208]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-08 20:58 8429568]
"nwiz"="nwiz.exe" [2007-10-08 20:58 1626112 C:\WINDOWS\system32\nwiz.exe]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [2007-10-08 22:06 419120]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [2007-01-12 17:45 249904]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-08 20:58 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-08 20:59 16384512 C:\WINDOWS\RTHDCPL.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"VMware Tools"="C:\Program Files\VMware\VMware Tools\VMwareTray.exe" [2008-01-16 22:03 117296]
"VMware User Process"="C:\Program Files\VMware\VMware Tools\VMwareUser.exe" [2008-01-16 22:03 375344]
"CitiVAN"="C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" [2004-08-12 14:51 192512]
"YOP"="C:\PROGRA~1\YAHOO!\YOP\yop.exe" [2007-10-26 15:42 509224]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-01-23 14:47 847872]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 15:46 61440]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-02-16 17:45 360448]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2008-01-24 09:22 2476408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-04-12 07:02 160592]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52 53248]
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2007-05-01 11:11:48 6395464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 2007-01-12 17:45 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xfdstjwo]
xfdstjwo.dll 2008-04-16 15:19 248832 C:\WINDOWS\system32\xfdstjwo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\e0ffa5f0]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 vmscsi;vmscsi;C:\WINDOWS\system32\DRIVERS\vmscsi.sys [2008-01-16 22:03]
R2 AppleOSSMgr;Apple OS Switch Manager;C:\WINDOWS\system32\AppleOSSMgr.exe [2007-10-08 22:04]
R2 AppleTimeSrv;Apple Time Service;C:\WINDOWS\system32\AppleTimeSrv.exe [2007-10-08 22:05]
R2 hgfs;hgfs;C:\WINDOWS\system32\DRIVERS\hgfs.sys [2008-01-16 22:03]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2007-10-08 20:56]
R2 MacHALDriver;Mac HAL;C:\WINDOWS\system32\drivers\MacHALDriver.sys [2007-10-08 20:56]
R2 VMMEMCTL;VMware server memory controller;C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys [2008-01-16 22:03]
R2 VMware Physical Disk Helper Service;VMware Physical Disk Helper Service;"C:\Program Files\VMware\VMware Tools\vmacthlp.exe" [2008-01-16 22:03]
R3 keymagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2007-10-08 20:56]
S1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 13:57]
S2 e0ffa5f0;Microsoft DDE+ server;C:\WINDOWS\system32\.e0ffa5f0\e0ffa5f0.exe []
S2 VMTools;VMware Tools Service;"C:\Program Files\VMware\VMware Tools\VMwareService.exe" [2008-01-16 22:03]
S3 StartupDiskDriver;StartupDiskDriver;C:\WINDOWS\system32\DRIVERS\StartupDiskDriver.sys [2006-09-01 13:51]
S3 vmmouse;VMware Pointing Device;C:\WINDOWS\system32\DRIVERS\vmmouse.sys [2008-01-16 22:03]
S3 vmx_svga;vmx_svga;C:\WINDOWS\system32\DRIVERS\vmx_svga.sys [2008-01-16 22:03]
S3 vmxnet;VMware Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\vmxnet.sys [2008-01-16 22:03]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9eeaa84-e4cd-11dc-8512-806d6172696f}]
\Shell\AutoRun\command - D:\autorun.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 14:16:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Ad-Watch Real-Time Scanner]
"ImagePath"="\??\C:\WINDOWS\system32\drivers\AWRTPD.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\xfdstjwo.dll
-> C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll
.
Completion time: 2008-04-21 21:02:32
ComboFix-quarantined-files.txt 2008-04-22 02:02:32

Pre-Run: 13,985,726,464 bytes free
Post-Run: 15,845,425,152 bytes free

183 --- E O F --- 2008-04-12 08:03:16
franosu
Active Member
 
Posts: 11
Joined: April 20th, 2008, 11:32 am

Re: Fake Windows Security Center

Unread postby franosu » April 22nd, 2008, 8:02 am

Sorry,

When I ran the previous log, I had not completely turned off the spyware - this is the most recent log.

Thanks,

Mark Franklin

ComboFix 08-04-20.5 - Owner 2008-04-22 6:58:04.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1512 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.

2008-04-20 10:49 . 2008-04-20 10:49 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-20 10:49 . 2008-04-20 10:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-20 10:27 . 2008-04-20 10:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-20 09:48 . 2008-04-20 09:48 <DIR> d--hs---- C:\FOUND.003
2008-04-20 09:48 . 2008-03-28 07:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-20 09:48 . 2008-04-20 09:48 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-20 09:48 . 2008-04-21 21:09 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-20 08:39 . 2008-04-21 21:14 121 --a------ C:\WINDOWS\bdagent.INI
2008-04-20 08:28 . 2008-04-20 08:28 <DIR> d-------- C:\Program Files\BitDefender
2008-04-20 08:28 . 2008-04-20 08:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Bitdefender
2008-04-20 08:28 . 2008-04-20 08:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-04-20 08:15 . 2008-04-20 08:15 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-04-19 19:07 . 2008-04-19 19:07 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-19 18:37 . 2008-04-19 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-18 08:24 . 2008-04-18 08:24 755 --a------ C:\WINDOWS\WIN.INI
2008-04-17 16:39 . 2008-04-17 16:39 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-04-17 16:26 . 2008-04-17 16:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2008-04-17 15:58 . 2008-04-17 15:58 <DIR> d--hs---- C:\FOUND.002
2008-04-17 15:49 . 2008-04-17 15:49 3,626 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-17 15:46 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-17 15:46 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-17 15:46 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-17 15:46 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-17 15:46 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-17 15:46 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-17 15:46 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-17 10:40 . 2008-04-17 10:40 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-17 07:14 . 2008-04-17 07:14 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-16 15:19 . 2008-04-16 15:19 248,832 --a------ C:\WINDOWS\system32\xfdstjwo.dll
2008-04-15 15:18 . 2008-04-15 15:18 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\ATTTOOLBAR
2008-04-15 09:18 . 2008-04-15 09:18 <DIR> d--h----- C:\WINDOWS\system32\.e0ffa5f0
2008-04-12 07:14 . 2008-04-12 07:14 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-04-12 07:12 . 2008-04-12 07:12 <DIR> d-------- C:\Program Files\ATTToolbar
2008-04-12 07:12 . 2008-04-12 07:12 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ATTToolbar
2008-04-12 07:12 . 2008-04-12 07:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATTToolbar
2008-04-07 07:01 . 2008-04-07 07:01 96,577 --a------ C:\WINDOWS\hpqins16.dat
2008-03-28 06:59 . 2008-03-28 06:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-03-28 06:53 . 2008-03-28 06:53 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-28 06:53 . 2008-03-28 06:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-25 08:41 . 2008-03-25 08:41 <DIR> d-------- C:\Program Files\Virtual Earth 3D

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 11:36 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-13 23:09 724,984 ----a-w C:\Documents and Settings\Owner\gotomypc_437.exe
2008-03-12 12:54 --------- d-----w C:\Program Files\Citi Virtual Account Numbers
2008-03-01 23:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-28 13:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\VMware
2008-02-28 13:21 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-02-27 00:02 --------- d-----w C:\Program Files\VMware
2008-02-27 00:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-07-02 15:42 3,820,104 ----a-w C:\Documents and Settings\Owner\gosetup.exe
2007-05-22 01:41 19,968 ----a-w C:\Program Files\Doc1.doc
2007-02-11 15:00 722,176 ----a-w C:\Documents and Settings\Owner\gotomypc_428.exe
2006-09-19 15:32 563,712 ----a-w C:\Documents and Settings\Owner\gotomypc_370.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29}]
2008-03-27 10:33 1866568 --a------ C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29}"= "C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL" [2008-03-27 10:33 1866568]

[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-94be-fd60bb9aae29}]
[HKEY_CLASSES_ROOT\ATTToolbar.ATTTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29}"= C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL [2008-03-27 10:33 1866568]

[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-94be-fd60bb9aae29}]
[HKEY_CLASSES_ROOT\ATTToolbar.ATTTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-29 15:03 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-04-12 07:02 160592]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"arc"="C:\WINDOWS\system32\arc.exe" [2006-09-12 14:58 94208]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-08 20:58 8429568]
"nwiz"="nwiz.exe" [2007-10-08 20:58 1626112 C:\WINDOWS\system32\nwiz.exe]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [2007-10-08 22:06 419120]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [2007-01-12 17:45 249904]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-08 20:58 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-08 20:59 16384512 C:\WINDOWS\RTHDCPL.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"VMware Tools"="C:\Program Files\VMware\VMware Tools\VMwareTray.exe" [2008-01-16 22:03 117296]
"VMware User Process"="C:\Program Files\VMware\VMware Tools\VMwareUser.exe" [2008-01-16 22:03 375344]
"CitiVAN"="C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" [2004-08-12 14:51 192512]
"YOP"="C:\PROGRA~1\YAHOO!\YOP\yop.exe" [2007-10-26 15:42 509224]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-01-23 14:47 847872]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 15:46 61440]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-02-16 17:45 360448]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2008-01-24 09:22 2476408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-04-12 07:02 160592]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52 53248]
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2007-05-01 11:11:48 6395464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 2007-01-12 17:45 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xfdstjwo]
xfdstjwo.dll 2008-04-16 15:19 248832 C:\WINDOWS\system32\xfdstjwo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\e0ffa5f0]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 vmscsi;vmscsi;C:\WINDOWS\system32\DRIVERS\vmscsi.sys [2008-01-16 22:03]
R2 AppleOSSMgr;Apple OS Switch Manager;C:\WINDOWS\system32\AppleOSSMgr.exe [2007-10-08 22:04]
R2 AppleTimeSrv;Apple Time Service;C:\WINDOWS\system32\AppleTimeSrv.exe [2007-10-08 22:05]
R2 hgfs;hgfs;C:\WINDOWS\system32\DRIVERS\hgfs.sys [2008-01-16 22:03]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2007-10-08 20:56]
R2 MacHALDriver;Mac HAL;C:\WINDOWS\system32\drivers\MacHALDriver.sys [2007-10-08 20:56]
R2 VMMEMCTL;VMware server memory controller;C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys [2008-01-16 22:03]
R2 VMware Physical Disk Helper Service;VMware Physical Disk Helper Service;"C:\Program Files\VMware\VMware Tools\vmacthlp.exe" [2008-01-16 22:03]
R3 keymagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2007-10-08 20:56]
S1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 13:57]
S2 e0ffa5f0;Microsoft DDE+ server;C:\WINDOWS\system32\.e0ffa5f0\e0ffa5f0.exe []
S2 VMTools;VMware Tools Service;"C:\Program Files\VMware\VMware Tools\VMwareService.exe" [2008-01-16 22:03]
S3 StartupDiskDriver;StartupDiskDriver;C:\WINDOWS\system32\DRIVERS\StartupDiskDriver.sys [2006-09-01 13:51]
S3 vmmouse;VMware Pointing Device;C:\WINDOWS\system32\DRIVERS\vmmouse.sys [2008-01-16 22:03]
S3 vmx_svga;vmx_svga;C:\WINDOWS\system32\DRIVERS\vmx_svga.sys [2008-01-16 22:03]
S3 vmxnet;VMware Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\vmxnet.sys [2008-01-16 22:03]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9eeaa84-e4cd-11dc-8512-806d6172696f}]
\Shell\AutoRun\command - D:\autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 14:16:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 06:58:35
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Ad-Watch Real-Time Scanner]
"ImagePath"="\??\C:\WINDOWS\system32\drivers\AWRTPD.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\xfdstjwo.dll
.
Completion time: 2008-04-22 6:58:47
ComboFix-quarantined-files.txt 2008-04-22 11:58:46
ComboFix2.txt 2008-04-22 02:02:36

Pre-Run: 15,760,572,416 bytes free
Post-Run: 15,759,294,464 bytes free

188 --- E O F --- 2008-04-12 08:03:16

Re: Fake Windows Security Center

Unread postby ktreffin » April 23rd, 2008, 7:06 pm

Hi Mark,

I have a question for you. Are you familiar with Microsoft DDE+ server? There is a line in your log with that name. This may be legitimate; however, there is a possibility that it could be malware. If you are familiar with it, that's fine; if not, we will remove it. I would like you to upload that file and one other so we can get them checked out to make sure they are clean.

Please do the following:

Step #1: Upload malware for scanning

I'd like you to check a file/some files for malware.
C:\WINDOWS\system32\bdod.bin
C:\WINDOWS\system32\.e0ffa5f0\e0ffa5f0.exe

  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Save the complete results in a Notepad/Word document on your desktop.
  • Repeat for all files on the list.

*===============================================*

Step #2: Run CFScript

Close any open browsers and close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open Notepad and copy/paste the text in the box into the window:

File::
C:\WINDOWS\system32\xfdstjwo.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xfdstjwo]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

*===============================================*

Step #3 Download and run Flash_Disinfector

Download Flash_Disinfector from here and save it to your desktop.
Double-click on Flash_Disinfector.exe to run it and follow the prompts.
Wait until it has finished scanning and then exit the program.
The utility may ask you to insert your flash drive and/or other removable drives. This may include your mobile phone.
Please do so and allow the utility to clean up those drives as well.

*===============================================*

STEP #4 Remove programs using Add / Remove Programs

Please remove the following programs from your computer by completing the following steps:
  • Please click Start > Control Panel > Add / Remove Programs
  • Please remove the following programs:
      SpyHunter
  • Do not panic if some programs listed are not present.
  • Once you have completed removing the above programs, you may exit the Control Panel

*===============================================*

STEP #5 Things to put in your next reply

Please post the following in your next reply:
  • Results of the Jotti / Virus Total scans
  • Log produced by Combofix after the CFScript
  • A New Hijack This log

Thanks,
Ken
ktreffin
Retired Graduate
 
Posts: 1864
Joined: February 28th, 2007, 11:12 pm
Location: USA, Florida
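The reply above works from the "Reg Loading Points" section of the ComboFix log: the winlogon notify entry for a randomly named system32 DLL (xfdstjwo.dll) is what the CFScript removes, and the "Microsoft DDE+ server" service is the one Ken asks about, because its binary sits in a hidden dot-named directory under system32 and ComboFix printed an empty `[]` where the file's date and size would normally go. The same log also shows AppInit_DLLs set to sockspy.dll, a Safe Mode entry for the same e0ffa5f0 name, Security Center monitoring disabled, the Windows Firewall switched off, and an AutoRun command bound to D:\. The Python script below is an added example for this page, not ComboFix code or part of the forum's procedure: it walks a constructed sample built from lines of the log above (plus one benign VMware service line as a control) and flags each of those indicator classes. The allowlist of Windows XP notify DLLs and the high/review severity split are the example's own assumptions, not anything the thread states.

```python
"""Triage of a ComboFix "Reg Loading Points" dump for the autostart indicators in
this thread. Added example for this page; it is not ComboFix or forum code."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log above plus one benign VMware service.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 2007-01-12 17:45 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xfdstjwo]
xfdstjwo.dll 2008-04-16 15:19 248832 C:\WINDOWS\system32\xfdstjwo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\e0ffa5f0]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

S2 e0ffa5f0;Microsoft DDE+ server;C:\WINDOWS\system32\.e0ffa5f0\e0ffa5f0.exe []
S2 VMTools;VMware Tools Service;"C:\Program Files\VMware\VMware Tools\VMwareService.exe" [2008-01-16 22:03]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9eeaa84-e4cd-11dc-8512-806d6172696f}]
\Shell\AutoRun\command - D:\autorun.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high": act on it; "review": confirm with the user first
    indicator: str  # which class of indicator fired
    evidence: str   # the log line that fired it


# Assumed allowlist of winlogon notify DLLs that ship with Windows XP. ComboFix
# hides default entries anyway, so any other system32 DLL here is suspect.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll",
                     "wgalogon.dll", "schedsvc.dll", "termsrv.dll", "cryptnet.dll"}

KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]*)\]$", re.I)
SERVICE_RE = re.compile(  # "S2 name;display;path [date time size]"
    r"^[RS][0-4] (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<details>[^\]]*)\]$")
DLL_PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.dll", re.I)
HIDDEN_DIR_RE = re.compile(r"\\\.[^\\]+\\")  # a path component that starts with "."


def triage(log_text: str) -> list:
    """Walk the dump line by line, remembering which registry key is in force."""
    findings = []
    key = ""  # lower-cased key currently being read
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            if "\\safeboot\\minimal\\" in key:
                findings.append(Finding("review", "entry registered to start in Safe Mode", line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            reasons = []
            if not m.group("details").strip():  # ComboFix could not stat the binary
                reasons.append("no file details (binary missing or unreadable)")
            if HIDDEN_DIR_RE.search(m.group("path")):
                reasons.append("binary in a hidden dot-named directory")
            if reasons:
                findings.append(Finding("high", "service: " + "; ".join(reasons), line))
            continue
        low = line.lower()
        if "\\winlogon\\notify\\" in key:
            paths = DLL_PATH_RE.findall(line)  # the last path on the line is the full one
            path = (paths[-1] if paths else line).lower()
            if "\\system32\\" in path and path.rsplit("\\", 1)[-1] not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding("high", "unrecognised winlogon notify DLL in system32", line))
            else:
                findings.append(Finding("review", "third-party winlogon notify DLL", line))
        elif key.endswith("\\currentversion\\windows") and low.startswith('"appinit_dlls"=') \
                and line.split("=", 1)[1].strip().strip('"'):
            findings.append(Finding("high", "AppInit_DLLs loads a DLL into every process using user32", line))
        elif "\\security center\\monitoring" in key and low.startswith('"disablemonitoring"=dword:00000001'):
            findings.append(Finding("high", "Security Center alerts disabled", line))
        elif key.endswith("\\firewallpolicy\\standardprofile") and re.match(r'"enablefirewall"=\s*0\b', low):
            findings.append(Finding("high", "Windows Firewall disabled", line))
        elif "\\mountpoints2\\" in key and "\\shell\\autorun\\command" in low:
            findings.append(Finding("high", "AutoRun command bound to a mounted volume", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.indicator}\n         {f.evidence}")
```

Run against the sample, the GoToMyPC notify DLL comes back as "review" (a third-party product under Program Files, which the user can confirm) while xfdstjwo.dll comes back "high", which is the same distinction the CFScript above draws. Anything a real log shows that this script does not flag still needs eyes on it; the point is to make the entries that need a question or a removal stand out first.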

Re: Fake Windows Security Center

Unread postby franosu » April 24th, 2008, 12:08 pm

I am not familiar with CFScript - could not find data on my search engine. Please tell me how to run it.

Thanks,

Mark Franklin

Re: Fake Windows Security Center

Unread postby ktreffin » April 24th, 2008, 12:35 pm

Hi Mark,

CFScript is not a tool. It is simply something that we create. Look at Step 2 again. Copy and paste the contents of the "code" box into Notepad, and then save it as "CFScript.txt".

Then, as the image shows, drag the CFScript.txt file into the red ComboFix icon.

Image

This will automatically run for you, and it will then produce a log.

Sorry about not being clear. Let me know if you have any other questions or problems.

Ken

New logs

Unread postby franosu » April 25th, 2008, 9:40 am

I think the instructions that you gave me solved the problem. Please let me know if the trojan is still there.

Thanks,

Mark Franklin

Antivirus Version Last Update Result
AhnLab-V3 2008.4.24.0 2008.04.24 -
AntiVir 7.8.0.8 2008.04.24 -
Authentium 4.93.8 2008.04.24 -
Avast 4.8.1169.0 2008.04.24 -
AVG 7.5.0.516 2008.04.24 -
BitDefender 7.2 2008.04.24 -
CAT-QuickHeal 9.50 2008.04.24 -
ClamAV 0.92.1 2008.04.24 -
DrWeb 4.44.0.09170 2008.04.24 -
eSafe 7.0.15.0 2008.04.21 -
eTrust-Vet 31.3.5731 2008.04.24 -
Ewido 4.0 2008.04.24 -
F-Prot 4.4.2.54 2008.04.23 -
F-Secure 6.70.13260.0 2008.04.24 -
FileAdvisor 1 2008.04.24 -
Fortinet 3.14.0.0 2008.04.23 -
Ikarus T3.1.1.26 2008.04.24 -
Kaspersky 7.0.0.125 2008.04.24 -
McAfee 5280 2008.04.24 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3052 2008.04.24 -
Norman 5.80.02 2008.04.24 -
Panda 9.0.0.4 2008.04.24 -
Prevx1 V2 2008.04.24 -
Rising 20.41.32.00 2008.04.24 -
Sophos 4.28.0 2008.04.24 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.24 -
TheHacker 6.2.92.290 2008.04.24 -
VBA32 3.12.6.5 2008.04.24 -
VirusBuster 4.3.26:9 2008.04.24 -
Webwasher-Gateway 6.6.2 2008.04.24 -
Additional information
File size: 81984 bytes
MD5...: a952e3b6f8f2cf6d483df54e0b5b4bc4
SHA1..: b773fb1d4bf5859db99ea09d18c38ac8767e00f1
SHA256: b7c5979915a25f003d64da2c89e10a78a1c672b78f06f48ad14141e962a384d5
SHA512: fda848fa7468151b1bc1bd137ea9e6613c8e96d6222aa154a2b4c1b89d7d013b4da6b325902d84a3608b81d5a82655d38ecb5ea55b4b6d5d19406cf98f58cf6b
PEiD..: -
PEInfo: -


The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

ComboFix 08-04-20.5 - Owner 2008-04-25 7:49:16.4 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1544 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\cfscript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\xfdstjwo.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\xfdstjwo.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2008-04-20 10:49 . 2008-04-20 10:49 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-20 10:49 . 2008-04-20 10:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-20 10:27 . 2008-04-20 10:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-20 09:48 . 2008-04-20 09:48 <DIR> d--hs---- C:\FOUND.003
2008-04-20 09:48 . 2008-03-28 07:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-20 09:48 . 2008-04-20 09:48 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-20 09:48 . 2008-04-24 10:42 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-20 08:39 . 2008-04-25 07:50 121 --a------ C:\WINDOWS\bdagent.INI
2008-04-20 08:28 . 2008-04-20 08:28 <DIR> d-------- C:\Program Files\BitDefender
2008-04-20 08:28 . 2008-04-20 08:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Bitdefender
2008-04-20 08:28 . 2008-04-20 08:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-04-20 08:15 . 2008-04-20 08:15 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-04-19 19:07 . 2008-04-19 19:07 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-19 18:37 . 2008-04-19 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-18 08:24 . 2008-04-18 08:24 755 --a------ C:\WINDOWS\WIN.INI
2008-04-17 16:39 . 2008-04-17 16:39 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-04-17 16:26 . 2008-04-17 16:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2008-04-17 15:58 . 2008-04-17 15:58 <DIR> d--hs---- C:\FOUND.002
2008-04-17 15:49 . 2008-04-17 15:49 3,626 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-17 15:46 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-17 15:46 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-17 15:46 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-17 15:46 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-17 15:46 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-17 15:46 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-17 15:46 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-17 10:40 . 2008-04-17 10:40 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-17 07:14 . 2008-04-17 07:14 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-15 15:18 . 2008-04-15 15:18 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\ATTTOOLBAR
2008-04-15 09:18 . 2008-04-15 09:18 <DIR> d--h----- C:\WINDOWS\system32\.e0ffa5f0
2008-04-12 07:14 . 2008-04-12 07:14 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-04-12 07:12 . 2008-04-12 07:12 <DIR> d-------- C:\Program Files\ATTToolbar
2008-04-12 07:12 . 2008-04-12 07:12 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ATTToolbar
2008-04-12 07:12 . 2008-04-12 07:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATTToolbar
2008-04-07 07:01 . 2008-04-07 07:01 96,577 --a------ C:\WINDOWS\hpqins16.dat
2008-03-28 06:59 . 2008-03-28 06:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-03-28 06:53 . 2008-03-28 06:53 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-28 06:53 . 2008-03-28 06:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-25 08:41 . 2008-03-25 08:41 <DIR> d-------- C:\Program Files\Virtual Earth 3D

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 11:36 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-13 23:09 724,984 ----a-w C:\Documents and Settings\Owner\gotomypc_437.exe
2008-03-12 12:54 --------- d-----w C:\Program Files\Citi Virtual Account Numbers
2008-03-01 23:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-28 13:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\VMware
2008-02-28 13:21 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-02-27 00:02 --------- d-----w C:\Program Files\VMware
2008-02-27 00:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-07-02 15:42 3,820,104 ----a-w C:\Documents and Settings\Owner\gosetup.exe
2007-05-22 01:41 19,968 ----a-w C:\Program Files\Doc1.doc
2007-02-11 15:00 722,176 ----a-w C:\Documents and Settings\Owner\gotomypc_428.exe
2006-09-19 15:32 563,712 ----a-w C:\Documents and Settings\Owner\gotomypc_370.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29}]
2008-03-27 10:33 1866568 --a------ C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29}"= "C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL" [2008-03-27 10:33 1866568]

[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-94be-fd60bb9aae29}]
[HKEY_CLASSES_ROOT\ATTToolbar.ATTTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29}"= C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL [2008-03-27 10:33 1866568]

[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-94be-fd60bb9aae29}]
[HKEY_CLASSES_ROOT\ATTToolbar.ATTTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-29 15:03 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-04-12 07:02 160592]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"arc"="C:\WINDOWS\system32\arc.exe" [2006-09-12 14:58 94208]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-08 20:58 8429568]
"nwiz"="nwiz.exe" [2007-10-08 20:58 1626112 C:\WINDOWS\system32\nwiz.exe]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [2007-10-08 22:06 419120]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [2007-01-12 17:45 249904]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-08 20:58 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-08 20:59 16384512 C:\WINDOWS\RTHDCPL.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"VMware Tools"="C:\Program Files\VMware\VMware Tools\VMwareTray.exe" [2008-01-16 22:03 117296]
"VMware User Process"="C:\Program Files\VMware\VMware Tools\VMwareUser.exe" [2008-01-16 22:03 375344]
"CitiVAN"="C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" [2004-08-12 14:51 192512]
"YOP"="C:\PROGRA~1\YAHOO!\YOP\yop.exe" [2007-10-26 15:42 509224]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 15:46 61440]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-02-16 17:45 360448]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2008-01-24 09:22 2476408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-04-12 07:02 160592]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52 53248]
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2007-05-01 11:11:48 6395464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 2007-01-12 17:45 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xfdstjwo]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\e0ffa5f0]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 vmscsi;vmscsi;C:\WINDOWS\system32\DRIVERS\vmscsi.sys [2008-01-16 22:03]
R2 AppleOSSMgr;Apple OS Switch Manager;C:\WINDOWS\system32\AppleOSSMgr.exe [2007-10-08 22:04]
R2 AppleTimeSrv;Apple Time Service;C:\WINDOWS\system32\AppleTimeSrv.exe [2007-10-08 22:05]
R2 hgfs;hgfs;C:\WINDOWS\system32\DRIVERS\hgfs.sys [2008-01-16 22:03]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2007-10-08 20:56]
R2 MacHALDriver;Mac HAL;C:\WINDOWS\system32\drivers\MacHALDriver.sys [2007-10-08 20:56]
R2 VMMEMCTL;VMware server memory controller;C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys [2008-01-16 22:03]
R2 VMware Physical Disk Helper Service;VMware Physical Disk Helper Service;"C:\Program Files\VMware\VMware Tools\vmacthlp.exe" [2008-01-16 22:03]
R3 keymagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2007-10-08 20:56]
S1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 13:57]
S2 e0ffa5f0;Microsoft DDE+ server;C:\WINDOWS\system32\.e0ffa5f0\e0ffa5f0.exe []
S2 VMTools;VMware Tools Service;"C:\Program Files\VMware\VMware Tools\VMwareService.exe" [2008-01-16 22:03]
S3 StartupDiskDriver;StartupDiskDriver;C:\WINDOWS\system32\DRIVERS\StartupDiskDriver.sys [2006-09-01 13:51]
S3 vmmouse;VMware Pointing Device;C:\WINDOWS\system32\DRIVERS\vmmouse.sys [2008-01-16 22:03]
S3 vmx_svga;vmx_svga;C:\WINDOWS\system32\DRIVERS\vmx_svga.sys [2008-01-16 22:03]
S3 vmxnet;VMware Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\vmxnet.sys [2008-01-16 22:03]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

*Newly Created Service* - AD-WATCH_REAL-TIME_SCANNER
*Newly Created Service* - AD-WATCH_REGISTRY_FILTER
.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 14:16:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 08:31:13
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 2007\AAWSERVICE.EXE
C:\PROGRAM FILES\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\WINDOWS\SYSTEM32\HPZIPM12.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2COMM.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2PRE.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\PROGRAM FILES\YAHOO!\YOP\YOP.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2TRAY.EXE
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\PROGRAM FILES\TECHSMITH\SNAGIT 8\TSCHELP.EXE
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\PROGRAM FILES\TECHSMITH\SNAGIT 8\SNAGPRIV.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQGALRY.EXE
C:\PROGRAM FILES\YAHOO!\YOP\SSDK02.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-25 8:33:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-25 13:33:02
ComboFix4.txt 2008-04-22 02:02:36
ComboFix3.txt 2008-04-22 11:58:50
ComboFix2.txt 2008-04-24 15:53:44

Pre-Run: 15,620,096,000 bytes free
Post-Run: 15,618,048,000 bytes free

211 --- E O F --- 2008-04-12 08:03:16
franosu
Active Member
 
Posts: 11
Joined: April 20th, 2008, 11:32 am
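
The log above is the kind of thing a helper reads by eye for a handful of tell-tale entries: a Winlogon notify subkey with no DLL behind it (xfdstjwo), a non-empty AppInit_DLLs value (sockspy.dll), Security Center monitoring switched off, and a service (e0ffa5f0) whose image lives in a hidden dot-directory under system32 and for which ComboFix shows no file details (the empty []), together with a SafeBoot\Minimal entry of the same name so it can start in Safe Mode as well. As an added example, not part of the post and not ComboFix's own code, the following Python script encodes those checks over an excerpt of that log; the rule names and the triage() function are my own naming.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example: this is not part of the original post and not ComboFix's
own code. It encodes the indicators a helper looks for by eye in the log
above; SAMPLE_LOG is an excerpt of that log, not a complete one.
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 2007-01-12 17:45 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xfdstjwo]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\e0ffa5f0]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2007-10-08 20:56]
S2 e0ffa5f0;Microsoft DDE+ server;C:\WINDOWS\system32\.e0ffa5f0\e0ffa5f0.exe []
S2 VMTools;VMware Tools Service;"C:\Program Files\VMware\VMware Tools\VMwareService.exe" [2008-01-16 22:03]
"""

KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
# "<start> <name>;<display name>;<image path> [<file date, or empty>]"
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(.*)\]$")
HIDDEN_DIR_RE = re.compile(r"\\\.[^\\]+\\")  # a '\.name\' path component


def blocks(text):
    """Yield each blank-line-separated block of the log as a list of lines."""
    cur = []
    for line in text.splitlines():
        if line.strip():
            cur.append(line.rstrip())
        elif cur:
            yield cur
            cur = []
    if cur:
        yield cur


def triage(log_text):
    """Return a list of (rule, detail) findings for the suspicious entries."""
    findings, safeboot, flagged_services = [], set(), set()
    for blk in blocks(log_text):
        key_match = KEY_RE.match(blk[0])
        if key_match:
            key, values = key_match.group(1), blk[1:]
            low = key.lower()
            name = low.rsplit("\\", 1)[-1]
            if "\\winlogon\\notify\\" in low and not values:
                # Notification package with no DLL shown: ComboFix could not
                # resolve the handler, which is how a stub left by malware looks.
                findings.append(("winlogon-notify-no-dll", key))
            elif "\\safeboot\\minimal\\" in low:
                safeboot.add(name)
            elif low.endswith("\\currentversion\\windows"):
                for v in values:
                    if v.startswith('"AppInit_DLLs"='):
                        dlls = v.split("=", 1)[1].strip().strip('"')
                        if dlls:
                            # AppInit_DLLs is loaded into every process that
                            # maps user32.dll, so a value here is always worth a look.
                            findings.append(("appinit-dlls-set", dlls))
            elif "\\security center\\monitoring" in low:
                if any(v.lower() == '"disablemonitoring"=dword:00000001' for v in values):
                    findings.append(("security-center-monitoring-disabled", key))
            continue
        for line in blk:
            svc = SERVICE_RE.match(line)
            if not svc:
                continue
            _, sname, _, path, fileinfo = svc.groups()
            if not fileinfo.strip():
                findings.append(("service-file-missing", sname))
                flagged_services.add(sname.lower())
            if HIDDEN_DIR_RE.search(path):
                findings.append(("service-hidden-dot-dir", sname))
                flagged_services.add(sname.lower())
    for sname in sorted(flagged_services & safeboot):
        # A SafeBoot\Minimal entry lets the service start in Safe Mode too.
        findings.append(("safeboot-entry-for-flagged-service", sname))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:40} {detail}")
```

Run as-is it prints the six findings from the excerpt; pass the text of a full ComboFix log to triage() to get the same report for a real machine. The rules only flag what the text of the log shows, so a hit still needs the file itself examined before anything is removed.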

Re: Fake Windows Security Center

Unread postby ktreffin » April 27th, 2008, 3:24 pm

Hi Mark,

Looks like we still have a little work to do.

I want to make sure that we get those files analyzed so we can find out if we need to get rid of them. I see that you uploaded one, however there are two files there that we need looked at. Please make sure you follow the directions carefully, so that the files are uploaded properly. Remember, you will have to repeat the process for each file.

Step #1: Upload malware for scanning

I'd like you to check a file/some files for malware.
C:\WINDOWS\system32\bdod.bin
C:\WINDOWS\system32\.e0ffa5f0\e0ffa5f0.exe

  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Save the complete results in a Notepad/Word document on your desktop.
  • Repeat for all files on the list.

Step #2: Disable Teatimer

Please disable Teatimer as it may interfere with the fix.
First:
  • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
  • Choose Exit Spybot S&D Resident
Second:
  • Open Spybot S&D
  • Click Mode, check Advanced Mode
  • Go To Left Panel, Click Tools, then also in left panel, click Resident
  • If your firewall raises a question, say OK
  • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Once your log is clean you can re-enable those settings in TeaTimer.

Step #3: Run CFScript

Close any open browsers and close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open Notepad and copy/paste the text in the box into the window:

Code:
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xfdstjwo]


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript.txt into ComboFix.exe
[image: CFScript.txt dragged onto ComboFix.exe]
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Step #4: Things to put in your next reply

Please post the following in your next reply:
  • Results of the Jotti or Virus Total scans for both of the files uploaded
  • The Combofix log generated after running the CFScript
  • A New Hijack This log

Thanks,
Ken
ktreffin
Retired Graduate
 
Posts: 1864
Joined: February 28th, 2007, 11:12 pm
Location: USA, Florida

Re: Fake Windows Security Center

Unread postby franosu » April 28th, 2008, 9:13 am

Here are the logs

BDOD

Antivirus Version Last Update Result
AhnLab-V3 2008.4.25.2 2008.04.28 -
AntiVir 7.8.0.10 2008.04.28 -
Authentium 4.93.8 2008.04.27 -
Avast 4.8.1169.0 2008.04.28 -
AVG 7.5.0.516 2008.04.28 -
BitDefender 7.2 2008.04.28 -
CAT-QuickHeal 9.50 2008.04.26 -
ClamAV 0.92.1 2008.04.28 -
DrWeb 4.44.0.09170 2008.04.28 -
eSafe 7.0.15.0 2008.04.27 -
eTrust-Vet 31.3.5741 2008.04.28 -
Ewido 4.0 2008.04.27 -
F-Prot 4.4.2.54 2008.04.27 -
F-Secure 6.70.13260.0 2008.04.28 -
FileAdvisor 1 2008.04.28 -
Fortinet 3.14.0.0 2008.04.28 -
Ikarus T3.1.1.26 2008.04.28 -
Kaspersky 7.0.0.125 2008.04.28 -
McAfee 5282 2008.04.25 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3059 2008.04.28 -
Norman 5.80.02 2008.04.25 -
Panda 9.0.0.4 2008.04.27 -
Prevx1 V2 2008.04.28 -
Rising 20.42.01.00 2008.04.28 -
Sophos 4.28.0 2008.04.28 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.28 -
TheHacker 6.2.92.294 2008.04.26 -
VBA32 3.12.6.5 2008.04.28 -
VirusBuster 4.3.26:9 2008.04.27 -
Webwasher-Gateway 6.6.2 2008.04.28 -
Additional information
File size: 81984 bytes
MD5...: a952e3b6f8f2cf6d483df54e0b5b4bc4
SHA1..: b773fb1d4bf5859db99ea09d18c38ac8767e00f1
SHA256: b7c5979915a25f003d64da2c89e10a78a1c672b78f06f48ad14141e962a384d5
SHA512: fda848fa7468151b1bc1bd137ea9e6613c8e96d6222aa154a2b4c1b89d7d013b
4da6b325902d84a3608b81d5a82655d38ecb5ea55b4b6d5d19406cf98f58cf6b
PEiD..: -
PEInfo: -

E0FFA5F0

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

COMBO FIX LOG

ComboFix 08-04-20.5 - Owner 2008-04-28 8:04:51.6 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1544 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

2008-04-20 10:49 . 2008-04-20 10:49 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-20 10:49 . 2008-04-20 10:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-20 10:27 . 2008-04-20 10:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-20 09:48 . 2008-04-20 09:48 <DIR> d--hs---- C:\FOUND.003
2008-04-20 09:48 . 2008-03-28 07:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-20 09:48 . 2008-04-20 09:48 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-20 09:48 . 2008-04-28 07:51 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-20 08:39 . 2008-04-28 07:52 121 --a------ C:\WINDOWS\bdagent.INI
2008-04-20 08:28 . 2008-04-20 08:28 <DIR> d-------- C:\Program Files\BitDefender
2008-04-20 08:28 . 2008-04-20 08:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Bitdefender
2008-04-20 08:28 . 2008-04-20 08:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-04-20 08:15 . 2008-04-20 08:15 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-04-19 19:07 . 2008-04-19 19:07 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-19 18:37 . 2008-04-19 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-18 08:24 . 2008-04-18 08:24 755 --a------ C:\WINDOWS\WIN.INI
2008-04-17 16:39 . 2008-04-17 16:39 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-04-17 16:26 . 2008-04-17 16:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2008-04-17 15:58 . 2008-04-17 15:58 <DIR> d--hs---- C:\FOUND.002
2008-04-17 15:49 . 2008-04-17 15:49 3,626 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-17 15:46 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-17 15:46 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-17 15:46 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-17 15:46 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-17 15:46 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-17 15:46 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-17 15:46 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-17 10:40 . 2008-04-17 10:40 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-17 07:14 . 2008-04-17 07:14 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-15 15:18 . 2008-04-15 15:18 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\ATTTOOLBAR
2008-04-15 09:18 . 2008-04-15 09:18 <DIR> d--h----- C:\WINDOWS\system32\.e0ffa5f0
2008-04-12 07:14 . 2008-04-12 07:14 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-04-12 07:12 . 2008-04-12 07:12 <DIR> d-------- C:\Program Files\ATTToolbar
2008-04-12 07:12 . 2008-04-12 07:12 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ATTToolbar
2008-04-12 07:12 . 2008-04-12 07:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATTToolbar
2008-04-07 07:01 . 2008-04-07 07:01 96,577 --a------ C:\WINDOWS\hpqins16.dat
2008-03-28 06:59 . 2008-03-28 06:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-03-28 06:53 . 2008-03-28 06:53 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-28 06:53 . 2008-03-28 06:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 11:36 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-03-25 13:41 --------- d-----w C:\Program Files\Virtual Earth 3D
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-13 23:09 724,984 ----a-w C:\Documents and Settings\Owner\gotomypc_437.exe
2008-03-12 12:54 --------- d-----w C:\Program Files\Citi Virtual Account Numbers
2008-03-01 23:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-28 13:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\VMware
2008-02-28 13:21 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-07-02 15:42 3,820,104 ----a-w C:\Documents and Settings\Owner\gosetup.exe
2007-05-22 01:41 19,968 ----a-w C:\Program Files\Doc1.doc
2007-02-11 15:00 722,176 ----a-w C:\Documents and Settings\Owner\gotomypc_428.exe
2006-09-19 15:32 563,712 ----a-w C:\Documents and Settings\Owner\gotomypc_370.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29}]
2008-03-27 10:33 1866568 --a------ C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29}"= "C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL" [2008-03-27 10:33 1866568]

[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-94be-fd60bb9aae29}]
[HKEY_CLASSES_ROOT\ATTToolbar.ATTTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29}"= C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL [2008-03-27 10:33 1866568]

[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-94be-fd60bb9aae29}]
[HKEY_CLASSES_ROOT\ATTToolbar.ATTTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-29 15:03 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-04-12 07:02 160592]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"arc"="C:\WINDOWS\system32\arc.exe" [2006-09-12 14:58 94208]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-08 20:58 8429568]
"nwiz"="nwiz.exe" [2007-10-08 20:58 1626112 C:\WINDOWS\system32\nwiz.exe]
"Apple_KbdMgr"="C:\Program Files\Boot Camp\KbdMgr.exe" [2007-10-08 22:06 419120]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [2007-01-12 17:45 249904]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-08 20:58 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-08 20:59 16384512 C:\WINDOWS\RTHDCPL.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"VMware Tools"="C:\Program Files\VMware\VMware Tools\VMwareTray.exe" [2008-01-16 22:03 117296]
"VMware User Process"="C:\Program Files\VMware\VMware Tools\VMwareUser.exe" [2008-01-16 22:03 375344]
"CitiVAN"="C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" [2004-08-12 14:51 192512]
"YOP"="C:\PROGRA~1\YAHOO!\YOP\yop.exe" [2007-10-26 15:42 509224]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 15:46 61440]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-02-16 17:45 360448]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2008-01-24 09:22 2476408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-04-12 07:02 160592]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52 53248]
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2007-05-01 11:11:48 6395464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 2007-01-12 17:45 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\e0ffa5f0]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 vmscsi;vmscsi;C:\WINDOWS\system32\DRIVERS\vmscsi.sys [2008-01-16 22:03]
R2 AppleOSSMgr;Apple OS Switch Manager;C:\WINDOWS\system32\AppleOSSMgr.exe [2007-10-08 22:04]
R2 AppleTimeSrv;Apple Time Service;C:\WINDOWS\system32\AppleTimeSrv.exe [2007-10-08 22:05]
R2 hgfs;hgfs;C:\WINDOWS\system32\DRIVERS\hgfs.sys [2008-01-16 22:03]
R2 KeyAgent;KeyAgent;C:\WINDOWS\system32\drivers\KeyAgent.sys [2007-10-08 20:56]
R2 MacHALDriver;Mac HAL;C:\WINDOWS\system32\drivers\MacHALDriver.sys [2007-10-08 20:56]
R2 VMMEMCTL;VMware server memory controller;C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys [2008-01-16 22:03]
R2 VMware Physical Disk Helper Service;VMware Physical Disk Helper Service;"C:\Program Files\VMware\VMware Tools\vmacthlp.exe" [2008-01-16 22:03]
R3 keymagic;USB Keyboard HID Filter;C:\WINDOWS\system32\DRIVERS\KeyMagic.sys [2007-10-08 20:56]
S1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 13:57]
S2 e0ffa5f0;Microsoft DDE+ server;C:\WINDOWS\system32\.e0ffa5f0\e0ffa5f0.exe []
S2 VMTools;VMware Tools Service;"C:\Program Files\VMware\VMware Tools\VMwareService.exe" [2008-01-16 22:03]
S3 StartupDiskDriver;StartupDiskDriver;C:\WINDOWS\system32\DRIVERS\StartupDiskDriver.sys [2006-09-01 13:51]
S3 vmmouse;VMware Pointing Device;C:\WINDOWS\system32\DRIVERS\vmmouse.sys [2008-01-16 22:03]
S3 vmx_svga;vmx_svga;C:\WINDOWS\system32\DRIVERS\vmx_svga.sys [2008-01-16 22:03]
S3 vmxnet;VMware Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\vmxnet.sys [2008-01-16 22:03]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

*Newly Created Service* - AD-WATCH_REGISTRY_FILTER
.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 14:16:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 08:05:16
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-28 8:05:28
ComboFix-quarantined-files.txt 2008-04-28 13:05:28
ComboFix5.txt 2008-04-22 11:58:50
ComboFix4.txt 2008-04-24 15:53:44
ComboFix3.txt 2008-04-25 13:33:06
ComboFix2.txt 2008-04-28 13:00:24

Pre-Run: 15,491,268,608 bytes free
Post-Run: 15,482,421,248 bytes free

177 --- E O F --- 2008-04-12 08:03:16
franosu
Active Member
 
Posts: 11
Joined: April 20th, 2008, 11:32 am
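
Two things in this exchange are worth checking with a script before the next upload: the e0ffa5f0.exe submission arrived as 0 bytes, and the bdod.bin result has to be matched back to the file actually sitting on disk. As an added example, not part of the post and not code from VirusTotal, Jotti or this forum, the following Python script hashes a file locally, refuses to go on after an empty read, and parses a pasted VirusTotal report so the detection count and digests can be compared with the local fingerprint. VT_REPORT is an excerpt of the result above (three of the engines plus the hash lines), the files in demo() are constructed in a temporary directory, and the function names are mine.

```python
"""Local fingerprint and report check for files sent to VirusTotal/Jotti.

Added example: not part of the original post and not code from
VirusTotal, Jotti or this forum. VT_REPORT is an excerpt of the result
pasted above (three of the engines, plus the hash lines); the files
hashed in demo() are constructed in a temporary directory.
"""
import hashlib
import os
import re
import tempfile

VT_REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2008.4.25.2 2008.04.28 -
Kaspersky 7.0.0.125 2008.04.28 -
Symantec 10 2008.04.28 -
Additional information
File size: 81984 bytes
MD5...: a952e3b6f8f2cf6d483df54e0b5b4bc4
SHA1..: b773fb1d4bf5859db99ea09d18c38ac8767e00f1
SHA256: b7c5979915a25f003d64da2c89e10a78a1c672b78f06f48ad14141e962a384d5
"""

ENGINE_RE = re.compile(r"^(\S+) (\S+) (\d{4}\.\d{2}\.\d{2}) (.+)$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)\.*:\s*([0-9a-fA-F]+)$")


def digests(data):
    """MD5/SHA-1/SHA-256 of a byte string, lower-case hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def fingerprint(path):
    """Hash a file before upload; refuse an empty read.

    A 0-byte read is the failure reported above for e0ffa5f0.exe: the path
    may be wrong, the file may be locked, or something on the host may be
    hiding its contents. Uploading it tells the scanner nothing, so stop
    here rather than submit an empty file.
    """
    size = os.path.getsize(path)
    if size == 0:
        raise ValueError(f"{path}: read 0 bytes, nothing to submit")
    with open(path, "rb") as fh:
        data = fh.read()
    return {"size": size, **digests(data)}


def parse_report(text):
    """Return (detections, engines, hashes) from a pasted VirusTotal report."""
    detections = engines = 0
    hashes = {}
    for line in text.splitlines():
        h = HASH_RE.match(line.strip())
        if h:
            hashes[h.group(1).lower()] = h.group(2).lower()
            continue
        e = ENGINE_RE.match(line.strip())
        if e:
            engines += 1
            if e.group(4).strip() != "-":  # '-' is the report's clean marker
                detections += 1
    return detections, engines, hashes


def same_file(fp, report_hashes):
    """True when every hash the report lists matches the local fingerprint."""
    return all(fp.get(algo) == digest for algo, digest in report_hashes.items())


def demo():
    """Constructed files in a temp dir: one with content, one empty."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "sample.bin")
        with open(good, "wb") as fh:
            fh.write(b"abc")  # constructed sample content
        fp = fingerprint(good)
        empty = os.path.join(tmp, "empty.exe")
        open(empty, "wb").close()
        try:
            fingerprint(empty)
            refused = False
        except ValueError:
            refused = True
    return fp, refused


if __name__ == "__main__":
    fp, refused = demo()
    print("local:", fp, "empty file refused:", refused)
    det, engines, hashes = parse_report(VT_REPORT)
    print(f"report: {det}/{engines} detections, same file as local: {same_file(fp, hashes)}")
```

With the local digests recorded you can look the sample up by hash on VirusTotal even when the upload itself fails, and a False from same_file() means the pasted result describes some other file than the one on disk.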

Re: Fake Windows Security Center

Unread postby ktreffin » April 28th, 2008, 9:31 pm

Hi Mark,

Please do the following:

Step #1 Run Kaspersky Online Scan

With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license accepted, reset to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    + Extended (If available otherwise Standard)
    o Scan Options:
    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)

    [image: Save Report As... button]
  • In the Save as... prompt, select Desktop
  • In the File name box, name the file KasScan-ddmmyy (or similar)
  • In the Save as type prompt, select Text file (see below)

    [image: Save as type prompt]
  • Copy and paste the report in your next post.
Note: It is recommended to disable on board antivirus program and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.

Step #2: Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

In your next reply, please post the contents of the Kaspersky Log, along with the contents of the Malwarebytes' Anti-Malware scan.

Thanks,
Ken
ktreffin
Retired Graduate
 
Posts: 1864
Joined: February 28th, 2007, 11:12 pm
Location: USA, Florida

Re: Fake Windows Security Center

Unread postby franosu » April 29th, 2008, 11:08 am

Latest logs

Kasp Log

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 29, 2008 9:21:34 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/04/2008
Kaspersky Anti-Virus database records: 730656
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 57677
Number of viruses found: 2
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 00:30:38

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\gotomon.log Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\.e0ffa5f0\e0ffa5f0.core.dll Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\Temp\tmp00000ba9\tmp00000000 Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_618.dat Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{1AD09D36-F967-4DF0-A7F3-8363A9600EC5}.bin Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF5664.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_260.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008042920080430\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini.inuse Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\VMware\hgfs.dat Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Bitdefender\Desktop\Profiles\asdict.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\BitDefender\BitDefender 2008\as2core\antispam_sig_10760\aspdict.dat Object is locked skipped
C:\Program Files\BitDefender\BitDefender 2008\dbokf.db Object is locked skipped
C:\Program Files\BitDefender\BitDefender 2008\dbokf.db-journal Object is locked skipped
C:\System Volume Information\_restore{8EF306A7-81D6-4213-941B-B741CDE63AF5}\RP4\A0000635.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{8EF306A7-81D6-4213-941B-B741CDE63AF5}\RP4\A0000635.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{8EF306A7-81D6-4213-941B-B741CDE63AF5}\RP4\A0000635.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{8EF306A7-81D6-4213-941B-B741CDE63AF5}\RP5\change.log Object is locked skipped
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
D:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped

Scan process completed.

mbam log

Malwarebytes' Anti-Malware 1.11
Database version: 697

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 89436
Time elapsed: 36 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{8EF306A7-81D6-4213-941B-B741CDE63AF5}\RP3\A0000364.DLL (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xfdstjwo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
franosu
Active Member
 
Posts: 11
Joined: April 20th, 2008, 11:32 am

Re: Fake Windows Security Center

Post by ktreffin » April 29th, 2008, 5:08 pm

Hi Mark,

Things are looking better, Kaspersky and Malwarebytes did hit on a few things, but most were infected restore points which we will deal with later. Kaspersky did confirm my suspicions about that e0ffa5f0 file. We need to remove that. Please do the following:

Step #1 Delete all bad folders

Open Windows Explorer by right-clicking the Start button and left-clicking Explore. Navigate to and find the following FOLDER:

C:\WINDOWS\system32\.e0ffa5f0

After deleting the above folder, please be sure to empty your recycle bin.

Once you have deleted that folder, please let me know how your system is running. Are you having any other troubles? Please let me know if you are.

Also, in your next reply please post a new Hijack This log for review.

Thanks,
Ken
ktreffin
Retired Graduate
 
Posts: 1864
Joined: February 28th, 2007, 11:12 pm
Location: USA, Florida
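The triage Ken does by eye in the reply above (separate the one live detection in C:\WINDOWS\system32\.e0ffa5f0 from the hits that only sit in System Restore snapshots or in a quarantine folder, and ignore the long tail of "Object is locked" lines) can be scripted. The following is an added example written for this page; it is not code from the thread, from MalwareRemoval.com, or from Kaspersky or Malwarebytes. It assumes the plain-text report formats shown in the two logs posted above, and the sample excerpts embedded in it are constructed from those logs. The list of "deferred" locations (System Restore snapshots and the ComboFix QooBox quarantine) is an assumption made for the example, as is the rule that a live hit's parent folder is the one to delete.

```python
"""Triage helper for Kaspersky Online Scanner and Malwarebytes' Anti-Malware logs.

Added example, not part of the forum thread. Assumes the 2008-era plain-text
log formats seen above; the sample excerpts below are constructed from them.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed excerpts in the shape of the two logs posted in the thread (abridged).
KASPERSKY_SAMPLE = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\.e0ffa5f0\e0ffa5f0.core.dll Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\System Volume Information\_restore{8EF306A7-81D6-4213-941B-B741CDE63AF5}\RP4\A0000635.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{8EF306A7-81D6-4213-941B-B741CDE63AF5}\RP4\A0000635.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{8EF306A7-81D6-4213-941B-B741CDE63AF5}\RP4\A0000635.exe RarSFX: infected - 2 skipped

Scan process completed.
"""

MBAM_SAMPLE = r"""
Files Infected: 2

Files Infected:
C:\System Volume Information\_restore{8EF306A7-81D6-4213-941B-B741CDE63AF5}\RP3\A0000364.DLL (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xfdstjwo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# Assumed for this example: places that hold stored copies of malware, not
# files the running OS can load. They are cleaned up later (System Restore is
# purged once the machine is clean; QooBox goes away with ComboFix's uninstall).
DEFERRED_PREFIXES = (
    r"c:\system volume information\_restore",
    r"c:\qoobox\quarantine",
)

# Kaspersky: "<path> Infected: <name> skipped"  /  "<path> Object is locked skipped"
KASP_INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
KASP_LOCKED = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
# MBAM: "<path> (<Name>) -> <action>"
MBAM_ITEM = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")


@dataclass
class Hit:
    scanner: str
    path: str
    detection: str
    deferred: bool


def is_deferred(path: str) -> bool:
    """True when the path is a stored copy rather than something Windows can execute."""
    return path.lower().startswith(DEFERRED_PREFIXES)


def parse_kaspersky(report: str) -> List[Hit]:
    """Collect 'Infected:' lines. 'RarSFX: infected - N' archive summaries are
    ignored because the archive members they summarise are listed individually."""
    hits = []
    for line in report.splitlines():
        m = KASP_INFECTED.match(line.strip())
        if m:
            hits.append(Hit("Kaspersky", m["path"], m["name"], is_deferred(m["path"])))
    return hits


def locked_paths(report: str) -> List[str]:
    """Files the scanner could not open. Registry hives, event logs and index.dat
    are normal here on a live system; anything else deserves a second look."""
    return [m["path"] for m in (KASP_LOCKED.match(l.strip()) for l in report.splitlines()) if m]


def parse_mbam(log: str) -> List[Hit]:
    hits = []
    for line in log.splitlines():
        m = MBAM_ITEM.match(line.strip())
        if m:
            hits.append(Hit("MBAM", m["path"], m["name"], is_deferred(m["path"])))
    return hits


def triage(hits: List[Hit]) -> Dict[str, List[Hit]]:
    """Split detections into what is still live on disk and what is only a stored copy."""
    return {
        "live": [h for h in hits if not h.deferred],
        "deferred": [h for h in hits if h.deferred],
    }


def folders_to_remove(hits: List[Hit]) -> Set[str]:
    """Parent folders of live hits: the list a helper would ask the user to delete."""
    return {ntpath.dirname(h.path) for h in hits if not h.deferred}


if __name__ == "__main__":
    all_hits = parse_kaspersky(KASPERSKY_SAMPLE) + parse_mbam(MBAM_SAMPLE)
    result = triage(all_hits)
    for h in result["live"]:
        print(f"LIVE      {h.scanner:9} {h.detection:36} {h.path}")
    for h in result["deferred"]:
        print(f"DEFERRED  {h.scanner:9} {h.detection:36} {h.path}")
    print("Locked (unscanned) objects:", len(locked_paths(KASPERSKY_SAMPLE)))
    print("Folders to delete:", sorted(folders_to_remove(all_hits)))
```

Run against the two logs as posted, the script reports exactly one live detection (Packed.Win32.Monder.gen in C:\WINDOWS\system32\.e0ffa5f0) and four deferred ones, and names C:\WINDOWS\system32\.e0ffa5f0 as the folder to delete, which is the conclusion Ken reaches in his reply. The "locked" count is worth glancing at: on a live XP system the hives, event logs and index.dat files are always locked, but a locked DLL or EXE outside those locations would be a reason to scan again from Safe Mode.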