Fake Windows Security Center Infection - Big Mess !


Fake Windows Security Center Infection - Big Mess !

Post by Resto on 17th September 2009, 4:06 am

My PC with XP SP2 has been infected with some type of malware presenting itself as "Windows Security Center". It looks identical to the screen captures posted about this issue by another user on 9/3/09 at 12:57 pm. I immediately ran MBAM and got the log I will post below. After MBAM finished, I was asked to re-start my computer. After re-starting, things went crazy.

I can get online using Safe Mode with Connections. I can download MBAM and HijackThis, but cannot install them. Apparently, this malware is preventing these programs from operating properly. Additionally, the MBAM and AVG 8.5 I already had installed on my computer no longer work. I did not have HijackThis installed prior to the infection.

Any assistance will be greatly appreciated. Thank you. MBAM Log is as follows:

Malwarebytes' Anti-Malware 1.40
Database version: 2750
Windows 5.1.2600 Service Pack 2 (Safe Mode)

9/15/2009 11:54:42 PM
mbam-log-2009-09-15 (23-54-42).txt

Scan type: Quick Scan
Objects scanned: 97065
Time elapsed: 10 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 4
Registry Data Items Infected: 15
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: c:\windows\system32\cru629.dat -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: system32\cru629.dat -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\fjmpqp.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\5RFZPXS2\xdajk[1].html (Spyware.Banker) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\INCN5UBI\cvwjj[1].html (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\QH1A3YX4\cvwjj[1].html (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\X09TFT13\xdajk[1].html (Spyware.Banker) -> Quarantined and deleted successfully.
C:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AVR09.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


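Reading an MBAM log like the one above by hand gets error-prone once it runs to dozens of lines, so here is an added Python example (not Malwarebytes' code) that parses the log, cross-checks the summary counts against the detail sections, and tags each registry detection with the mechanism it represents: Run-key autostart, AppInit_DLLs injection, Security Center alert suppression, policy lockouts, wallpaper hijack. The sample log is abridged from Resto's post; the regexes and the mechanism labels are this example's own assumptions about MBAM's log layout.

```python
"""Triage an MBAM log of the kind pasted above. Added example, not
Malwarebytes' code: the sample is abridged from Resto's log, and the
regexes and mechanism labels are this example's own assumptions."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SAMPLE_LOG = r"""
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 3
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: c:\windows\system32\cru629.dat -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
"""

HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
DETAIL_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")

# (substring of the lower-cased registry path, label); first match wins.
MECHANISMS = [
    ("\\currentversion\\run", "autostart: Run key"),
    ("appinit_dlls", "injection: AppInit_DLLs"),
    ("\\security center\\", "defense evasion: Security Center alerts disabled"),
    ("\\policies\\", "lockout: policy restriction (Task Manager / desktop)"),
    ("internet explorer\\desktop", "scareware: wallpaper hijack"),
]


@dataclass
class Detection:
    section: str         # MBAM section, e.g. "Registry Values Infected"
    item: str            # registry path or file path
    family: str          # MBAM detection name, e.g. Trojan.FakeAlert
    data: Optional[str]  # value MBAM reports as written by the malware, if any
    mechanism: str       # label from MECHANISMS, "file", or "other"


def classify(item):
    """Map a registry path to the persistence/evasion mechanism it represents."""
    low = item.lower()
    return next((label for needle, label in MECHANISMS if needle in low), "other")


def parse_mbam_log(text):
    """Return (detections, reported_counts) from an MBAM log."""
    detections, reported, section = [], {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if (m := HEADER_RE.match(line)):
            if m.group("count") is not None:   # summary block: "Files Infected: 16"
                reported[m.group("section")] = int(m.group("count"))
            else:                              # detail block: "Files Infected:"
                section = m.group("section")
        elif section and (m := DETAIL_RE.match(line)):
            data = re.match(r"Data: (.+?) -> ", m.group("rest"))
            detections.append(Detection(
                section, m.group("item"), m.group("family"),
                data.group(1) if data else None,
                "file" if section == "Files Infected" else classify(m.group("item"))))
    return detections, reported


def triage(text):
    """Cross-check the summary counts and tally detections by mechanism."""
    detections, reported = parse_mbam_log(text)
    found = Counter(d.section for d in detections)
    return {
        "detections": detections,
        # (reported, actually listed) for any section whose numbers disagree
        "mismatches": {s: (n, found[s]) for s, n in reported.items() if n != found[s]},
        "mechanisms": Counter(d.mechanism for d in detections if d.mechanism != "file"),
        # paths the malware wrote into registry data: re-check these after reboot
        "data_paths": [d.data for d in detections if d.data],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for label, n in report["mechanisms"].most_common():
        print(f"{n:2d}  {label}")
    print("count mismatches:", report["mismatches"] or "none")
    print("data paths written by the malware:", report["data_paths"])
```

The tally makes the shape of the infection visible: not one file but a set of mutually reinforcing settings (autostarts, a DLL injected into every process that loads user32.dll via AppInit_DLLs, and the Security Center and Task Manager switched off so the user cannot see or stop it). The AppInit_DLLs data path is the one to re-check after a reboot, because any surviving component can re-create the other entries; the HijackThis logs later in this thread do in fact still list that entry after MBAM reported deleting it.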
Re: Fake Windows Security Center Infection - Big Mess !

Post by Belahzur on 17th September 2009, 8:30 am

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Fake Windows Security Center Infection - Big Mess !

Post by Resto on 17th September 2009, 1:05 pm

Thank you for your assistance.

I followed your download link and renamed HijackThis to winlogon.exe before saving it. This allowed it to work. Previous attempts without renaming it had been unsuccessful. Here is the requested log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:42 AM, on 9/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscsvc32.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
O1 - Hosts: ::1 localhost
O1 - Hosts: ??????????????? browser-security.microsoft.com
O1 - Hosts: ??????????????? antiwareprotect.com
O1 - Hosts: ??????????????? [You must be registered and logged in to see this link.]
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe
O4 - HKLM\..\Run: [11684534] C:\Documents and Settings\All Users\Application Data\11684534\11684534.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [Protection System] "C:\Program Files\Protection System\psystem.exe" -noscan
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe [You must be registered and logged in to see this link.]
O4 - HKUS\S-1-5-18\..\Run: [Advanced Virus Remover] C:\Program Files\AdvancedVirusRemover\PAVRM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Advanced Virus Remover] C:\Program Files\AdvancedVirusRemover\PAVRM.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: Garmin Communicator Plug-In - [You must be registered and logged in to see this link.]
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LeapFrog Connect Device Service - Unknown owner - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6820 bytes


Re: Fake Windows Security Center Infection - Big Mess !

Post by Belahzur on 17th September 2009, 1:33 pm

Hello.

  • Open HijackThis.
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O1 - Hosts: ::1 localhost
    O1 - Hosts: ??????????????? browser-security.microsoft.com
    O1 - Hosts: ??????????????? antiwareprotect.com
    O1 - Hosts: ??????????????? [You must be registered and logged in to see this link.]
    O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe
    O4 - HKLM\..\Run: [11684534] C:\Documents and Settings\All Users\Application Data\11684534\11684534.exe
    O4 - HKCU\..\Run: [Protection System] "C:\Program Files\Protection System\psystem.exe" -noscan
    O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe [You must be registered and logged in to see this link.]
    O4 - HKUS\S-1-5-18\..\Run: [Advanced Virus Remover] C:\Program Files\AdvancedVirusRemover\PAVRM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Advanced Virus Remover] C:\Program Files\AdvancedVirusRemover\PAVRM.exe (User 'Default user')
    O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat


  • Press "Fix Checked"
  • Close Hijack This.

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan.



Re: Fake Windows Security Center Infection - Big Mess !

Post by Resto on 17th September 2009, 1:48 pm

Ran "System Scan Only" with HijackThis and followed your instructions to fix the checked items.

Malwarebytes still will not run. Fake Security Center Shields are still in bottom right corner (next to clock) and I still get the Security Center pop-ups.

Not sure what to do next.

In case you need it, here is a HijackThis log I ran after following your instructions. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:35 AM, on 9/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscsvc32.exe
C:\WINDOWS\TEMP\Installer.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: Garmin Communicator Plug-In - [You must be registered and logged in to see this link.]
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LeapFrog Connect Device Service - Unknown owner - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5905 bytes


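The two HijackThis logs Resto posted, before and after "Fix checked", differ in a way that is easy to miss by eye. The following Python example (added here, not HijackThis's own logic) makes the comparison mechanical: it parses two HJT logs, flags entries by the heuristics a helper applies when reading one (hosts-file overrides of security or vendor domains, autostarts with an empty or purely numeric name, autostarts registered under the SYSTEM hive or launched from Application Data, a populated AppInit_DLLs), diffs the two logs, and reports which of the lines that were ticked for fixing are still present. Both samples are abridged from the two logs in this thread; the RunOnce URL, which the forum masks, is replaced by the placeholder "[url removed]".

```python
"""Diff two HijackThis logs and flag entries by heuristic. Added example, not
HijackThis's own logic; samples abridged from the two logs Resto posted, with
the forum-masked RunOnce URL replaced by the placeholder "[url removed]".
"""
import re

BEFORE = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: ::1 localhost
O1 - Hosts: ??????????????? browser-security.microsoft.com
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe
O4 - HKLM\..\Run: [11684534] C:\Documents and Settings\All Users\Application Data\11684534\11684534.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe [url removed]
O4 - HKUS\S-1-5-18\..\Run: [Advanced Virus Remover] C:\Program Files\AdvancedVirusRemover\PAVRM.exe (User 'SYSTEM')
O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat
"""

AFTER = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\TEMP\Installer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat
"""

# Lines the helper asked the user to tick under "Fix checked" (abridged).
FIX_LIST = [
    r"O1 - Hosts: ??????????????? browser-security.microsoft.com",
    r"O4 - HKLM\..\Run: [11684534] C:\Documents and Settings\All Users\Application Data\11684534\11684534.exe",
    r"O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe [url removed]",
    r"O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat",
]

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")


def parse_hjt(text):
    """Split an HJT log into (running processes, [(kind, body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in (raw.rstrip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif (m := ENTRY_RE.match(line)):
            entries.append((m.group("kind"), m.group("body")))
        elif in_procs:
            processes.append(line)
    return processes, entries


def suspicious(kind, body):
    """Why an entry deserves a look, or None. Heuristics of this example only."""
    low = body.lower()
    if kind == "O1" and low.split()[-1] != "localhost":
        if any(w in low for w in ("microsoft", "security", "antivirus", "protect")):
            return "hosts entry overrides a security/vendor domain"
    elif kind == "O4" and (m := O4_RE.match(body)):
        hive, name, cmd = m.group("hive").upper(), m.group("name"), m.group("cmd").lower()
        if name == "":
            return "autostart with an empty name"
        if hive.startswith("HKUS\\"):
            return "autostart registered for the SYSTEM/Default profile"
        if "application data" in cmd or "\\temp\\" in cmd:
            return "autostart from a user-writable data/temp directory"
        if name.isdigit():
            return "autostart with a purely numeric name"
    elif kind == "O20" and low.startswith("appinit_dlls:"):
        return "AppInit_DLLs set: the DLL is loaded into every process that loads user32"
    return None


def flag_entries(text):
    """[(kind, body, reason)] for every entry one of the heuristics matches."""
    return [(k, b, r) for k, b in parse_hjt(text)[1] for r in [suspicious(k, b)] if r]


def diff_logs(before, after):
    """Entries removed/added between two logs, and processes that newly appeared."""
    pb, eb = parse_hjt(before)
    pa, ea = parse_hjt(after)
    return {"removed": [e for e in eb if e not in ea],
            "added": [e for e in ea if e not in eb],
            "new_processes": [p for p in pa if p not in pb]}


def fix_survivors(after, fix_list):
    """Lines from the fix list that are still present after 'Fix checked' ran."""
    present = {f"{k} - {b}" for k, b in parse_hjt(after)[1]}
    return [line for line in fix_list if line in present]


if __name__ == "__main__":
    for kind, body, reason in flag_entries(BEFORE):
        print(f"{kind}: {reason}\n    {body}")
    print("still present after fix:", fix_survivors(AFTER, FIX_LIST))
    print("new processes:", diff_logs(BEFORE, AFTER)["new_processes"])
```

Run over the two logs in this thread, the survivor list is exactly the O20 AppInit_DLLs line, and a new process, C:\WINDOWS\TEMP\Installer.exe, has appeared between the scans. An entry that HijackThis writes out but that comes back, plus a fresh executable running from a temp directory, is consistent with something still active on the box re-creating its own settings, which is the rootkit suspicion raised in the next reply.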
Re: Fake Windows Security Center Infection - Big Mess !

Post by Belahzur on 17th September 2009, 1:51 pm

Probably a rootkit.


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select yes.



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: Fake Windows Security Center Infection - Big Mess !

Post by Resto on 17th September 2009, 2:06 pm

Cannot access AVG 8.5 to disable. The malware seems to have compromised it and occasionally prompts me to uninstall AVG 8.5 (which I have not done).

Per your instructions, I downloaded ComboFix to desktop, but it will not install (just like HJT and MBAM will not run).

Additionally, HJT will no longer run after the last log I sent you. MBAM has not worked since the first log I sent you last night. Seems to be getting more and more "interesting".

Any additional assistance will be greatly appreciated. Thanks.


Re: Fake Windows Security Center Infection - Big Mess !

Post by Belahzur on 17th September 2009, 2:07 pm

I bet the rootkit is blocking that too, let's try GMER.

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.



Re: Fake Windows Security Center Infection - Big Mess !

Post by coverunder41 on 17th September 2009, 2:40 pm

I love you man!! Had a similar problem and I followed your post and it got rid of the rogue program!!


Re: Fake Windows Security Center Infection - Big Mess !

Post by Resto on 17th September 2009, 2:46 pm

I ran GMER in Safe Mode and noticed several RED root-kit warnings. After saving the log, my computer went to a black screen (with cursor arrow), then shut down and automatically rebooted in normal mode.

Programs will not open. Could not paste GMER results into Notepad, Word or anything, but was able to copy into this reply to you. GMER results look sort of unformatted and messy - I hope you can make sense of it.

I have to go to work, so will not be able to check this again until after 5:00 pm EST.

I hope you have some additional suggestions to help me. Thanks.


GMER 1.0.15.15087 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-17 10:36:31
Windows 5.1.2600 Service Pack 2
Running: 9ntgokqx.exe; Driver: C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\fxldqpog.sys


---- System - GMER 1.0.15 ----

Code 862E53F0 ZwEnumerateKey
Code 8624BE88 ZwFlushInstructionCache
Code 86227BEE IofCallDriver
Code 863D1196 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE00A 5 Bytes JMP 86227BF3
.text ntkrnlpa.exe!IofCompleteRequest 804EE09A 5 Bytes JMP 863D119B
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805AAC4A 5 Bytes JMP 8624BE8C
PAGE ntkrnlpa.exe!ZwEnumerateKey 80619770 5 Bytes JMP 862E53F4

---- User code sections - GMER 1.0.15 ----

.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[492] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 003C0429
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[492] WS2_32.dll!connect 71AB406A 5 Bytes JMP 003C0526
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[492] WS2_32.dll!send 71AB428A 5 Bytes JMP 003C05D0
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[492] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 003C0543
.text C:\WINDOWS\system32\winlogon.exe[608] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 004B0429
.text C:\WINDOWS\system32\winlogon.exe[608] WS2_32.dll!connect 71AB406A 5 Bytes JMP 004B0526
.text C:\WINDOWS\system32\winlogon.exe[608] WS2_32.dll!send 71AB428A 5 Bytes JMP 004B05D0
.text C:\WINDOWS\system32\winlogon.exe[608] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 004B0543
.text C:\WINDOWS\system32\services.exe[660] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 003A0429
.text C:\WINDOWS\system32\services.exe[660] WS2_32.dll!connect 71AB406A 5 Bytes JMP 003A0526
.text C:\WINDOWS\system32\services.exe[660] WS2_32.dll!send 71AB428A 5 Bytes JMP 003A05D0
.text C:\WINDOWS\system32\services.exe[660] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 003A0543
.text C:\WINDOWS\system32\lsass.exe[684] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00390429
.text C:\WINDOWS\system32\lsass.exe[684] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00390526
.text C:\WINDOWS\system32\lsass.exe[684] WS2_32.dll!send 71AB428A 5 Bytes JMP 003905D0
.text C:\WINDOWS\system32\lsass.exe[684] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 00390543
.text C:\WINDOWS\system32\svchost.exe[828] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 003A0429
.text C:\WINDOWS\system32\svchost.exe[828] WS2_32.dll!connect 71AB406A 5 Bytes JMP 003A0526
.text C:\WINDOWS\system32\svchost.exe[828] WS2_32.dll!send 71AB428A 5 Bytes JMP 003A05D0
.text C:\WINDOWS\system32\svchost.exe[828] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 003A0543
.text C:\WINDOWS\system32\svchost.exe[928] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 003A0429
.text C:\WINDOWS\system32\svchost.exe[928] WS2_32.dll!connect 71AB406A 5 Bytes JMP 003A0526
.text C:\WINDOWS\system32\svchost.exe[928] WS2_32.dll!send 71AB428A 5 Bytes JMP 003A05D0
.text C:\WINDOWS\system32\svchost.exe[928] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 003A0543
.text C:\WINDOWS\System32\svchost.exe[980] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 003A0429
.text C:\WINDOWS\System32\svchost.exe[980] WS2_32.dll!connect 71AB406A 5 Bytes JMP 003A0526
.text C:\WINDOWS\System32\svchost.exe[980] WS2_32.dll!send 71AB428A 5 Bytes JMP 003A05D0
.text C:\WINDOWS\System32\svchost.exe[980] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 003A0543
.text C:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 003A0429
.text C:\WINDOWS\system32\svchost.exe[1124] WS2_32.dll!connect 71AB406A 5 Bytes JMP 003A0526
.text C:\WINDOWS\system32\svchost.exe[1124] WS2_32.dll!send 71AB428A 5 Bytes JMP 003A05D0
.text C:\WINDOWS\system32\svchost.exe[1124] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 003A0543
.text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 003A0429
.text C:\WINDOWS\system32\svchost.exe[1320] WS2_32.dll!connect 71AB406A 5 Bytes JMP 003A0526
.text C:\WINDOWS\system32\svchost.exe[1320] WS2_32.dll!send 71AB428A 5 Bytes JMP 003A05D0
.text C:\WINDOWS\system32\svchost.exe[1320] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 003A0543
.text C:\WINDOWS\Explorer.exe[1360] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 003A0429
.text C:\WINDOWS\Explorer.exe[1360] WS2_32.dll!connect 71AB406A 5 Bytes JMP 003A0526
.text C:\WINDOWS\Explorer.exe[1360] WS2_32.dll!send 71AB428A 5 Bytes JMP 003A05D0
.text C:\WINDOWS\Explorer.exe[1360] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 003A0543
.text C:\Program Files\Internet Explorer\Iexplore.exe[1400] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 003C0429
.text C:\Program Files\Internet Explorer\Iexplore.exe[1400] WININET.dll!HttpAddRequestHeadersA 771C40A2 5 Bytes JMP 00DA000C
.text C:\Program Files\Internet Explorer\Iexplore.exe[1400] WININET.dll!HttpAddRequestHeadersW 771CEEDC 5 Bytes JMP 00E9000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1400] WS2_32.dll!connect 71AB406A 5 Bytes JMP 100127E0
.text C:\Program Files\Internet Explorer\Iexplore.exe[1400] WS2_32.dll!send 71AB428A 5 Bytes JMP 100127C0
.text C:\Program Files\Internet Explorer\Iexplore.exe[1400] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 100129A0
.text C:\Program Files\Internet Explorer\Iexplore.exe[1400] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 003C0543
.text C:\WINDOWS\system32\spoolsv.exe[1596] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00390429
.text C:\WINDOWS\system32\spoolsv.exe[1596] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00390526
.text C:\WINDOWS\system32\spoolsv.exe[1596] WS2_32.dll!send 71AB428A 5 Bytes JMP 003905D0
.text C:\WINDOWS\system32\spoolsv.exe[1596] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 00390543
.text C:\WINDOWS\system32\svchost.exe[1700] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 003A0429
.text C:\WINDOWS\system32\svchost.exe[1700] WS2_32.dll!connect 71AB406A 5 Bytes JMP 003A0526
.text C:\WINDOWS\system32\svchost.exe[1700] WS2_32.dll!send 71AB428A 5 Bytes JMP 003A05D0
.text C:\WINDOWS\system32\svchost.exe[1700] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 003A0543
.text C:\WINDOWS\system32\svchost.exe[1996] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 003A0429
.text C:\WINDOWS\system32\svchost.exe[1996] WS2_32.dll!connect 71AB406A 5 Bytes JMP 003A0526
.text C:\WINDOWS\system32\svchost.exe[1996] WS2_32.dll!send 71AB428A 5 Bytes JMP 003A05D0
.text C:\WINDOWS\system32\svchost.exe[1996] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 003A0543
.text C:\WINDOWS\System32\alg.exe[2080] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 003A0429
.text C:\WINDOWS\System32\alg.exe[2080] WS2_32.dll!connect 71AB406A 5 Bytes JMP 003A0526
.text C:\WINDOWS\System32\alg.exe[2080] WS2_32.dll!send 71AB428A 5 Bytes JMP 003A05D0
.text C:\WINDOWS\System32\alg.exe[2080] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 003A0543
.text C:\Documents and Settings\All Users\Application Data\11684534\11684534.exe[2300] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00860429
.text C:\Documents and Settings\All Users\Application Data\11684534\11684534.exe[2300] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00860526
.text C:\Documents and Settings\All Users\Application Data\11684534\11684534.exe[2300] WS2_32.dll!send 71AB428A 5 Bytes JMP 008605D0
.text C:\Documents and Settings\All Users\Application Data\11684534\11684534.exe[2300] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 00860543
.text C:\WINDOWS\system32\ctfmon.exe[2316] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 003B0429
.text C:\WINDOWS\system32\ctfmon.exe[2316] WS2_32.dll!connect 71AB406A 5 Bytes JMP 003B0526
.text C:\WINDOWS\system32\ctfmon.exe[2316] WS2_32.dll!send 71AB428A 5 Bytes JMP 003B05D0
.text C:\WINDOWS\system32\ctfmon.exe[2316] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 003B0543
.text C:\Documents and Settings\HP_Owner\Desktop\9ntgokqx.exe[3492] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00390429
.text C:\Documents and Settings\HP_Owner\Desktop\9ntgokqx.exe[3492] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00390526
.text C:\Documents and Settings\HP_Owner\Desktop\9ntgokqx.exe[3492] WS2_32.dll!send 71AB428A 5 Bytes JMP 003905D0
.text C:\Documents and Settings\HP_Owner\Desktop\9ntgokqx.exe[3492] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 00390543

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACidwqpppmpu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [928] 0x10000000
Library \\?\globalroot\systemroot\system32\UACidwqpppmpu.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [980] 0x10000000
Library \\?\globalroot\systemroot\system32\UACidwqpppmpu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1124] 0x10000000
Library \\?\globalroot\systemroot\system32\UACidwqpppmpu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1320] 0x10000000
Library \\?\globalroot\systemroot\system32\UACqlooqvpphe.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [1400] 0x00BF0000
Library \\?\globalroot\systemroot\system32\UACidwqpppmpu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1700] 0x10000000
Library \\?\globalroot\systemroot\system32\UACidwqpppmpu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1996] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACbcjixvxorn.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\WINDOWS\system32\cru629.dat

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1011795814-1675600451-2574878161-1009\AppEvent.Evt 524288 bytes
File C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1011795814-1675600451-2574878161-1009\default 524288 bytes
File C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1011795814-1675600451-2574878161-1009\default.LOG 1024 bytes
File C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1011795814-1675600451-2574878161-1009\default.sav 94208 bytes
File C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1011795814-1675600451-2574878161-1009\SAM 24576 bytes
File C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1011795814-1675600451-2574878161-1009\SAM.LOG 1024 bytes
File C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1011795814-1675600451-2574878161-1009\SecEvent.Evt 524288 bytes
File C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1011795814-1675600451-2574878161-1009\SECURITY 49152 bytes
File C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1011795814-1675600451-2574878161-1009\SECURITY.LOG 1024 bytes
File C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1011795814-1675600451-2574878161-1009\software 29085696 bytes
File C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1011795814-1675600451-2574878161-1009\software.LOG 20480 bytes
File C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1011795814-1675600451-2574878161-1009\software.sav 634880 bytes
File C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1011795814-1675600451-2574878161-1009\SysEvent.Evt 524288 bytes
File C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1011795814-1675600451-2574878161-1009\system 4980736 bytes
File C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1011795814-1675600451-2574878161-1009\system.LOG 16384 bytes
File C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1011795814-1675600451-2574878161-1009\system.sav 872448 bytes
File C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1011795814-1675600451-2574878161-1009\systemprofile 0 bytes
File C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1011795814-1675600451-2574878161-1009\TempKey.LOG 1024 bytes
File C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1011795814-1675600451-2574878161-1009\userdiff 262144 bytes
File C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1011795814-1675600451-2574878161-1009\userdiff.LOG 1024 bytes

---- EOF - GMER 1.0.15 ----

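The GMER log above shows the same picture in almost every process: LdrLoadDll and the WS2_32 socket exports redirected to a small trampoline, a hidden UAC*.dll mapped into the process, and a hidden UACd.sys service. As an added example, not part of this thread and not GMER's own code, here is a small Python triage script that parses those three record types into a per-process summary; the embedded sample log is a constructed excerpt of the lines above.

```python
"""Per-process triage of a GMER 1.0.15 text log.

Added example, not part of this thread and not GMER's own code. It parses the
three record types visible in the log posted above:

  .text <image>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target>   (inline hook)
  Library <path> (*** hidden *** ) @ <image> [<pid>] 0x<base>              (hidden DLL)
  Service <path> (*** hidden *** ) [<start>] <name> <-- ROOTKIT !!!        (hidden driver)

and reports, per process, which loader / socket exports were redirected and
which hidden modules live inside it.
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text (?P<image>.+?)\[(?P<pid>\d+)\] (?P<module>[^!\s]+)!(?P<export>\S+) "
    r"(?P<addr>[0-9A-Fa-f]+) (?P<nbytes>\d+) Bytes (?P<patch>.+)$"
)
LIB_RE = re.compile(
    r"^Library (?P<path>\S+) \(\*\*\* hidden \*\*\* \) @ (?P<image>.+?) "
    r"\[(?P<pid>\d+)\] 0x(?P<base>[0-9A-Fa-f]+)$"
)
SVC_RE = re.compile(
    r"^Service (?P<path>\S+) \(\*\*\* hidden \*\*\* \) \[(?P<start>\w+)\] (?P<name>\S+)"
)

# Exports whose redirection lets a user-mode component see or alter every
# outbound connection and HTTP request made by the host process.
NETWORK_EXPORTS = {"connect", "send", "closesocket", "WSAConnect",
                   "HttpAddRequestHeadersA", "HttpAddRequestHeadersW"}
# A hook here runs whenever the process loads another DLL.
LOADER_EXPORTS = {"LdrLoadDll"}

# Constructed sample: a handful of lines in the format of the log above.
SAMPLE_GMER_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[928] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 003A0429
.text C:\WINDOWS\system32\svchost.exe[928] WS2_32.dll!connect 71AB406A 5 Bytes JMP 003A0526
.text C:\WINDOWS\system32\svchost.exe[928] WS2_32.dll!send 71AB428A 5 Bytes JMP 003A05D0
.text C:\WINDOWS\system32\svchost.exe[928] WS2_32.dll!WSAConnect 71AC0C69 5 Bytes JMP 003A0543
.text C:\Program Files\Internet Explorer\Iexplore.exe[1400] WININET.dll!HttpAddRequestHeadersA 771C40A2 5 Bytes JMP 00DA000C
.text C:\Program Files\Internet Explorer\Iexplore.exe[1400] WS2_32.dll!connect 71AB406A 5 Bytes JMP 100127E0

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACidwqpppmpu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [928] 0x10000000
Library \\?\globalroot\systemroot\system32\UACqlooqvpphe.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [1400] 0x00BF0000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\UACbcjixvxorn.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!
"""


def parse_gmer(text):
    """Group hook and hidden-library records by PID; collect hidden services."""
    procs = defaultdict(lambda: {"image": None, "hooks": [], "hidden_libs": []})
    services = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOOK_RE.match(line):
            pid = int(m["pid"])
            procs[pid]["image"] = m["image"]
            procs[pid]["hooks"].append({"module": m["module"], "export": m["export"],
                                        "addr": int(m["addr"], 16), "patch": m["patch"]})
        elif m := LIB_RE.match(line):
            pid = int(m["pid"])
            procs[pid]["image"] = procs[pid]["image"] or m["image"]
            procs[pid]["hidden_libs"].append({"path": m["path"], "base": int(m["base"], 16)})
        elif m := SVC_RE.match(line):
            services.append({"path": m["path"], "start": m["start"], "name": m["name"]})
    return {"processes": dict(procs), "hidden_services": services}


def triage(text):
    """Reduce the parsed log to the questions an analyst asks first."""
    parsed = parse_gmer(text)
    findings = {}
    for pid, info in parsed["processes"].items():
        exports = {h["export"] for h in info["hooks"]}
        findings[pid] = {
            "image": info["image"],
            "network_hooked": sorted(exports & NETWORK_EXPORTS),
            "loader_hooked": bool(exports & LOADER_EXPORTS),
            # Keep only the file name; the \\?\globalroot prefix is how GMER
            # prints a module that was loaded through a path hidden from Win32.
            "hidden_modules": [lib["path"].rsplit("\\", 1)[-1] for lib in info["hidden_libs"]],
        }
    return {"processes": findings, "hidden_services": parsed["hidden_services"]}


if __name__ == "__main__":
    result = triage(SAMPLE_GMER_LOG)
    for pid, f in sorted(result["processes"].items()):
        print(f"[{pid}] {f['image']}: loader hook={f['loader_hooked']}, "
              f"network hooks={f['network_hooked']}, hidden={f['hidden_modules']}")
    for svc in result["hidden_services"]:
        print(f"hidden service {svc['name']} -> {svc['path']} (start: {svc['start']})")
```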

Re: Fake Windows Security Center Infection - Big Mess !

Post by Belahzur on 17th September 2009, 4:30 pm

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.]

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Drivers to disable:
UACd.sys

Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\UACbcjixvxorn.sys

Folders to delete:
C:\Documents and Settings\All Users\Application Data\11684534

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Fake Windows Security Center Infection - Big Mess !

Post by Resto on 18th September 2009, 12:01 am

Thank you. Here is the log from Avenger:
Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Disablement of driver "UACd.sys" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)

Driver "UACd.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\UACbcjixvxorn.sys" deleted successfully.
Folder "C:\Documents and Settings\All Users\Application Data\11684534" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Re: Fake Windows Security Center Infection - Big Mess !

Post by Belahzur on 18th September 2009, 12:26 am

Can you run Combofix now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Fake Windows Security Center Infection - Big Mess !

Post by Resto on 18th September 2009, 12:38 am

No.

I have downloaded it to my desktop and the icon is there, but it will not install or run. When I double-click the Combofix icon, I get an hourglass for a couple of seconds and that is it.


Re: Fake Windows Security Center Infection - Big Mess !

Post by Belahzur on 18th September 2009, 12:41 am

Delete the copy of Combofix you have right now.

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Fake Windows Security Center Infection - Big Mess !

Post by Resto on 18th September 2009, 1:05 am

ComboFix log:

ComboFix 09-09-17.04 - HP_Owner 09/17/2009 20:50.1.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1015.811 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AdvancedVirusRemover
c:\program files\AdvancedVirusRemover\PAVRM.exe
c:\program files\Protection System
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\system32\41.exe
c:\windows\system32\config\systemprofile\Desktop\Advanced Virus Remover.lnk
c:\windows\system32\config\systemprofile\Start Menu\Advanced Virus Remover.lnk
c:\windows\system32\cru629.dat
c:\windows\system32\drivers\UACbcjixvxorn.sys
c:\windows\system32\ludoyuja.dll
c:\windows\system32\merilaro.dll
c:\windows\system32\rumusipa.dll
c:\windows\system32\tufemivu.dll
c:\windows\system32\UACdlbuemxfml.dll
c:\windows\system32\UACidwqpppmpu.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACqlooqvpphe.dll
c:\windows\system32\UACqqkmfpaoil.dat
c:\windows\system32\UACstbvouqfvi.dll
c:\windows\system32\UACyfulndqxiw.dll
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\wingenocx.dll
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\wscsvc32.exe
c:\windows\system32\yonugese.exe
c:\windows\system32\yugutoyi.exe
D:\Autorun.inf

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UACd.sys
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.

2009-09-17 12:49 . 2009-09-17 12:49 -------- d-----w- c:\program files\Trend Micro
2009-09-16 07:04 . 2009-09-16 07:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-16 05:43 . 2009-09-17 04:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-16 02:59 . 2009-09-16 02:59 49066 ----a-w- C:\psiefutv.exe
2009-09-16 02:59 . 2009-09-16 02:59 19968 ----a-w- C:\udtcnn.exe
2009-09-16 02:59 . 2009-09-16 02:59 79360 ----a-w- C:\wpfpqa.exe
2009-09-16 02:58 . 2009-09-16 02:58 49152 ----a-w- C:\scmhux.exe
2009-09-16 02:58 . 2009-09-16 02:58 73728 ----a-w- C:\xjehx.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-17 13:43 . 2009-06-17 13:42 49664 --sha-w- c:\windows\system32\huholapu.dll
2009-09-17 03:52 . 2008-06-29 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-16 07:00 . 2009-04-18 02:39 -------- d-----w- c:\program files\mbytes
2009-09-12 02:22 . 2006-05-06 00:07 2138 ----a-w- c:\documents and settings\HP_Owner\Application Data\wklnhst.dat
2009-09-11 23:33 . 2006-04-06 21:53 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Canon
2009-09-10 18:54 . 2009-04-18 02:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-04-18 02:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-28 13:18 . 2008-06-29 02:48 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 13:18 . 2008-06-29 02:48 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 13:18 . 2008-06-29 02:48 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-05 09:11 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-19 14:37 . 2006-05-21 20:26 7184 ----a-w- c:\documents and settings\HP_Owner\Application Data\ViewerApp.dat
2009-07-17 18:55 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-08-04 11:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:18 . 2004-08-04 11:00 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2005-11-03 09:09 . 2006-03-16 00:45 22 --sha-w- c:\windows\SMINST\HPCD.SYS
2009-06-17 13:43 . 2009-06-17 13:43 49664 --sha-w- c:\windows\system32\huhevita.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3da9463e-dda8-4344-a604-e03b4b0a2a95}]
2009-06-17 13:43 49664 --sha-w- c:\windows\system32\huhevita.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-29 155648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-28 2007832]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-25 356352]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-03-18 61952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-12-30 108544]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2007-12-18 151552]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:18 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R0 sonypvl3;sonypvl3;c:\windows\system32\drivers\sonypvl3.sys [3/22/2008 3:28 PM 19507]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/28/2008 10:48 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/28/2008 10:48 PM 108552]
R1 sonypvf3;sonypvf3;c:\windows\system32\drivers\sonypvf3.sys [3/22/2008 3:28 PM 619390]
R1 sonypvt3;sonypvt3;c:\windows\system32\drivers\sonypvt3.sys [3/22/2008 3:28 PM 423454]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/6/2008 9:33 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/6/2008 9:33 AM 297752]
S1 sonypvd3;Sony DVD Handycam;c:\windows\system32\drivers\sonypvd3.sys [3/22/2008 3:28 PM 64964]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/28/2008 9:49 PM 18560]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: Garmin Communicator Plug-In - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
HKLM-Run-11684534 - c:\documents and settings\All Users\Application Data\11684534\11684534.exe
HKLM-Run-rusarepuzo - rumusipa.dll
HKU-Default-Run-Advanced Virus Remover - c:\program files\AdvancedVirusRemover\PAVRM.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-17 20:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-18 21:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-18 01:02

Pre-Run: 98,609,971,200 bytes free
Post-Run: 100,542,132,224 bytes free

185 --- E O F --- 2009-09-11 02:51


Re: Fake Windows Security Center Infection - Big Mess !

Post by Belahzur on 18th September 2009, 8:14 am


  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    C:\psiefutv.exe
    C:\udtcnn.exe
    C:\wpfpqa.exe
    C:\scmhux.exe
    C:\xjehx.exe
    c:\windows\system32\huholapu.dll
    c:\windows\system32\huhevita.dll

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3da9463e-dda8-4344-a604-e03b4b0a2a95}]
    [-HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\drivers\\svchost.exe"=-
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


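The CFScript above removes the hidden-attribute BHO DLL, the Explorer policy key and a firewall exception for a svchost.exe living in system32\drivers, all of which stood out in the Reg Loading Points section of the ComboFix log. As an added example, not part of this thread and not ComboFix's own code, here is a Python check that reads that section and flags such entries automatically; the embedded sample is a constructed excerpt of the log above.

```python
"""Flag tampered security settings in the "Reg Loading Points" section of a ComboFix log.

Added example, not part of this thread and not ComboFix's own code. The checks
correspond to entries in the logs posted above and to what the CFScript removes:

  * "EnableFirewall"= 0 in the standard firewall profile
  * Security Center "DisableMonitoring" / "UpdatesDisableNotify" set to 1
  * firewall AuthorizedApplications entries for a program in a subfolder of
    system32 (such as system32\drivers\svchost.exe) or outside the usual roots
  * Run values printed with [BU] where the file's date and size would normally be
  * BHO / loader file lines carrying the hidden+system attributes (--sha-w-)
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \d+ (?P<attrs>\S+) (?P<path>.+)$")

# Roots from which a firewall-authorised program is expected to run (lower-case).
SYSTEM32_ROOTS = ("%windir%\\system32\\", "c:\\windows\\system32\\")
PROGRAM_ROOTS = ("c:\\program files\\",)

# Constructed sample: a trimmed copy of the Reg Loading Points section above.
SAMPLE_COMBOFIX = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3da9463e-dda8-4344-a604-e03b4b0a2a95}]
2009-06-17 13:43 49664 --sha-w- c:\windows\system32\huhevita.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-28 2007832]
"rusarepuzo"="rumusipa.dll" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"""


def normalize(path):
    """Undo the doubled backslashes ComboFix prints inside quoted value names."""
    return path.replace("\\\\", "\\").lower()


def check_authorized_app(path):
    """Return a finding kind for a firewall exception path, or None if it looks ordinary."""
    for root in SYSTEM32_ROOTS:
        # Genuine system binaries sit directly in system32, not in a subfolder.
        if path.startswith(root) and "\\" in path[len(root):]:
            return "firewall_exception_in_system32_subdir"
    if not path.startswith(SYSTEM32_ROOTS + PROGRAM_ROOTS):
        return "firewall_exception_unusual_path"
    return None


def scan_reg_loading_points(text):
    """Walk the section line by line; return (kind, key, detail) tuples in log order."""
    findings = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m["key"].lower()
        elif m := FILE_RE.match(line):
            if "h" in m["attrs"] and "s" in m["attrs"]:
                findings.append(("hidden_system_file", key, m["path"]))
        elif m := VALUE_RE.match(line):
            name, data = m["name"], m["data"].strip()
            if "firewallpolicy" in key and name == "EnableFirewall" and data.startswith("0"):
                findings.append(("firewall_disabled", key, name))
            elif ("security center" in key and data == "dword:00000001"
                  and name in ("DisableMonitoring", "UpdatesDisableNotify")):
                findings.append(("security_center_disabled", key, name))
            elif key.endswith("authorizedapplications\\list"):
                path = normalize(name)
                kind = check_authorized_app(path)
                if kind:
                    findings.append((kind, key, path))
            elif data.endswith("[BU]"):
                findings.append(("run_value_no_file_info", key, name))
    return findings


if __name__ == "__main__":
    for kind, key, detail in scan_reg_loading_points(SAMPLE_COMBOFIX):
        print(f"{kind:40} {detail}   ({key})")
```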

Re: Fake Windows Security Center Infection - Big Mess !

Post by Resto on 18th September 2009, 12:32 pm

Good morning, or evening, whichever the case may be.

Here is the requested ComboFix log:

ComboFix 09-09-17.04 - HP_Owner 09/18/2009 8:18.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1015.590 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

FILE ::
"C:\psiefutv.exe"
"C:\scmhux.exe"
"C:\udtcnn.exe"
"c:\windows\system32\huhevita.dll"
"c:\windows\system32\huholapu.dll"
"C:\wpfpqa.exe"
"C:\xjehx.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\psiefutv.exe
C:\scmhux.exe
C:\udtcnn.exe
c:\windows\system32\huhevita.dll
c:\windows\system32\huholapu.dll
C:\wpfpqa.exe
C:\xjehx.exe

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.

2009-09-17 12:49 . 2009-09-17 12:49 -------- d-----w- c:\program files\Trend Micro
2009-09-16 07:04 . 2009-09-16 07:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-16 05:43 . 2009-09-17 04:25 -------- d-----w- c:\program files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-17 03:52 . 2008-06-29 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-16 07:00 . 2009-04-18 02:39 -------- d-----w- c:\program files\mbytes
2009-09-12 02:22 . 2006-05-06 00:07 2138 ----a-w- c:\documents and settings\HP_Owner\Application Data\wklnhst.dat
2009-09-11 23:33 . 2006-04-06 21:53 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Canon
2009-09-10 18:54 . 2009-04-18 02:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-04-18 02:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-28 13:18 . 2008-06-29 02:48 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 13:18 . 2008-06-29 02:48 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 13:18 . 2008-06-29 02:48 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-05 09:11 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-19 14:37 . 2006-05-21 20:26 7184 ----a-w- c:\documents and settings\HP_Owner\Application Data\ViewerApp.dat
2009-07-17 18:55 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-08-04 11:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:18 . 2004-08-04 11:00 659456 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2005-11-03 09:09 . 2006-03-16 00:45 22 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-29 155648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-28 2007832]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-25 356352]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-03-18 61952]
"rusarepuzo"="rumusipa.dll" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-12-30 108544]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2007-12-18 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:18 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgtray.exe"=

R0 sonypvl3;sonypvl3;c:\windows\system32\drivers\sonypvl3.sys [3/22/2008 3:28 PM 19507]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/28/2008 10:48 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/28/2008 10:48 PM 108552]
R1 sonypvf3;sonypvf3;c:\windows\system32\drivers\sonypvf3.sys [3/22/2008 3:28 PM 619390]
R1 sonypvt3;sonypvt3;c:\windows\system32\drivers\sonypvt3.sys [3/22/2008 3:28 PM 423454]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/6/2008 9:33 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/6/2008 9:33 AM 297752]
S1 sonypvd3;Sony DVD Handycam;c:\windows\system32\drivers\sonypvd3.sys [3/22/2008 3:28 PM 64964]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/28/2008 9:49 PM 18560]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: Garmin Communicator Plug-In - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-18 08:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-18 8:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-18 12:28
ComboFix2.txt 2009-09-18 01:02

Pre-Run: 100,531,412,992 bytes free
Post-Run: 100,502,388,736 bytes free

152 --- E O F --- 2009-09-11 02:51

Resto
Intermediate
Posts : 63
Joined : 2009-09-17
OS : Windows 7 64 bit
Points : 27071
# Likes : 0

Re: Fake Windows Security Center Infection - Big Mess !

Post by Belahzur on 18th September 2009, 1:21 pm

Hello.
Nearly done now.

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    proquota.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
# Likes : 1

Re: Fake Windows Security Center Infection - Big Mess !

Post by Resto on 18th September 2009, 1:31 pm

Thank you. SystemLook log as requested:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 09:28 on 18/09/2009 by HP_Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "proquota.exe"
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe --a--- 50176 bytes [21:47 18/08/2008] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8

-=End Of File=-


Re: Fake Windows Security Center Infection - Big Mess !

Post by Belahzur on 18th September 2009, 1:34 pm

Hello.
There's a copy of the system file we need to replace. One more run with ComboFix, then we can get rid of ComboFix.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    FCopy::
    C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe | c:\windows\system32\proquota.exe
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.




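The step above copies a file out of the Windows Update download cache over the copy in system32, so the one check a practitioner wants before doing that is that the candidate really is the file it claims to be. The script below is an added example, not part of this thread and not ComboFix or SystemLook: it parses the SystemLook filefind line Resto posted (50176 bytes, MD5 F6465A2EEF75468988A4FCF124148FA8) for the reference values, walks a directory tree for every copy of the named file the way :filefind does, and reports which copies match on both size and MD5. Because the real proquota.exe bytes are not on the page, demo() builds a constructed stand-in tree in a temporary directory and takes its reference hash from the constructed good copy; every path and file name in that tree is an assumption made for the example.

```python
"""Verify candidate copies of a Windows system file against a reference
size and MD5 before restoring one over the copy in system32.

Added example for this thread; it is not ComboFix, SystemLook or anything
the poster ran.  MD5 is used only because that is the hash SystemLook
reports: this is an identity check against a known-good copy, not a
security guarantee on its own.
"""
import hashlib
import os
import re
import tempfile

# The SystemLook ":filefind" result posted in the thread for proquota.exe.
SYSTEMLOOK_LINE = (
    r"C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe"
    " --a--- 50176 bytes [21:47 18/08/2008] [00:12 14/04/2008]"
    " F6465A2EEF75468988A4FCF124148FA8"
)

# path, attribute flags, size, modified stamp, created stamp, MD5
_FILEFIND_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-A-Za-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind_line(line):
    """Return {'path', 'size', 'md5'} for one SystemLook filefind result line."""
    m = _FILEFIND_RE.match(line.strip())
    if not m:
        raise ValueError("not a SystemLook filefind line: %r" % line)
    return {"path": m.group("path"), "size": int(m.group("size")),
            "md5": m.group("md5").upper()}


def file_fingerprint(path):
    """(size, MD5) of a file, hashed in chunks so large binaries are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return os.path.getsize(path), h.hexdigest().upper()


def find_copies(root, name):
    """Every file under root whose name matches case-insensitively
    (Windows file names are case-insensitive, as is SystemLook :filefind)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, fn) for fn in files
                    if fn.lower() == name.lower())
    return sorted(hits)


def verify_copies(root, name, ref_size, ref_md5):
    """Map each copy found under root to True only if BOTH size and MD5 match
    the reference; a same-size file with a different hash is a tampered or
    different build, not a usable replacement."""
    return {p: file_fingerprint(p) == (ref_size, ref_md5.upper())
            for p in find_copies(root, name)}


def demo():
    """Build a constructed tree standing in for C:\\ (the real proquota.exe
    bytes are not on the page, so the reference hash comes from the
    constructed 'good' copy) and report which copies are usable."""
    good = b"MZ" + b"\x00" * 62 + b"constructed stand-in for proquota.exe\n"
    tampered = good[:-1] + b"!"            # same size, different content
    layout = {                             # assumed paths, not from the page
        r"WINDOWS\SoftwareDistribution\Download\cache\proquota.exe": good,
        r"WINDOWS\system32\dllcache\proquota.exe": good,
        r"WINDOWS\system32\proquota.exe": tampered,
        r"WINDOWS\Temp\PROQUOTA.EXE": good[:40],   # truncated copy
    }
    with tempfile.TemporaryDirectory(prefix="filecheck_demo_") as root:
        for rel, data in layout.items():
            full = os.path.join(root, *rel.split("\\"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        ref_size, ref_md5 = len(good), hashlib.md5(good).hexdigest().upper()
        results = verify_copies(root, "proquota.exe", ref_size, ref_md5)
        return {os.path.relpath(p, root).replace(os.sep, "/"): ok
                for p, ok in results.items()}


if __name__ == "__main__":
    ref = parse_filefind_line(SYSTEMLOOK_LINE)
    print("reference from SystemLook: %d bytes, MD5 %s" % (ref["size"], ref["md5"]))
    for path, ok in demo().items():
        print("%-55s %s" % (path, "MATCH" if ok else "mismatch"))
```

Against a real machine you would call verify_copies() on the drive root with the size and MD5 from parse_filefind_line() and only FCopy a candidate that comes back True; the dllcache copy is the natural thing to compare the download-cache copy against before either is written over system32.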

Re: Fake Windows Security Center Infection - Big Mess !

Post by Resto on 18th September 2009, 1:54 pm

Thanks, Belahzur. Here is the requested ComboFix log:

ComboFix 09-09-17.04 - HP_Owner 09/18/2009 9:40.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1015.603 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe --> c:\windows\system32\proquota.exe
.
((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.

2009-09-18 13:40 . 2009-09-18 13:40 -------- d-----w- c:\windows\LastGood
2009-09-18 13:40 . 2004-08-04 12:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-18 13:40 . 2004-08-04 12:00 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-09-17 12:49 . 2009-09-17 12:49 -------- d-----w- c:\program files\Trend Micro
2009-09-16 07:04 . 2009-09-16 07:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-16 05:43 . 2009-09-17 04:25 -------- d-----w- c:\program files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-17 03:52 . 2008-06-29 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-16 07:00 . 2009-04-18 02:39 -------- d-----w- c:\program files\mbytes
2009-09-12 02:22 . 2006-05-06 00:07 2138 ----a-w- c:\documents and settings\HP_Owner\Application Data\wklnhst.dat
2009-09-11 23:33 . 2006-04-06 21:53 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Canon
2009-09-10 18:54 . 2009-04-18 02:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-04-18 02:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-28 13:18 . 2008-06-29 02:48 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 13:18 . 2008-06-29 02:48 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 13:18 . 2008-06-29 02:48 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-05 09:11 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-19 14:37 . 2006-05-21 20:26 7184 ----a-w- c:\documents and settings\HP_Owner\Application Data\ViewerApp.dat
2009-07-17 18:55 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-08-04 11:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:18 . 2004-08-04 11:00 659456 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2005-11-03 09:09 . 2006-03-16 00:45 22 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-18 13:40 . 2008-04-14 00:12 50176 c:\windows\LastGood\system32\proquota.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-29 155648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-28 2007832]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-25 356352]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-03-18 61952]
"rusarepuzo"="rumusipa.dll" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-12-30 108544]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2007-12-18 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:18 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgtray.exe"=

R0 sonypvl3;sonypvl3;c:\windows\system32\drivers\sonypvl3.sys [3/22/2008 3:28 PM 19507]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/28/2008 10:48 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/28/2008 10:48 PM 108552]
R1 sonypvf3;sonypvf3;c:\windows\system32\drivers\sonypvf3.sys [3/22/2008 3:28 PM 619390]
R1 sonypvt3;sonypvt3;c:\windows\system32\drivers\sonypvt3.sys [3/22/2008 3:28 PM 423454]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/6/2008 9:33 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/6/2008 9:33 AM 297752]
S1 sonypvd3;Sony DVD Handycam;c:\windows\system32\drivers\sonypvd3.sys [3/22/2008 3:28 PM 64964]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/28/2008 9:49 PM 18560]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: Garmin Communicator Plug-In - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-18 09:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-09-18 9:48
ComboFix-quarantined-files.txt 2009-09-18 13:48
ComboFix2.txt 2009-09-18 12:28
ComboFix3.txt 2009-09-18 01:02

Pre-Run: 100,504,383,488 bytes free
Post-Run: 100,496,527,360 bytes free

131 --- E O F --- 2009-09-11 02:51

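The Reg Loading Points section in both ComboFix logs above records settings a fake-AV infection typically leaves behind even after its binaries are gone: Security Center monitoring and update notification switched off, the standard firewall profile disabled, and a Run entry ("rusarepuzo"="rumusipa.dll" [BU]) listed without a resolved path or file size. The script below is an added example, not part of ComboFix or of this thread; it parses that section's REGEDIT4-style text and lists those findings. SAMPLE_LOG is copied from the log posted above. The value names it treats as Security Center alert switches (DisableMonitoring, UpdatesDisableNotify, AntiVirusDisableNotify, FirewallDisableNotify, AntiVirusOverride, FirewallOverride) are the XP SP2 Security Center values; the "no full path" heuristic for Run entries is this example's own, not a ComboFix rule.

```python
"""Audit the "Reg Loading Points" section of a ComboFix log for what a
fake-AV infection leaves behind: Windows Security Center alerting switched
off, the firewall profile disabled, and autostart entries that do not
resolve to a file on disk.

Added example for this thread; it is not part of ComboFix.  SAMPLE_LOG is
copied from the log posted above.
"""
import re

SAMPLE_LOG = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-28 2007832]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-03-18 61952]
"rusarepuzo"="rumusipa.dll" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"""

_SECTION_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
_FULL_PATH_RE = re.compile(r"[A-Za-z]:\\")        # a drive-rooted path like c:\

# XP SP2 Security Center values that silence its alerts or monitoring.
SC_ALERT_SWITCHES = {
    "disablemonitoring", "updatesdisablenotify", "antivirusdisablenotify",
    "firewalldisablenotify", "antivirusoverride", "firewalloverride",
}


def parse_dword(data):
    """Parse 'dword:00000001' or ComboFix's '0 (0x0)' form into an int; None if neither."""
    v = data.strip().lower()
    if v.startswith("dword:"):
        return int(v[6:], 16)
    m = re.match(r"^(\d+)", v)
    return int(m.group(1)) if m else None


def audit_reg_loading_points(text):
    """Return a list of (registry key, value name, reason) findings."""
    findings = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue
        name, data = m.group(1), m.group(2).strip()
        k = key.lower()
        if "security center" in k and name.lower() in SC_ALERT_SWITCHES:
            if parse_dword(data):
                findings.append((key, name, "Security Center alerting/monitoring switched off"))
        elif "firewallpolicy" in k and name.lower() == "enablefirewall":
            if parse_dword(data) == 0:
                findings.append((key, name, "Windows Firewall disabled for this profile"))
        elif k.endswith("\\run") or k.endswith("\\runonce"):
            # ComboFix prints a resolved drive-rooted path and [date size] for
            # entries it can find; one with neither deserves a closer look.
            if not _FULL_PATH_RE.search(data):
                findings.append((key, name, "autostart entry has no resolved full path on disk"))
    return findings


if __name__ == "__main__":
    for key, name, reason in audit_reg_loading_points(SAMPLE_LOG):
        print("%-60s %-22s %s" % (key, name, reason))
```

The point of running this after a cleanup rather than before is the first two classes of finding: removing the fake-AV binaries does not put DisableMonitoring, UpdatesDisableNotify or EnableFirewall back, so a machine can be free of the malware and still have its built-in alerting turned off.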

Re: Fake Windows Security Center Infection - Big Mess !

Post by Resto on 18th September 2009, 1:55 pm

Have to leave for work. I will be back to continue at 5:00pm EST. I hope you will be online later this evening. Thanks !


Re: Fake Windows Security Center Infection - Big Mess !

Post by Belahzur on 18th September 2009, 1:57 pm

Hello.
One more log I want to check, then we're done.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

I'll be on later for sure; Friday evening, too tired to do anything.





Re: Fake Windows Security Center Infection - Big Mess !

Post by Resto on 18th September 2009, 10:17 pm

Thanks for your patience with the multiple steps you have dealt with on this case. Here is the requested HJT "uninstall list":

Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 10 ActiveX
Adobe Reader 6.0.1
Agere Systems PCI Soft Modem
Audacity 1.2.6
AVG Free 8.5
Blackhawk Striker 2 from Hewlett-Packard Desktops (remove only)
Blasterball 2 from Hewlett-Packard Desktops (remove only)
Blasterball 2 Holidays from Hewlett-Packard Desktops (remove only)
Blasterball 2 Remix from Hewlett-Packard Desktops (remove only)
Bounce Symphony from Hewlett-Packard Desktops (remove only)
Canon MP Drivers 6.0
Canon MP Navigator 1.0
Canon ScanGear Starter
Compatibility Pack for the 2007 Office system
Coupon Printer for Windows
Crystal Maze from Hewlett-Packard Desktops (remove only)
DVD Decrypter (Remove Only)
DVD Shrink 3.2
Easy Internet Sign-up
Final Drive Nitro from Hewlett-Packard Desktops (remove only)
First Step Guide
Garmin City Navigator North America NT 2010.10 Update
Garmin USB Drivers
Garmin WebUpdater
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Help and Support Additions
HGPeC
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
HP Boot Optimizer
HP Deskjet Printer Preload
HP Image Zone 4.8.6
HP Image Zone Plus 4.8.6
HP Organize
HP Photosmart Cameras 4.5
HP PSC & OfficeJet 4.7
HP Software Update
HPIZplus450
ImageMixer EasyStepDVD
Intel(R) Graphics Media Accelerator Driver
IntelliMover Data Transfer Demo
InterVideo WinDVD Player
iTunes
J2SE Runtime Environment 5.0
LeapFrog Connect
LeapFrog Connect
LeapFrog Tag Plugin
Lexibox Deluxe from Hewlett-Packard Desktops (remove only)
LimeWire 4.18.8
Macromedia Flash Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Office Professional Edition 2003
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mp3 Tag Tools v1.2
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 4.0
neroxml
Overball from Hewlett-Packard Desktops (remove only)
PC-Doctor for Windows
Phoenix Assault from Hewlett-Packard Desktops (remove only)
Photosmart 320,370,7400,8100,8400 Series
Picture Package
PodUtil 2.7.1
Polar Bowler from Hewlett-Packard Desktops (remove only)
Polar Golfer from Hewlett-Packard Desktops (remove only)
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QuickTime
Remove Microsoft Money 2005 installer
Remove Quicken New User Edition installer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Shooting Stars Pool from Hewlett-Packard Desktops (remove only)
Slyder from Hewlett-Packard Desktops (remove only)
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sony DVD Handycam USB Driver 2
Super Granny from Hewlett-Packard Desktops (remove only)
Tradewinds from Hewlett-Packard Desktops (remove only)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
Updates from HP
VCRedistSetup
WebEx
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Driver Package - LeapFrog (FlyUsb) USB (06/15/2007 1.0.0.6)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066


Re: Fake Windows Security Center Infection - Big Mess !

Post by Resto on 18th September 2009, 10:43 pm

In case you need to know, I have a red shield with an X on it in the lower right corner of my screen (next to the clock). When I hover my cursor over it, it says "Windows Security Alerts". Is this the real Windows talking to me, or is it a product of the malware? Thanks.


Re: Fake Windows Security Center Infection - Big Mess !

Post by Belahzur on 19th September 2009, 6:22 pm

Hello.
It's real, it's only because we had AVG disabled for the Combofix. Re-enable AVG and the alert goes away.

I see that you are running Limewire.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    J2SE Runtime Environment 5.0
    LimeWire 4.18.8

Click Start > Run, copy/paste the following text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?




Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
# Likes : 1

Re: Fake Windows Security Center Infection - Big Mess !

Post by Resto on 19th September 2009, 8:49 pm

I have not been using this machine except for communicating with you and following your instructions to remove the malware. I will let you know if there are any further issues.

I have taken your advice and removed the two programs per your suggestion. I do not even know what the J2SE Runtime Environment 5.0 was for. When removing Limewire, I noticed that it had not even been used since November 2008, so I will not miss it at all.

Do you have a hypothesis as to how I got this malware? I remember I was online at what should have been a "non-risky" website, when I heard my HDD going crazy. I know, for certain, that I did not click on any suspicious link. Could this infection have occurred through some scripting that did not require any action from me in order to execute?

Do you have any recommended steps I can take to give my system additional protection?

Please accept my most sincere thanks for the attention you have given to me and this issue with my computer. Your courtesy and professionalism have been beyond compare.

As soon as I post this reply, the first website I will visit is the Geek Police donation page. I do not have a lot of money to spare, but I certainly wish to make at least a small contribution as a sign of my appreciation.

Thank you and best wishes.


Re: Fake Windows Security Center Infection - Big Mess !

Post by Resto on 19th September 2009, 9:59 pm

Followup post:

Out of curiosity, I ran MBAM again a few minutes ago. It found four more items, which I allowed it to fix.

I have not re-started my computer after this scan because when I was initially infected on Thu 17 Sep 2009 I ran MBAM and allowed it to fix things, but my computer developed serious problems upon re-start.

The log for my initial MBAM scan was included on my first Geek Police posting on Thu 17 Sep 2009 12:06 pm.

The log for the MBAM scan I just completed is here:

Malwarebytes' Anti-Malware 1.41
Database version: 2825
Windows 5.1.2600 Service Pack 2

9/19/2009 5:45:01 PM
mbam-log-2009-09-19 (17-45-01).txt

Scan type: Quick Scan
Objects scanned: 91643
Time elapsed: 4 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rusarepuzo (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tftp.msc (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

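As an added illustration (this is not code from the thread, from Malwarebytes or from the helper), here is a small Python parser for the MBAM log format shown above that regroups the findings by what they mean for the cleanup rather than by log section: autostart values under the Run keys (persistence that survives the reboot, with HKLM applying to every account and HKCU only to the one that was logged in), the Security Center *DisableNotify data items (a fake-AV dropper sets them to 1 so the real "Windows Security Alerts" shield stays quiet; MBAM's "Bad: (1) Good: (0)" is it resetting that), and files that borrow a Windows system binary's name outside system32. The sample log is constructed from the lines posted above; SYSTEM_BINARIES, the bucket names and the regexes are my own assumptions about the format, not anything MBAM documents.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout of a Malwarebytes' Anti-Malware 1.4x log; the
# detection lines are the four from the 19 September scan posted above.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2825

Registry Values Infected: 1

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rusarepuzo (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\tftp.msc (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""

# "Registry Values Infected:" opens a section; "Registry Values Infected: 1" is
# only the summary count and must not.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
# <path> (<signature>) -> <action>; for data items <action> starts with Bad/Good.
FINDING_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> ")

# Autostart keys a fake-AV dropper writes to survive the reboot. HKLM applies to
# every account on the machine, HKCU only to the one that was logged in.
AUTOSTART_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
# Key holding the *DisableNotify values that silence the Security Center shield.
SECURITY_CENTER_KEY = "\\microsoft\\security center\\"
# Assumed short list of real XP system binary names and the only directory they
# live in; a copy anywhere else deserves a look before trusting either the
# heuristic or a dismissal.
SYSTEM_BINARIES = {"winlogon.exe", "csrss.exe", "lsass.exe", "svchost.exe", "services.exe"}
SYSTEM_DIR = "c:\\windows\\system32\\"


@dataclass
class Finding:
    section: str               # "Registry Values", "Files", ...
    item: str                  # registry path or file path as MBAM printed it
    detection: str             # MBAM signature name
    action: str                # what MBAM did with it
    bad: Optional[str] = None  # only for Registry Data Items
    good: Optional[str] = None


def parse_mbam_log(text: str) -> List[Finding]:
    """Track the current 'X Infected:' section and turn each detection line into a Finding."""
    findings: List[Finding] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("section")
            continue
        m = FINDING_RE.match(line) if section else None
        if not m:
            continue  # blank, header, summary count, "(No malicious items detected)"
        rest, bad, good = m.group("rest"), None, None
        bg = BAD_GOOD_RE.match(rest)
        if bg:
            bad, good = bg.group("bad"), bg.group("good")
            rest = rest[bg.end():]
        findings.append(Finding(section, m.group("item"), m.group("detection"), rest.strip(), bad, good))
    return findings


def triage(findings: List[Finding]) -> Dict[str, List[str]]:
    """Regroup findings by cleanup meaning: persistence, notification tampering, name collisions, rest."""
    out: Dict[str, List[str]] = {k: [] for k in (
        "autostart", "notification_tampering", "system_name_outside_system32", "other")}
    for f in findings:
        low, leaf = f.item.lower(), f.item.rsplit("\\", 1)[-1]
        if f.section == "Registry Values" and any(mk in low for mk in AUTOSTART_MARKERS):
            scope = "all users" if low.startswith("hkey_local_machine") else "current user"
            out["autostart"].append(f"{leaf} ({scope})")
        elif f.section == "Registry Data Items" and SECURITY_CENTER_KEY in low:
            out["notification_tampering"].append(f"{leaf}: was {f.bad}, reset to {f.good}")
        elif f.section == "Files" and leaf.lower() in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIR):
            out["system_name_outside_system32"].append(f.item)
        else:
            out["other"].append(f.item)
    return out


if __name__ == "__main__":
    print(triage(parse_mbam_log(SAMPLE_LOG)))
```

On the log above this puts rusarepuzo in the autostart bucket as a machine-wide entry, records that UpdatesDisableNotify was 1 and is now 0, and sets the Desktop winlogon.exe aside as a name collision to inspect rather than deciding for you; the red shield Resto asked about is the opposite situation, the shield showing because the notify values are enabled and AVG was off, which is consistent with Belahzur's reading.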

Re: Fake Windows Security Center Infection - Big Mess !

Post by Belahzur on 20th September 2009, 2:10 am

Hello.
Nothing serious in that log. One leftover run value, one modified value, one harmless file and one false positive.


Re: Fake Windows Security Center Infection - Big Mess !

Post by Resto on 20th September 2009, 3:46 am

Great news. Thanks again.
