win32:fakealert-fc

View previous topic View next topic Go down

win32:fakealert-fc

Post by shifty77 on 11th December 2009, 10:08 pm

hi all
My avast! Home Edition is alerting me to the presence of Win32:FakeAlert-FC [Trj]. It finds this in C:\Windows\Temp\xxxx.tmp\svchost.exe (where xxxx is a random alphabetical string). I can delete/quarantine the file, but new xxx.tmps are generated every so many minutes.
i dl Malwarebytes' Anti-Malware and ran it and found 4 infected files Made sure that everything was checked, and click´d Remove Selected and teh restarted computer
this is the log from mbam-log
Malwarebytes' Anti-Malware 1.42
Database version: 3346
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

12/11/2009 5:53:40 PM
mbam-log-2009-12-11 (17-53-40).txt

Scan type: Quick Scan
Objects scanned: 93685
Time elapsed: 3 minute(s), 12 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\WINDOWS\system32\qtplugin.exe (Rootkit.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\registrymonitor1 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\registrymonitor1 (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\qtplugin.exe (Rootkit.Agent) -> Quarantined and deleted successfully.


and now when i run mbam it does not find anything but the message from avast keeps popping up
hope i can get help
thanks from kristjan

shifty77
Novice
Novice

Posts Posts : 7
Joined Joined : 2009-12-11
OS OS : xp
Points Points : 25668
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32:fakealert-fc

Post by Belahzur on 11th December 2009, 10:43 pm

Hello.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the report to your Desktop.
  • Copy and paste BOTH LOGS back here, use more than one post if needed.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: win32:fakealert-fc

Post by shifty77 on 11th December 2009, 10:55 pm

DDS (Ver_09-12-01.01) - NTFSx86
Run by krissi at 22:50:02.50 on Fri 12/11/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1299 [GMT -8:00]

AV: avast! antivirus 4.8.1368 [VPS 091211-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
svchost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\krissi\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
mDefault_Search_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
BHO: Yahoo! Companion BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_6_0_1.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_6_0_1.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [TkBellExe] "c:\program files\k-lite codec pack\real\update_ob\realsched.exe" -osboot
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [WIAWizardMenu] RUNDLL32.EXE c:\windows\system32\sti_ci.dll,WiaCreateWizardMenu
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/229?745b90a1a6e04762926450c30aaa9d81
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/230?745b90a1a6e04762926450c30aaa9d81
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\krissi\applic~1\mozilla\firefox\profiles\lce5cyzc.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\mozilla firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\documents and settings\krissi\local settings\application data\yahoo!\browserplus\2.4.21\plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-9 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-9 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-7-9 138680]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-7-13 54752]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-7-9 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-7-9 352920]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-11 38224]
S2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-7-12 234888]
S2 gupdate1ca094a890c6040;Google Update Service (gupdate1ca094a890c6040);c:\program files\google\update\GoogleUpdate.exe [2009-7-20 133104]
S2 ynfcuj;ynfcuj;\??\c:\windows\system32\drivers\cmxuhvl.sys --> c:\windows\system32\drivers\cmxuhvl.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]

=============== Created Last 30 ================

2009-12-12 04:21:11 81920 ----a-w- c:\windows\eSellerateControl350.dll
2009-12-12 04:21:11 356352 ----a-w- c:\windows\eSellerateEngine.dll
2009-12-12 04:21:10 0 d-----w- c:\program files\True Sword 5
2009-12-12 03:44:17 0 d-----w- c:\program files\Win32.Trojan.Delf Removal Tool
2009-12-12 01:48:42 0 d-----w- c:\docume~1\krissi\applic~1\Malwarebytes
2009-12-12 01:48:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-12 01:48:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-12 01:48:37 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-12 01:48:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-18 05:13:48 0 d-----w- C:\rjúpa

==================== Find3M ====================

2009-12-12 06:39:16 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-29 05:38:23 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-25 07:12:35 18527244 ----a-w- c:\docume~1\alluse~1\applic~1\vlc-1.0.2-win32.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-09-25 05:37:09 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-07-22 01:58:51 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 22:50:21.68 ===============

shifty77
Novice
Novice

Posts Posts : 7
Joined Joined : 2009-12-11
OS OS : xp
Points Points : 25668
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32:fakealert-fc

Post by shifty77 on 11th December 2009, 10:56 pm

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 7/9/2009 1:06:51 PM
System Uptime: 12/11/2009 6:56:56 PM (4 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | P31-DS3L
Processor: Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz | Socket 775 | 2666/333mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 43.678 GiB free.
D: is CDROM (UDF)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

50 FREE MP3s +1 Free Audiobook!
AAC Decoder
Acrobat.com
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 9.2
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Ask Toolbar
AutoUpdate
avast! Antivirus
Connect
Critical Update for Windows Media Player 11 (KB959772)
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
Form Fill (Windows Live Toolbar)
Google Chrome
Google Update Helper
H.264 Decoder
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Junk Mail filter update
K-Lite Mega Codec Pack 4.7.5
kuler
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
McAfee Security Scan
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
MKV Splitter
Mozilla Firefox (3.5.5)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA Drivers
OneCare Advisor (Windows Live Toolbar)
PDF Settings CS4
Photoshop Camera Raw
Popup Blocker (Windows Live Toolbar)
RealPlayer
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB976325)
Segoe UI
Skype web features
Skype™ 4.1
Smart Menus (Windows Live Toolbar)
Suite Shared Configuration CS4
Tabbed Browsing (Windows Live Toolbar)
Trojan Remover 6.8.1
True Sword 5
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
VC80CRTRedist - 8.0.50727.762
VLC media player 0.9.2
WebFldrs XP
Winamp
Winamp Toolbar
Windows Imaging Component
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Favorites for Windows Live Toolbar
Windows Live Mail
Windows Live Messenger
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Yahoo! BrowserPlus
Yahoo! Companion
Yahoo! Install Manager
Yahoo! Widgets

==== Event Viewer Messages From Past Week ========

12/8/2009 6:59:40 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
12/8/2009 6:59:40 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
12/11/2009 5:55:19 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

==== End Of File ===========================

shifty77
Novice
Novice

Posts Posts : 7
Joined Joined : 2009-12-11
OS OS : xp
Points Points : 25668
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32:fakealert-fc

Post by Belahzur on 12th December 2009, 12:51 am

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Ask Toolbar


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: win32:fakealert-fc

Post by shifty77 on 12th December 2009, 1:25 am

ComboFix 09-12-11.01 - krissi 12/12/2009 1:14.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1628 [GMT -8:00]
Running from: c:\documents and settings\krissi\My Documents\Downloads\Combo-Fix.exe
AV: avast! antivirus 4.8.1368 [VPS 091211-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AskSearch\bin\DefaultSearch.dll
c:\windows\OPTIONS\CABS\_desktop.ini

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-11-12 to 2009-12-12 )))))))))))))))))))))))))))))))
.

2009-12-12 04:21 . 2009-04-17 04:11 81920 ----a-w- c:\windows\eSellerateControl350.dll
2009-12-12 04:21 . 2009-04-17 00:36 356352 ----a-w- c:\windows\eSellerateEngine.dll
2009-12-12 04:21 . 2009-12-12 05:02 -------- d-----w- c:\program files\True Sword 5
2009-12-12 03:44 . 2009-12-12 04:17 -------- d-----w- c:\program files\Win32.Trojan.Delf Removal Tool
2009-12-12 01:48 . 2009-12-12 01:48 -------- d-----w- c:\documents and settings\krissi\Application Data\Malwarebytes
2009-12-12 01:48 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-12 01:48 . 2009-12-12 01:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-12 01:48 . 2009-12-12 01:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-12 01:48 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-11 05:17 . 2009-12-11 05:17 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-12-11 01:20 . 2009-10-18 04:27 3101560 ----a-w- c:\documents and settings\krissi\Application Data\Simply Super Software\Trojan Remover\vvi98.exe
2009-11-22 08:34 . 2009-10-18 04:27 3101560 ----a-w- c:\documents and settings\krissi\Application Data\Simply Super Software\Trojan Remover\pru681.exe
2009-11-18 05:13 . 2009-11-18 05:14 -------- d-----w- C:\rjúpa

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-12 09:12 . 2009-07-22 02:06 -------- d-----w- c:\documents and settings\krissi\Application Data\Skype
2009-12-12 08:07 . 2009-07-22 07:28 -------- d-----w- c:\documents and settings\krissi\Application Data\skypePM
2009-12-12 06:39 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-12 05:54 . 2009-07-12 10:20 -------- d-----w- c:\program files\uTorrent
2009-12-12 05:54 . 2009-07-22 02:06 -------- d-----w- c:\documents and settings\krissi\Application Data\uTorrent
2009-12-11 02:50 . 2009-07-22 07:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-07 09:18 . 2009-10-30 07:12 -------- d-----w- c:\documents and settings\krissi\Application Data\dvdcss
2009-11-29 05:36 . 2009-07-09 12:13 8 ----a-w- c:\windows\system32\nvModes.dat
2009-11-24 23:54 . 2009-07-09 12:59 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-07-09 12:59 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2009-07-09 12:59 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2009-07-09 12:59 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2009-07-09 12:59 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2009-07-09 12:59 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-07-09 12:59 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-07-09 12:59 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-07-09 12:59 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-22 08:33 . 2009-10-10 21:42 -------- d-----w- c:\program files\Trojan Remover
2009-11-05 22:55 . 2009-11-05 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-05 22:46 . 2009-11-05 22:46 -------- d-----w- c:\program files\McAfee Security Scan
2009-11-05 22:46 . 2009-11-05 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-10-29 05:38 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-25 07:12 . 2009-10-25 07:09 18527244 ----a-w- c:\documents and settings\All Users\Application Data\vlc-1.0.2-win32.exe
2009-10-25 07:12 . 2009-10-25 07:09 18527244 ----a-w- c:\documents and settings\All Users\Application Data\vlc-1.0.2-win32.exe
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-20 04:38 . 2009-08-13 22:51 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-13 10:30 . 2004-08-04 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-09-25 05:37 . 2009-07-22 01:55 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-21 22:59 . 2009-10-10 21:26 3101560 ----a-w- c:\documents and settings\krissi\Application Data\Simply Super Software\Trojan Remover\jpr6B.exe
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-26 25604904]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WIAWizardMenu"="c:\windows\system32\sti_ci.dll" [2008-04-14 136704]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/9/2009 4:59 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/9/2009 4:59 AM 20560]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [7/13/2009 2:30 AM 54752]
S2 gupdate1ca094a890c6040;Google Update Service (gupdate1ca094a890c6040);c:\program files\Google\Update\GoogleUpdate.exe [7/20/2009 6:58 AM 133104]
S2 ynfcuj;ynfcuj;\??\c:\windows\system32\drivers\cmxuhvl.sys --> c:\windows\system32\drivers\cmxuhvl.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 9:48 PM 704864]
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?745b90a1a6e04762926450c30aaa9d81
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?745b90a1a6e04762926450c30aaa9d81
FF - ProfilePath - c:\documents and settings\krissi\Application Data\Mozilla\Firefox\Profiles\lce5cyzc.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\documents and settings\krissi\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-12-12 01:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0xBAC0A64C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba737852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xba630bb0
PacketIndicateHandler -> NDIS.sys @ 0xba63da21
SendHandler -> NDIS.sys @ 0xba61b87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-12-12 01:18:25
ComboFix-quarantined-files.txt 2009-12-12 09:18

Pre-Run: 46,786,072,576 bytes free
Post-Run: 47,097,765,888 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

- - End Of File - - E6AA79A1184819EBC61A0B0FCE334366

shifty77
Novice
Novice

Posts Posts : 7
Joined Joined : 2009-12-11
OS OS : xp
Points Points : 25668
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32:fakealert-fc

Post by Belahzur on 12th December 2009, 1:33 am


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    DirLook::
    C:\rjúpa

    Driver::
    ynfcuj

    DDS::
    uStart Page = [You must be registered and logged in to see this link.]
    uSearchURL,(Default) = [You must be registered and logged in to see this link.]
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: win32:fakealert-fc

Post by shifty77 on 12th December 2009, 2:10 am

ComboFix 09-12-11.01 - krissi 12/12/2009 1:56.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1628 [GMT -8:00]
Running from: c:\documents and settings\krissi\My Documents\Downloads\Combo-Fix.exe
Command switches used :: c:\documents and settings\krissi\My Documents\Downloads\cfscript.txt
AV: avast! antivirus 4.8.1368 [VPS 091211-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_YNFCUJ
-------\Service_ynfcuj


((((((((((((((((((((((((( Files Created from 2009-11-12 to 2009-12-12 )))))))))))))))))))))))))))))))
.

2009-12-12 04:21 . 2009-04-17 04:11 81920 ----a-w- c:\windows\eSellerateControl350.dll
2009-12-12 04:21 . 2009-04-17 00:36 356352 ----a-w- c:\windows\eSellerateEngine.dll
2009-12-12 04:21 . 2009-12-12 05:02 -------- d-----w- c:\program files\True Sword 5
2009-12-12 03:44 . 2009-12-12 04:17 -------- d-----w- c:\program files\Win32.Trojan.Delf Removal Tool
2009-12-12 01:48 . 2009-12-12 01:48 -------- d-----w- c:\documents and settings\krissi\Application Data\Malwarebytes
2009-12-12 01:48 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-12 01:48 . 2009-12-12 01:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-12 01:48 . 2009-12-12 01:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-12 01:48 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-11 05:17 . 2009-12-11 05:17 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-12-11 01:20 . 2009-10-18 04:27 3101560 ----a-w- c:\documents and settings\krissi\Application Data\Simply Super Software\Trojan Remover\vvi98.exe
2009-11-22 08:34 . 2009-10-18 04:27 3101560 ----a-w- c:\documents and settings\krissi\Application Data\Simply Super Software\Trojan Remover\pru681.exe
2009-11-18 05:13 . 2009-11-18 05:14 -------- d-----w- C:\rjúpa

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-12 10:01 . 2009-07-22 07:28 -------- d-----w- c:\documents and settings\krissi\Application Data\skypePM
2009-12-12 10:01 . 2009-07-22 02:06 -------- d-----w- c:\documents and settings\krissi\Application Data\Skype
2009-12-12 06:39 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-12 05:54 . 2009-07-12 10:20 -------- d-----w- c:\program files\uTorrent
2009-12-12 05:54 . 2009-07-22 02:06 -------- d-----w- c:\documents and settings\krissi\Application Data\uTorrent
2009-12-11 02:50 . 2009-07-22 07:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-07 09:18 . 2009-10-30 07:12 -------- d-----w- c:\documents and settings\krissi\Application Data\dvdcss
2009-11-29 05:36 . 2009-07-09 12:13 8 ----a-w- c:\windows\system32\nvModes.dat
2009-11-24 23:54 . 2009-07-09 12:59 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-07-09 12:59 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2009-07-09 12:59 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2009-07-09 12:59 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2009-07-09 12:59 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2009-07-09 12:59 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-07-09 12:59 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-07-09 12:59 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-07-09 12:59 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-22 08:33 . 2009-10-10 21:42 -------- d-----w- c:\program files\Trojan Remover
2009-11-05 22:55 . 2009-11-05 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-05 22:46 . 2009-11-05 22:46 -------- d-----w- c:\program files\McAfee Security Scan
2009-11-05 22:46 . 2009-11-05 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-10-29 05:38 . 2004-08-04 12:00 667136 ------w- c:\windows\system32\wininet.dll
2009-10-25 07:12 . 2009-10-25 07:09 18527244 ----a-w- c:\documents and settings\All Users\Application Data\vlc-1.0.2-win32.exe
2009-10-25 07:12 . 2009-10-25 07:09 18527244 ----a-w- c:\documents and settings\All Users\Application Data\vlc-1.0.2-win32.exe
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-20 04:38 . 2009-08-13 22:51 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-13 10:30 . 2004-08-04 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-09-25 05:37 . 2009-07-22 01:55 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-21 22:59 . 2009-10-10 21:26 3101560 ----a-w- c:\documents and settings\krissi\Application Data\Simply Super Software\Trojan Remover\jpr6B.exe
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\rjúpa ----

2009-11-18 05:14 . 2009-11-18 05:15 26624 --sha-w- c:\rjúpa\Thumbs.db
2009-11-15 20:03 . 2009-11-18 05:13 597161 ----a-w- c:\rjúpa\rjúpa 008.jpg
2009-11-15 20:02 . 2009-11-18 05:13 585427 ----a-w- c:\rjúpa\rjúpa 007.jpg
2009-11-14 21:27 . 2009-11-18 05:13 1146526 ----a-w- c:\rjúpa\rjúpa 006.jpg
2009-11-14 21:26 . 2009-11-18 05:13 961713 ----a-w- c:\rjúpa\rjúpa 005.jpg
2009-11-14 21:26 . 2009-11-18 05:13 1313410 ----a-w- c:\rjúpa\rjúpa 004.jpg
2009-11-14 07:18 . 2009-11-18 05:13 972198 ----a-w- c:\rjúpa\rjúpa 003.jpg
2009-11-14 07:18 . 2009-11-18 05:13 1059424 ----a-w- c:\rjúpa\rjúpa 002.jpg
2009-11-14 07:16 . 2009-11-18 05:13 1087563 ----a-w- c:\rjúpa\rjúpa 001.jpg


((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-12 10:01 . 2009-12-12 10:01 16384 c:\windows\Temp\Perflib_Perfdata_5e0.dat
+ 2009-12-12 09:55 . 2009-12-12 09:55 16384 c:\windows\Temp\Perflib_Perfdata_5a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-26 25604904]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-10 8429568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WIAWizardMenu"="c:\windows\system32\sti_ci.dll" [2008-04-14 136704]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/9/2009 4:59 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/9/2009 4:59 AM 20560]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [7/13/2009 2:30 AM 54752]
S2 gupdate1ca094a890c6040;Google Update Service (gupdate1ca094a890c6040);c:\program files\Google\Update\GoogleUpdate.exe [7/20/2009 6:58 AM 133104]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 9:48 PM 704864]
.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?745b90a1a6e04762926450c30aaa9d81
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?745b90a1a6e04762926450c30aaa9d81
FF - ProfilePath - c:\documents and settings\krissi\Application Data\Mozilla\Firefox\Profiles\lce5cyzc.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\documents and settings\krissi\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-12-12 02:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xBAC1264C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba737852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xba630bb0
PacketIndicateHandler -> NDIS.sys @ 0xba63da21
SendHandler -> NDIS.sys @ 0xba61b87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(1008)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-12-12 02:03:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-12 10:03
ComboFix2.txt 2009-12-12 09:18

Pre-Run: 47,095,898,112 bytes free
Post-Run: 47,000,252,416 bytes free

- - End Of File - - CA4D0FB9D0202FA692329065D7105FC4

shifty77
Novice
Novice

Posts Posts : 7
Joined Joined : 2009-12-11
OS OS : xp
Points Points : 25668
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32:fakealert-fc

Post by Belahzur on 12th December 2009, 8:56 pm

Hello.
Please post a new Hijack This log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: win32:fakealert-fc

Post by shifty77 on 12th December 2009, 10:13 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:23 PM, on 12/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\krissi\My Documents\Downloads\winlogon.scr

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Global Startup: McAfee Security Scan.lnk = ?
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Open in new background tab - [You must be registered and logged in to see this link.] Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?745b90a1a6e04762926450c30aaa9d81
O8 - Extra context menu item: Open in new foreground tab - [You must be registered and logged in to see this link.] Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?745b90a1a6e04762926450c30aaa9d81
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1ca094a890c6040) (gupdate1ca094a890c6040) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5533 bytes

shifty77
Novice
Novice

Posts Posts : 7
Joined Joined : 2009-12-11
OS OS : xp
Points Points : 25668
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32:fakealert-fc

Post by Belahzur on 13th December 2009, 1:46 am

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]


  • Press "Fix Checked"
  • Close Hijack This.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: win32:fakealert-fc

Post by shifty77 on 13th December 2009, 2:51 am

looks like every thing is good thanks for saving my computer

shifty77
Novice
Novice

Posts Posts : 7
Joined Joined : 2009-12-11
OS OS : xp
Points Points : 25668
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum