Fake System Security virus


Post by xmchrismx on 16th February 2010, 1:35 am

I'm not quite sure how I got it, but that's neither here nor there. Basically I can't open anything at all (in normal mode). In safe mode I downloaded SAS, CCleaner, ATL, and Malwarebytes Anti-Malware, and those didn't solve the problem, so without further ado here are my logs from HijackThis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:28 PM, on 2/15/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\Program Files\Trillian\trillian.exe
C:\Users\Chris\Software\winlogon.scr

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ooVoo Toolbar - {A1FB2F9A-D35E-11DD-8935-E46A56D89593} - C:\Program Files\oovootb\oovoodx.dll
O2 - BHO: EGISCAWEB - {CC4C1BCF-FE58-4372-9176-D9CF3D1B6D5B} - C:\Program Files\Egisca Toolbar\EgiscaToolbar.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: (no name) - {18C388BB-5014-4906-AE38-E62BA5AA7387} - (no file)
O3 - Toolbar: ooVoo Toolbar - {A1FB2F9A-D35E-11DD-8935-E46A56D89593} - C:\Program Files\oovootb\oovoodx.dll
O3 - Toolbar: Egisca Toolbar - {C1E68079-1B2C-41D7-A3C2-BE82E570251E} - C:\Program Files\Egisca Toolbar\EgiscaToolbar.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PLFSetL] C:\Windows\PLFSetL.exe
O4 - HKLM\..\Run: [SNUVCDSM] C:\Windows\snuvcdsm.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [sabyqnpv] C:\Users\Chris\AppData\Local\ppbblx\amtysftav.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E80571E-38C2-4671-8FAD-C55746E4A3FE}: NameServer = 93.188.164.88,93.188.161.39
O17 - HKLM\System\CCS\Services\Tcpip\..\{955C0F16-A8AF-4A91-BA7B-E070D36F2FC0}: NameServer = 93.188.164.88,93.188.161.39
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.88,93.188.161.39
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.164.88,93.188.161.39
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.88,93.188.161.39
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: FencesShellExt - {1984DD45-52CF-49cd-AB77-18F378FEA264} - C:\Program Files\Stardock\Fences\FencesMenu.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7675 bytes


Re: Fake System Security virus

Post by xmchrismx on 16th February 2010, 4:31 am

Actually, I just realized that I did that via safe mode. I'm not sure if it matters, but I did this again booting regularly. I barely had enough time to save it before it crashed my computer for running that program; here it is again in normal boot mode.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:20 PM, on 2/15/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\snuvcdsm.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Users\Chris\AppData\Local\ppbblx\amtysftav.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Users\Chris\Desktop\winlogon.scr
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Users\Chris\AppData\Local\Yahoo\Widget Engine\Unzipped\SimpleMonitor.widget\SimpleMonitor-1.0.5.widget\Contents\resources\exe\SimpleMonitor.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ooVoo Toolbar - {A1FB2F9A-D35E-11DD-8935-E46A56D89593} - C:\Program Files\oovootb\oovoodx.dll
O2 - BHO: EGISCAWEB - {CC4C1BCF-FE58-4372-9176-D9CF3D1B6D5B} - C:\Program Files\Egisca Toolbar\EgiscaToolbar.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: (no name) - {18C388BB-5014-4906-AE38-E62BA5AA7387} - (no file)
O3 - Toolbar: ooVoo Toolbar - {A1FB2F9A-D35E-11DD-8935-E46A56D89593} - C:\Program Files\oovootb\oovoodx.dll
O3 - Toolbar: Egisca Toolbar - {C1E68079-1B2C-41D7-A3C2-BE82E570251E} - C:\Program Files\Egisca Toolbar\EgiscaToolbar.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PLFSetL] C:\Windows\PLFSetL.exe
O4 - HKLM\..\Run: [SNUVCDSM] C:\Windows\snuvcdsm.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [sabyqnpv] C:\Users\Chris\AppData\Local\ppbblx\amtysftav.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E80571E-38C2-4671-8FAD-C55746E4A3FE}: NameServer = 93.188.164.88,93.188.161.39
O17 - HKLM\System\CCS\Services\Tcpip\..\{955C0F16-A8AF-4A91-BA7B-E070D36F2FC0}: NameServer = 93.188.164.88,93.188.161.39
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.88,93.188.161.39
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.164.88,93.188.161.39
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.88,93.188.161.39
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: FencesShellExt - {1984DD45-52CF-49cd-AB77-18F378FEA264} - C:\Program Files\Stardock\Fences\FencesMenu.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8424 bytes

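Both HijackThis logs above carry the same handful of indicators that make a helper ask for a ComboFix run: a browser proxy forced to 127.0.0.1:5555, the same two nameservers (93.188.164.88 and 93.188.161.39) written into every TCP/IP Parameters key, a Run value with a random-looking name (sabyqnpv) launching amtysftav.exe out of AppData\Local, and a winlogon.scr running from the user's profile (Software folder in the safe-mode log, Desktop in the normal-boot log). The script below is an added example, not the poster's code or part of HijackThis, that reads a v2 log and pulls those categories out; the sample is a subset of lines copied from the logs above, and the scoring rules (user-writable paths, consonant-run names, loopback proxies, resolvers outside an owner-supplied expected set) are the editor's own first-pass heuristics, not a verdict on any line.

```python
"""Triage a HijackThis v2 log for the indicators visible in the thread above.

Added example, not part of the original posts. The heuristics are the
editor's own first-pass rules, not a verdict on any single line.
"""
import re
from ipaddress import ip_address

# Constructed sample: a subset of lines copied from the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Users\Chris\AppData\Local\ppbblx\amtysftav.exe
C:\Users\Chris\Desktop\winlogon.scr

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [sabyqnpv] C:\Users\Chris\AppData\Local\ppbblx\amtysftav.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.88,93.188.161.39
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Locations a standard user can write to: autoruns and live processes there
# deserve a look, since installers for real software rarely use them.
USER_WRITABLE = re.compile(r"\\(users|appdata|desktop|temp|programdata)\\", re.I)
# Core Windows binary names that malware likes to borrow (here: winlogon.scr).
SYSTEM_NAMES = {"winlogon", "explorer", "svchost", "csrss", "lsass", "services"}
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\(system32\\)?[^\\]+$", re.I)

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,\s]+)$")
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>.+)$")


def looks_random(name: str) -> bool:
    """Crude check for generated value names such as 'sabyqnpv': all lowercase
    letters, six or more long, with a run of four or more consonants."""
    return (name.isalpha() and name.islower() and len(name) >= 6
            and re.search(r"[bcdfghjklmnpqrstvwxyz]{4,}", name) is not None)


def triage(log_text: str, expected_resolvers=frozenset()) -> list:
    """Return (category, reason, line) tuples for lines worth a closer look.
    expected_resolvers: DNS servers the owner knows are theirs (ISP, OpenDNS, ...)."""
    findings = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:  # a blank line ends the process list
                in_procs = False
                continue
            stem = line.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
            if stem in SYSTEM_NAMES and not WINDOWS_DIR.match(line):
                findings.append(("process", "system binary name outside Windows dir", line))
            elif USER_WRITABLE.search(line):
                findings.append(("process", "running from user-writable path", line))
            continue
        if m := O4_RE.match(line):
            reasons = []
            if USER_WRITABLE.search(m["cmd"]):
                reasons.append("autorun from user-writable path")
            if looks_random(m["name"]):
                reasons.append("random-looking value name")
            if reasons:
                findings.append(("autorun", "; ".join(reasons), line))
        elif m := PROXY_RE.match(line):
            # "http=127.0.0.1:5555": every browser request goes through a local
            # listener. Legitimate web filters do this too, so identify the process
            # bound to that port (netstat -abno) before calling it malicious.
            for entry in m["proxy"].split(";"):
                host = entry.split("=")[-1].rsplit(":", 1)[0].strip()
                try:
                    if host == "localhost" or ip_address(host).is_loopback:
                        findings.append(("proxy", "browser proxied through localhost", line))
                        break
                except ValueError:
                    continue
        elif m := O17_RE.match(line):
            for server in (s.strip() for s in m["servers"].split(",")):
                try:
                    ip = ip_address(server)
                except ValueError:
                    continue
                if ip.is_private or ip.is_loopback or server in expected_resolvers:
                    continue
                findings.append(("nameserver", f"resolver {server} not in expected set", line))
    return findings


if __name__ == "__main__":
    for category, reason, line in triage(SAMPLE_HJT_LOG):
        print(f"[{category}] {reason}\n    {line}")
```

Run against the sample it reports six lines: the two user-profile processes, the sabyqnpv autorun, the loopback proxy and one entry per nameserver. Pass the resolvers you actually expect (the ISP's, or a public resolver you configured yourself) as `expected_resolvers` and the O17 findings disappear; anything left is a resolver nobody on the machine chose, which is exactly the case the O17 lines above describe.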

Re: Fake System Security virus

Post by Dr Jay on 16th February 2010, 3:04 pm

Please visit this webpage for a tutorial on downloading and running ComboFix:

[You must be registered and logged in to see this link.]

See the area: Using ComboFix, and when done, post the log back here.


Re: Fake System Security virus

Post by xmchrismx on 16th February 2010, 4:22 pm

Once again I did this in safe mode; I hope that's ok, but here are the logs.



ComboFix 10-02-12.01 - Chris 02/16/2010 10:50:33.1.2 - x86 NETWORK
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.1687 [GMT -5:00]
Running from: c:\users\Chris\Software\ComboFix.exe
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-467562527-1896384194-1313823302-500
c:\users\Chris\AppData\Local\ppbblx
c:\users\Chris\AppData\Local\ppbblx\amtysftav.exe
c:\users\Chris\AppData\Roaming\inst.exe
c:\windows\system32\SIntf16.dll
c:\windows\system32\wbem\Performance\WmiApRpl_new.h
D:\install.exe
H:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-01-16 to 2010-02-16 )))))))))))))))))))))))))))))))
.

2010-02-16 15:40 . 2010-02-16 15:48 -------- d-----w- C:\32788R22FWJFW
2010-02-15 21:54 . 2010-02-15 21:54 52224 ----a-w- c:\users\Chris\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-15 21:54 . 2010-02-15 21:54 117760 ----a-w- c:\users\Chris\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-15 21:48 . 2010-02-15 21:48 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-02-15 21:48 . 2010-02-15 21:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-15 21:48 . 2010-02-15 21:48 -------- d-----w- c:\users\Chris\AppData\Roaming\SUPERAntiSpyware.com
2010-02-15 21:42 . 2010-02-15 21:43 -------- d-----w- C:\DBGO
2010-02-15 20:36 . 2010-02-15 20:36 -------- d-----w- c:\users\Chris\AppData\Local\Adobe
2010-02-15 18:35 . 2010-02-15 18:35 -------- d-----w- c:\users\Chris\AppData\Roaming\Malwarebytes
2010-02-15 18:35 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-15 18:35 . 2010-02-15 18:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-15 18:35 . 2010-02-15 18:35 -------- d-----w- c:\programdata\Malwarebytes
2010-02-15 18:35 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-15 18:21 . 2010-02-15 18:21 191062 ----a-w- C:\Remove Fake Antivirus.exe
2010-02-15 17:48 . 2010-02-15 17:48 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-02-14 08:03 . 2010-02-14 08:03 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-14 07:37 . 2010-02-14 07:47 -------- d-----w- C:\Taking.Woodstock.DVDRip.XviD-DiAMOND
2010-02-14 07:30 . 2010-02-14 07:36 -------- d-----w- C:\Cloudy.with.a.Chance.of.Meatballs.DVDRip.XviD-DoNE
2010-02-13 08:07 . 2010-02-15 18:03 -------- d-----w- c:\program files\GameShadow
2010-02-13 02:28 . 2010-02-13 02:35 -------- d-----w- C:\Inglourious Basterds 2009 DVDRip XviD-MegaPlay
2010-02-11 21:01 . 2010-02-11 22:48 -------- d-----w- C:\I.Hope.They.Serve.Beer.in.Hell.2009.UNRATED.LIMITED.DVDRip.XviD-AMIABLE.[[You must be registered and logged in to see this link.]
2010-01-30 20:08 . 2009-09-18 17:28 421888 ----a-w- c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nzwtktkm.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
2010-01-27 01:12 . 2009-10-31 05:45 2614272 ----a-w- c:\windows\explorer.exe
2010-01-27 01:12 . 2009-10-28 06:17 285696 ----a-w- c:\windows\system32\winlogon.exe
2010-01-23 02:22 . 2009-12-19 09:02 977920 ----a-w- c:\windows\system32\wininet.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-16 15:32 . 2007-06-15 01:57 -------- d-----w- c:\users\Chris\AppData\Roaming\uTorrent
2010-02-16 04:58 . 2009-12-21 19:43 -------- d-----w- c:\program files\Trillian
2010-02-15 20:37 . 2007-10-09 20:05 -------- d-----w- c:\programdata\SecTaskMan
2010-02-15 20:37 . 2007-10-09 20:05 -------- d-----w- c:\program files\Security Task Manager
2010-02-15 20:34 . 2007-07-05 07:07 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-14 08:10 . 2007-11-06 00:29 -------- d-----w- c:\program files\iTunes
2010-02-14 08:09 . 2007-05-31 15:41 -------- d-----w- c:\program files\iPod
2010-02-14 08:09 . 2007-08-16 01:35 -------- d-----w- c:\program files\Common Files\Apple
2010-02-13 07:54 . 2007-09-06 21:08 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-02-13 07:40 . 2006-12-29 12:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-20 21:31 . 2009-03-22 17:57 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 19:12 . 2009-10-03 06:45 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-13 08:06 . 2006-12-29 13:02 -------- d-----w- c:\programdata\Microsoft Help
2010-01-08 04:22 . 2009-11-17 06:13 225448 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-07 04:26 . 2010-01-07 04:26 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-01-06 20:08 . 2010-01-08 20:44 57856 ----a-w- c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nzwtktkm.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2010-01-06 20:08 . 2010-01-08 20:44 545280 ----a-w- c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nzwtktkm.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2010-01-06 20:08 . 2010-01-08 20:44 4726272 ----a-w- c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nzwtktkm.default\extensions\piclens@cooliris.com\libs\cooliris190.dll
2010-01-06 20:08 . 2010-01-08 20:44 4725760 ----a-w- c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nzwtktkm.default\extensions\piclens@cooliris.com\libs\cooliris192.dll
2010-01-06 20:08 . 2010-01-08 20:44 344064 ----a-w- c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nzwtktkm.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2010-01-06 20:08 . 2010-01-08 20:44 153600 ----a-w- c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nzwtktkm.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2010-01-06 20:08 . 2010-01-08 20:44 103424 ----a-w- c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nzwtktkm.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2010-01-03 18:01 . 2010-01-03 18:01 -------- d-----w- c:\program files\Elaborate Bytes
2009-12-29 08:11 . 2008-12-13 19:54 -------- d-----w- c:\program files\Bethesda Softworks
2009-12-25 09:52 . 2008-01-23 06:35 -------- d-----w- c:\users\Chris\AppData\Roaming\Skype
2009-12-25 09:19 . 2008-01-23 06:36 -------- d-----w- c:\users\Chris\AppData\Roaming\skypePM
2009-12-21 20:14 . 2009-12-21 19:44 -------- d-----w- c:\users\Chris\AppData\Roaming\Trillian
2009-12-21 19:50 . 2008-08-04 07:50 -------- d-----w- c:\program files\Yahoo!
2009-12-21 19:41 . 2009-12-21 19:41 409088 ----a-w- c:\windows\system32\systemcpl.dll
2009-12-21 19:41 . 2009-07-13 23:36 13824 ----a-w- c:\windows\system32\slwga.dll
2009-12-21 19:36 . 2009-12-21 19:36 -------- d-----w- c:\users\Chris\AppData\Roaming\Stardock
2009-12-21 19:36 . 2009-12-21 19:35 -------- dc-h--w- c:\programdata\{A87EB928-0C6C-4071-AEF1-59E32BAEDF1B}
2009-12-21 19:35 . 2008-06-07 01:08 -------- d-----w- c:\program files\Stardock
2009-12-21 18:56 . 2009-12-21 18:56 -------- d-----w- c:\program files\SystemRequirementsLab
2009-12-21 18:56 . 2009-12-21 18:56 247296 ----a-w- c:\users\Chris\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_0_11_0_d_ind.dll
2009-12-21 18:56 . 2009-12-21 18:56 247296 ----a-w- c:\users\Chris\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_0_11_0_c_ind.dll
2009-12-21 18:56 . 2009-12-21 18:56 247296 ----a-w- c:\users\Chris\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_0_11_0_b_ind.dll
2009-12-21 18:56 . 2009-12-21 18:56 247296 ----a-w- c:\users\Chris\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_0_11_0_a_ind.dll
2009-12-21 18:56 . 2009-12-21 18:56 -------- d-----w- c:\users\Chris\AppData\Roaming\SystemRequirementsLab
2009-12-21 18:54 . 2009-12-21 18:54 133824 ----a-w- c:\users\Chris\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-21 18:52 . 2007-07-04 23:17 -------- d-----w- c:\programdata\NVIDIA
2009-12-21 18:02 . 2009-12-21 12:12 -------- d-----w- c:\program files\CONEXANT
2009-12-21 13:13 . 2009-12-21 13:13 21924 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-21 12:55 . 2008-08-21 01:30 -------- d-----w- c:\users\Chris\AppData\Roaming\mIRC
2009-12-21 12:35 . 2009-10-18 04:53 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-21 12:35 . 2009-04-20 17:02 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-12-21 12:35 . 2009-03-12 05:53 -------- d-----w- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-12-21 12:35 . 2009-02-16 11:00 -------- d-----w- c:\programdata\WindowsSearch
2009-12-21 12:35 . 2008-08-04 07:52 -------- d-----w- c:\programdata\Yahoo!
2009-12-21 12:35 . 2007-11-01 08:50 -------- d-----w- c:\programdata\Yahoo! Companion
2009-12-21 12:35 . 2006-12-29 13:13 -------- d-----w- c:\programdata\WildTangent
2009-12-21 12:35 . 2006-12-29 13:05 -------- d-----w- c:\programdata\{623D32E9-0C62-4453-AD44-98B31F52A5E1}
2009-12-21 12:35 . 2007-05-31 16:18 -------- d-----w- c:\programdata\Viewpoint
2009-12-21 12:35 . 2008-01-23 06:34 -------- d-----w- c:\programdata\Skype
2009-12-21 12:35 . 2007-07-12 19:30 -------- d-----w- c:\programdata\Trymedia
2009-12-21 12:35 . 2006-12-29 12:48 -------- d-----w- c:\programdata\Symantec
2009-12-21 12:35 . 2006-12-29 12:44 -------- d-----w- c:\programdata\Sonic
2009-12-21 12:33 . 2009-07-29 19:19 -------- d-----w- c:\program files\Yahoo! Games
2009-12-21 12:32 . 2006-12-29 12:59 -------- d-----w- c:\program files\Microsoft Works
2009-12-21 12:32 . 2007-07-08 07:06 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-12-21 12:32 . 2009-08-11 16:48 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-12-21 12:32 . 2009-12-18 01:34 -------- d-----w- c:\program files\LogMeIn Hamachi
2009-12-21 12:32 . 2009-07-14 04:52 -------- d-----w- c:\program files\Microsoft Games
2009-12-21 12:32 . 2007-07-09 02:24 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-12-21 12:32 . 2007-08-25 21:26 -------- d-----w- c:\program files\Lexmark Toolbar
2009-12-21 12:32 . 2007-08-25 21:25 -------- d-----w- c:\program files\Lexmark 2500 Series
2009-12-21 12:31 . 2008-05-19 02:34 -------- d-----w- c:\program files\Last.fm
2009-12-21 12:31 . 2006-12-29 13:34 -------- d-----w- c:\program files\Java
2009-12-21 12:31 . 2007-09-03 04:41 -------- d-----w- c:\program files\InterActual
2009-12-21 12:31 . 2006-12-29 13:24 -------- d-----w- c:\program files\HPQ
2009-12-21 12:31 . 2006-12-29 13:08 -------- d-----w- c:\program files\HP Games
2009-12-21 12:26 . 2006-12-29 13:16 -------- d-----w- c:\program files\HP Connections
2009-12-21 12:26 . 2006-12-29 13:06 -------- d-----w- c:\program files\HP
2009-12-21 12:25 . 2006-12-29 12:35 -------- d-----w- c:\program files\Hewlett-Packard
2009-12-21 12:21 . 2006-12-29 13:34 -------- d-----w- c:\program files\Common Files\Java
2009-12-21 12:21 . 2006-12-29 13:24 -------- d-----w- c:\program files\Common Files\LightScribe
2009-12-21 12:21 . 2006-12-29 12:38 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-21 12:21 . 2009-09-01 07:13 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-12-21 12:21 . 2008-02-22 00:46 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-12-21 12:21 . 2007-08-21 23:31 -------- d-----w- c:\program files\Common Files\Cisco Systems
2009-12-21 12:21 . 2008-02-29 20:29 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-21 12:21 . 2007-11-05 06:18 -------- d-----w- c:\program files\Common Files\AOL
2009-12-21 12:21 . 2009-05-18 22:25 -------- d-----w- c:\program files\Cave Story Deluxe
2009-12-21 12:21 . 2007-07-18 07:00 -------- d-----w- c:\program files\CCleaner
2009-12-21 12:13 . 2009-12-21 12:13 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2009-12-21 12:13 . 2009-12-21 12:13 -------- d-----w- c:\program files\Synaptics
2009-12-21 09:57 . 2007-08-21 19:33 -------- d-----w- c:\programdata\Media Center Programs
2009-12-18 22:02 . 2008-05-23 23:54 130443 ----a-w- c:\windows\War3Unin.dat
2009-12-16 22:42 . 2009-12-22 22:11 872960 ----a-w- c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nzwtktkm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-16 22:42 . 2009-12-22 22:11 43008 ----a-w- c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nzwtktkm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-16 22:42 . 2009-12-22 22:11 340480 ----a-w- c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nzwtktkm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-16 22:41 . 2009-12-22 22:11 346624 ----a-w- c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nzwtktkm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-01 02:02 . 2009-12-01 02:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-12-01 02:02 . 2009-12-01 02:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-11-29 03:54 . 2009-12-21 19:41 1197056 ----a-w- C:\RemoveWAT.exe
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2007-07-26 00:43 . 2007-07-26 00:38 56 --sha-r- c:\windows\System32\536EC9E2BC.sys
2007-07-26 00:43 . 2007-07-26 00:38 4182 --sha-w- c:\windows\System32\KGyGaAvL.sys
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
2009-07-14 01:14 . 2009-07-14 00:09 164864 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7600.16385_none_0b401942b06d4f06\wmplayer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1FB2F9A-D35E-11DD-8935-E46A56D89593}]
2009-05-08 19:00 86016 ----a-w- c:\program files\oovootb\oovoodx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC4C1BCF-FE58-4372-9176-D9CF3D1B6D5B}]
2008-03-20 21:42 2367488 ----a-w- c:\program files\Egisca Toolbar\EgiscaToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A1FB2F9A-D35E-11DD-8935-E46A56D89593}"= "c:\program files\oovootb\oovoodx.dll" [2009-05-08 86016]
"{C1E68079-1B2C-41D7-A3C2-BE82E570251E}"= "c:\program files\Egisca Toolbar\EgiscaToolbar.dll" [2008-03-20 2367488]

[HKEY_CLASSES_ROOT\clsid\{a1fb2f9a-d35e-11dd-8935-e46a56d89593}]

[HKEY_CLASSES_ROOT\clsid\{c1e68079-1b2c-41d7-a3c2-be82e570251e}]
[HKEY_CLASSES_ROOT\EGISCAWEB.EGISCAWEB.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\EGISCAWEB.EGISCAWEB]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{C1E68079-1B2C-41D7-A3C2-BE82E570251E}"= "c:\program files\Egisca Toolbar\EgiscaToolbar.dll" [2008-03-20 2367488]

[HKEY_CLASSES_ROOT\clsid\{c1e68079-1b2c-41d7-a3c2-be82e570251e}]
[HKEY_CLASSES_ROOT\EGISCAWEB.EGISCAWEB.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\EGISCAWEB.EGISCAWEB]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-12-14 289584]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"PLFSetL"="c:\windows\PLFSetL.exe" [2008-07-03 94208]
"SNUVCDSM"="c:\windows\snuvcdsm.exe" [2009-08-10 27184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-06 13605408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-06 92704]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-05-26 85160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2009-10-02 128360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Connections.lnk]
backup=c:\windows\pss\HP Connections.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Connections.lnk

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

[HKLM\~\startupfolder\C:^Users^Chris^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^hamachi.lnk]
backup=c:\windows\pss\hamachi.lnk.Startup
backupExtension=.Startup
path=c:\users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hamachi.lnk

[HKLM\~\startupfolder\C:^Users^Chris^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
backup=c:\windows\pss\Stardock ObjectDock.lnk.Startup
backupExtension=.Startup
path=c:\users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stardock ObjectDock.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 09:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2004-02-04 20:29 61440 ----a-w- c:\users\Chris\Desktop\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 22:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-12-10 09:02 216520 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
2008-01-16 03:43 144896 ----a-w- c:\users\Chris\Desktop\AIM\DeadAIM.ocm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 18:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2008-06-16 15:03 75008 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 23:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2006-10-18 17:32 472800 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-03-21 09:34 213936 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2006-03-21 09:34 213936 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-03-21 09:34 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-23 03:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddmon.exe]
2007-06-12 02:27 291760 ----a-w- c:\program files\Lexmark 2500 Series\lxddmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
2004-10-06 22:50 139320 ----a-w- c:\program files\Network Associates\Common Framework\UpdaterUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]
2004-02-19 20:07 147514 ----a-w- c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-03-06 19:52 13605408 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-03-06 19:52 92704 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
2009-03-06 19:52 735776 ----a-w- c:\windows\System32\nvsvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ooVoo.exe]
2009-09-03 02:00 17385144 ----a-w- c:\program files\ooVoo\ooVoo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2009-11-09 03:17 180224 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2006-11-06 18:58 159744 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2006-11-24 23:33 167936 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2uvc]
2008-08-02 03:10 675840 ----a-w- c:\windows\vsnp2uvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-12-29 13:35 77824 ----a-w- c:\program files\Java\jre1.6.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-03-28 10:05 1045800 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-08-07 18:46 185632 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2009-12-14 12:25 289584 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WAWifiMessage]
2006-10-18 17:56 317152 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2009-07-14 01:14 660480 ----a-w- c:\program files\Windows Defender\MSASCui.exe

R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [10/6/2009 1:24 PM 6000640]
S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [7/16/2007 2:40 AM 717296]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
S1 SASKUTIL;SASKUTIL;c:\users\Chris\Software\SASKUTIL.SYS [1/5/2010 10:56 AM 74480]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S4 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [10/29/2009 3:27 PM 1074568]
S4 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\System32\spool\drivers\w32x86\3\lxddserv.exe [5/25/2007 11:41 AM 99248]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/5/2007 1:20 AM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-02-09 c:\windows\Tasks\HPCeeScheduleForChris.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2006-12-29 00:08]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {2E80571E-38C2-4671-8FAD-C55746E4A3FE} = 93.188.164.88,93.188.161.39
TCP: {955C0F16-A8AF-4A91-BA7B-E070D36F2FC0} = 93.188.164.88,93.188.161.39
TCP: C696E6B6379737 = 93.188.164.88,93.188.161.39
FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nzwtktkm.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nzwtktkm.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nzwtktkm.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nzwtktkm.default\extensions\{99E00A4C-D35E-11DD-BA95-9B6A56D89593}\components\ooVooCtl.dll
FF - component: c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nzwtktkm.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nzwtktkm.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-sabyqnpv - c:\users\Chris\AppData\Local\ppbblx\amtysftav.exe
HKLM-RunOnce- - (no file)
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
MSConfigStartUp-Nexus Radio - c:\program files\Nexus Radio\Nexus Radio.exe
MSConfigStartUp-Sharkbyte - c:\program files\Grooveshark\sharkbyte.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
AddRemove-Carnivores - d:\carnivor\Uninst.isu
AddRemove-HijackThis - c:\users\Chris\Software\HijackThis.exe



**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x850908C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x842e8c30
QueryNameProcedure -> 0x842e8dc0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-174263960-1074974419-3485214493-1000_Classes\CLSID\{390d3c76-17d2-41fc-9bd2-ea32884179aa}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,23,4e,f0,f6,1b,c3,fd,5f,d2,5a,aa,88,37,57,ad,3c,99,af,83,99,26,89,\
"Model"=dword:000000e9
"Therad"=dword:0000001e

[HKEY_USERS\S-1-5-21-174263960-1074974419-3485214493-1000_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):1d,13,6a,2d,82,36,26,8f,b9,00,ee,f9,eb,65,54,40,d3,2b,c5,41,e1,
14,f0,87,3c,fc,af,c1,81,50,33,1f,8d,29,90,6e,6d,38,be,26,00,00,00,00,00,00,\

[HKEY_USERS\S-1-5-21-174263960-1074974419-3485214493-1000_Classes\VirtualStore\MACHINE\SOFTWARE\America Online\AOL\CurrentVersion]
@DACL=(02 0000)

[HKEY_USERS\S-1-5-21-174263960-1074974419-3485214493-1000_Classes\VirtualStore\MACHINE\SOFTWARE\inKline Global\PC Booster 2008]
@DACL=(02 0000)

[HKEY_USERS\S-1-5-21-174263960-1074974419-3485214493-1000_Classes\VirtualStore\MACHINE\SOFTWARE\S3R521\R6BXJB2B3A2HZCYV4646]
@DACL=(02 0000)
"BRW6"=dword:48645931

[HKEY_USERS\S-1-5-21-174263960-1074974419-3485214493-1000_Classes\VirtualStore\MACHINE\SOFTWARE\SpeedBit\Download Accelerator\DBS]
@DACL=(02 0000)

[HKEY_USERS\S-1-5-21-174263960-1074974419-3485214493-1000_Classes\VirtualStore\MACHINE\SOFTWARE\SpeedBit\Download Accelerator\Improv_DB]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-02-16 11:03:45
ComboFix-quarantined-files.txt 2010-02-16 16:03

Pre-Run: 9,100,759,040 bytes free
Post-Run: 8,999,346,176 bytes free

- - End Of File - - 2AC01A9A2FF0E06ADA6501CF6DC7BBD3

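The log above already contains the indicators a responder would pull out by hand: a proxy pointed at the loopback address (`http=127.0.0.1:5555`, so every browser request passes through some local process), the same two public DNS servers written into every interface key, UAC switched off (`EnableLUA`= 0), and an orphaned `HKCU-Run` value with a generated-looking name living under `AppData\Local`. The following triage script is an added example by the editor, not part of the original post and not ComboFix's own code. The sample lines are copied from the posted log (plus one benign Run value for contrast); the rule names, the severities, and the `looks_random` vowel-ratio heuristic are this example's own assumptions, not anything ComboFix emits.

```python
"""Triage of ComboFix-style log lines for the indicator classes seen in the thread above.

Added example; the rules and thresholds are assumptions for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log posted above, plus one
# benign Run value (uTorrent) so the rules have something to pass.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
TCP: {2E80571E-38C2-4671-8FAD-C55746E4A3FE} = 93.188.164.88,93.188.161.39
TCP: C696E6B6379737 = 93.188.164.88,93.188.161.39
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
HKCU-Run-sabyqnpv - c:\users\Chris\AppData\Local\ppbblx\amtysftav.exe
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-12-14 289584]
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "review"
    rule: str
    evidence: str


VOWELS = set("aeiou")


def looks_random(name: str, min_len: int = 6, max_vowel_ratio: float = 0.25) -> bool:
    """Crude generated-name heuristic (this example's assumption, not a ComboFix rule):
    a token of at least min_len letters with very few vowels. Expect false positives."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < min_len:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) <= max_vowel_ratio


PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:https?=)?([\w.\-]+):(\d+)", re.I)
DNS_RE = re.compile(r"^TCP:\s*\S+\s*=\s*([\d.,\s]+)$")
UAC_RE = re.compile(r'^"EnableLUA"\s*=\s*0\b')
ORPHAN_RUN_RE = re.compile(r"^HKCU-Run-(\S+)\s+-\s+(.+?)\s*$")
RUN_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"([^"]+\.exe)"', re.I)
APPDATA_RE = re.compile(r"\\appdata\\(?:local|locallow|roaming)\\", re.I)


def triage(log_text: str) -> list[Finding]:
    """Return de-duplicated findings for the indicator classes discussed above."""
    findings: list[Finding] = []

    def add(severity: str, rule: str, evidence: str) -> None:
        f = Finding(severity, rule, evidence)
        if f not in findings:
            findings.append(f)

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PROXY_RE.search(line):
            host, port = m.group(1), m.group(2)
            # A loopback proxy means a local process sits between the browser and
            # the network; the next step on the live host is to find what listens there.
            if host == "localhost" or host.startswith("127."):
                add("high", "loopback-proxy", f"{host}:{port}")
        elif m := DNS_RE.match(line):
            for tok in m.group(1).replace(",", " ").split():
                try:
                    ip = ipaddress.ip_address(tok)
                except ValueError:
                    continue
                # Public resolvers are not proof of hijacking (ISP resolvers are
                # public too), so this is "review", not "high".
                if not (ip.is_private or ip.is_loopback or ip.is_link_local):
                    add("review", "public-dns-server", tok)
        elif UAC_RE.match(line):
            add("high", "uac-disabled", line)
        elif m := (ORPHAN_RUN_RE.match(line) or RUN_VALUE_RE.match(line)):
            name, path = m.group(1), m.group(2)
            exe_stem = re.split(r"[\\/]", path)[-1].rsplit(".", 1)[0]
            if looks_random(name) or looks_random(exe_stem):
                add("high", "random-name-autorun", f"{name} -> {path}")
            elif APPDATA_RE.search(path):
                add("review", "autorun-from-appdata", f"{name} -> {path}")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule:22} {f.evidence}")
```

The point of the severities is that the proxy, the disabled UAC and the generated-name autorun are each individually worth acting on, while public resolvers only become suspicious in combination with the rest; the script keeps those apart instead of scoring everything the same. Running it against a full ComboFix log works as-is, since the regexes only look at the line shapes shown above.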

Re: Fake System Security virus

Post by Dr Jay on 17th February 2010, 2:43 am

Please download the [You must be registered and logged in to see this link.]. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.


Dr. Jay (DJ)




Re: Fake System Security virus

Post by Dr Jay on 24th February 2010, 6:21 pm

Still with us? If so, please do the following:

Please download DDS by sUBs from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.] and save it to your Desktop.

Note: Before scanning, make sure all other running programs are closed. There shouldn't be any scheduled antivirus scans running while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click Yes to the Optional_Scan
  • Please follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your Desktop.


Dr. Jay (DJ)



