Author Topic: [Resolved K] fake anti virus ads  (Read 1448 times)


Offline posse4000s

  • Bronze Member
  • Posts: 56
[Resolved K] fake anti virus ads
« on: December 06, 2012, 01:53:10 pm »
DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 6.0.2900.5512  BrowserJavaVersion: 10.1.0
Run by Happy Happy Joy Joy at 12:45:25 on 2012-12-06
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3070.2530 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahoo! IE Services Button: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
uRun: [Starfield Updater] "c:\program files\workspace\WorkspaceUpdate.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AdobeBridge] <no file>
uRunOnce: [B871983F6C1955700000B870DFD75E42] c:\documents and settings\all users\application data\b871983f6c1955700000b870dfd75e42\B871983F6C1955700000B870DFD75E42.exe
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "c:\program files\java\jre7\bin\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Smart File Advisor] "c:\program files\smart file advisor\sfa.exe" /checkassoc
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [pdfFactory Dispatcher v3] "c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe" /source=HKLM
mRun: [isjasc] "c:\windows\system32\rundll32.exe" "c:\documents and settings\barber family\application data\isjasc.dll",Long_AsLong
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart16.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoSetActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1310322724149
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{7D16CD17-053F-4F05-9447-0EFF070E7A47} : DHCPNameServer = 192.168.2.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: AtiExtEvent - Ati2evxx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\barber family\application data\mozilla\firefox\profiles\lauacvsq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\barber family\application data\mozilla\plugins\npoff.dll
FF - plugin: c:\documents and settings\barber family\application data\mozilla\plugins\npoff.dll
FF - plugin: c:\documents and settings\barber family\application data\mozilla\plugins\npwbe.dll
FF - plugin: c:\documents and settings\barber family\application data\mozilla\plugins\npwbe.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_110.dll
FF - ExtSQL: 2012-12-06 10:14; {37d64652-bd94-4997-aec2-76727a7ac63c}; c:\documents and settings\barber family\application data\mozilla\firefox\profiles\lauacvsq.default\extensions\{37d64652-bd94-4997-aec2-76727a7ac63c}.xpi
FF - ExtSQL: !HIDDEN! 2009-09-30 12:02; zoomext@starfield; c:\program files\mozilla firefox\extensions\zoomext@starfield
.
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R3 NETGEAR_WG311T_SERVICE;NETGEAR WG311T Wireless Adapter Service;c:\windows\system32\drivers\wg311tn5.sys [2011-7-14 344448]
S0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 193552]
S1 RapportCerberus_43926;RapportCerberus_43926;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\43926\RapportCerberus32_43926.sys [2012-10-30 272216]
S1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-11-7 71480]
S2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-10 14336]
S2 Ca50xav;Digital Blue DMC2 Video Device;c:\windows\system32\drivers\Ca50xav.sys [2005-1-27 508304]
S2 File Backup;File Backup Service;c:\program files\workspace\offSyncService.exe [2010-7-16 1174824]
S2 gupdate1c9867bb6b5ffd0;Google Update Service (gupdate1c9867bb6b5ffd0);c:\program files\google\update\GoogleUpdate.exe [2009-2-3 133104]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2012-11-7 976728]
S2 Salsvc;Salsvc;c:\program files\softactivity\skl\alsvc.exe [2009-7-21 38768]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S2 WeOnlyDo wodAppUpdate Service;WeOnlyDo wodAppUpdate Service;c:\windows\system32\wodUpdSv.exe [2009-6-22 28144]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2012-11-26 101392]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2006-7-24 16194]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-6-28 42512]
S3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\39624\RapportIaso.sys [2012-5-30 21520]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-11-7 65848]
S3 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-11-7 166840]
S3 RT-USB;Ross-Tech USB driver;c:\windows\system32\drivers\RT-USB.SYS [2012-5-12 59464]
S3 SAgentDriver;SAgent Driver;c:\program files\softactivity\skl\sagendrv.sys [2009-7-21 31088]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys --> c:\windows\system32\drivers\sxuptp.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys --> c:\windows\system32\drivers\wdcsam.sys [?]
S4 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2012-10-2 3064000]
.
=============== File Associations ===============
.
FileExt: .scr: AutoCADScriptFile="c:\windows\notepad.exe" "%1"
.
=============== Created Last 30 ================
.
2012-12-06 16:46:05   --------   d-----w-   c:\documents and settings\all users\application data\B871983F6C1955700000B870DFD75E42
2012-12-06 16:45:07   580096   ----a-w-   c:\documents and settings\barber family\application data\isjasc.dll
2012-12-06 16:45:02   59904   ---ha-w-   c:\windows\system32\hppaetup.dll
2012-12-06 16:44:14   161792   ----a-w-   c:\documents and settings\barber family\application data\sbcof.dll
2012-12-06 14:40:25   6812136   ----a-w-   c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{16b149cf-03ea-467e-aa7d-98b376ac247e}\mpengine.dll
2012-12-04 22:54:17   6812136   ----a-w-   c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-11-26 22:28:13   --------   d-----w-   c:\documents and settings\barber family\local settings\application data\ATI
2012-11-26 22:25:56   --------   d-----w-   c:\program files\My Company Name
2012-11-26 22:25:00   --------   d-----w-   c:\program files\common files\ATI Technologies
2012-11-26 22:23:54   --------   d-----w-   c:\program files\ATI
2012-11-26 22:23:28   --------   d-----w-   c:\program files\ATI Technologies
2012-11-14 17:03:01   --------   d-----w-   c:\documents and settings\barber family\local settings\application data\FileMaker
2012-11-14 17:03:00   --------   d-----w-   c:\documents and settings\barber family\local settings\application data\CNS
2012-11-14 17:00:38   385024   ------w-   c:\windows\system32\fppmon3.dll
2012-11-14 17:00:38   282624   ------w-   c:\windows\system32\fppr332.dll
2012-11-14 15:27:56   --------   d-----w-   C:\Inspector FX
2012-11-07 23:29:48   65848   ----a-w-   c:\windows\system32\drivers\RapportKELL.sys
.
==================== Find3M  ====================
.
2012-12-03 21:23:33   60   ----a-w-   c:\windows\wpd99.drv
2012-11-26 22:24:42   0   ----a-w-   c:\windows\ativpsrm.bin
2012-11-14 15:09:05   697272   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-11-14 15:09:04   73656   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-22 08:37:31   1866368   ----a-w-   c:\windows\system32\win32k.sys
2012-10-09 03:09:11   10220472   ----a-w-   c:\windows\system32\FlashPlayerInstaller.exe
2012-10-02 18:04:21   58368   ----a-w-   c:\windows\system32\synceng.dll
2012-09-20 04:53:57   111688   ----a-w-   c:\documents and settings\barber family\x.exe
.
============= FINISH: 12:49:52.10 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/24/2006 4:47:37 PM
System Uptime: 12/6/2012 12:38:14 PM (0 hours ago)
.
Motherboard: Dell Inc.           |  | 0YC523
Processor:               Intel(R) Pentium(R) D CPU 2.80GHz | Microprocessor | 2793/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 233 GiB total, 12.208 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Community Help
Adobe Download Assistant
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Photoshop CS5.1
Adobe Reader X (10.1.4)
AiO_Scan
Akamai NetSession Interface
Akamai NetSession Interface Service
AnyDVD
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ASUS VGA Driver
ATI AVIVO Codecs
ATI Catalyst Install Manager
Autodesk Land Desktop 2005
AutoUpdate
BlackBerry Desktop Software 4.5
Bonjour
Camera Access Library
Camera Support Core Library
Camera Window DS
Camera Window DVC
Camera Window MC
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window DSLR 5 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX (E)
Catalyst Control Center
Catalyst Control Center - Branding
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-utility
CCC Help English
Compatibility Pack for the 2007 Office system
Creative Audio Console
Creative MediaSource
Dell Resource CD
Disney Flix 2.0
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Dreamship Tales
Dropbox
DVD Shrink 3.2
DVDFab 8.1.6.3 (11/02/2012) Qt
ESPNMotion
FLV Player 2.0 (build 25)
Free RAR Extract Frog
GemMaster Mystic
Google Earth
Google Update Helper
Home Inspector Pro 3
HomeGauge5
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
HP PSC & OfficeJet 5.3.B
HydraVision
IKEA HomePlanner Kitchen
Inspector FX 8.5
Intel(R) 537EP V9x DF PCI Modem
Intel(R) PRO Network Connections Drivers
iPod for Windows 2005-10-12
iTunes
Java Auto Updater
Java(TM) 7 Update 1
Last.fm 1.5.4.27091
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.0 Hotfix (KB2572066)
Microsoft .NET Framework 1.0 Hotfix (KB2604042)
Microsoft .NET Framework 1.0 Hotfix (KB2656378)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.0 Security Update (KB2698035)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Office Basic Edition 2003
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Office Project Standard 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft XML Parser
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFCLOC_x86
MovieEdit Task
Mozilla Firefox 17.0.1 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
NASA World Wind 1.4
NVIDIA Control Panel 301.42
NVIDIA Graphics Driver 301.42
NVIDIA Install Application
NVIDIA nView 136.27
NVIDIA Update 1.8.15
NVIDIA Update Components
Otto
PDF Settings CS5
Pdf995
pdfFactory
Pencil-Pal Preschool
PhotoStitch
PowerDVD 5.5
QFolder
QuickTime
Rapport
RAW Image Task 2.2
Roxio Media Manager
Safari
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2530548)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544521)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2559049)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2586448)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618444)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647516)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2675157)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2699988)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2722913)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2744842)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Setup1
Skins
Skype Click to Call
Skype™ 5.10
Smart File Advisor 1.1.1
Sonic Encoders
Sonic Update Manager
Sound Blaster X-Fi
Spider-Man Photo Lab
StuffIt Expander 2010
Uninstall Dual Mode Camera
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
VCDS Release 11.11.3
Viewpoint Media Player
Web-Based Email Tools
WebFldrs XP
WildGames
Windows Driver Package - Ross-Tech USB Driver Package (06/16/2010 2.06.02)
Windows Genuine Advantage Notifications (KB905474)
Windows Media Format Runtime
Windows PowerShell(TM) 1.0
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB2619340
Windows XP Media Center Edition 2005 KB2628259
Windows XP Media Center Edition 2005 KB908250
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinPatrol
WinPcap 4.0.1
Wizard101
Workspace Desktop
Yahoo! Browser Services
Yahoo! Internet Mail
.
==== Event Viewer Messages From Past Week ========
.
12/4/2012 8:26:40 AM, error: Service Control Manager [7000]  - The Digital Blue DMC2 Video Device service failed to start due to the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
12/4/2012 8:25:33 AM, error: Dhcp [1002]  - The IP address lease 192.168.2.4 for the Network Card with network address 00095BE812D3 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
12/2/2012 9:40:27 AM, error: Service Control Manager [7038]  - The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error:  Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
12/2/2012 9:40:27 AM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.
12/2/2012 9:40:27 AM, error: Service Control Manager [7000]  - The NVIDIA Update Service Daemon service failed to start due to the following error:  The service did not start due to a logon failure.
.
==== End Of File ===========================
« Last Edit: December 15, 2012, 06:06:53 pm by kevinf80 »
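The checks a helper applies by eye to a DDS report like the one above can be scripted. The following is an added example, not code from the original post and not part of DDS, MBAR or any other tool named in this thread; the heuristics, function names and the `USER_WRITABLE` list are this example's own choices, and both text excerpts are constructed from a handful of lines copied out of the log above (the third `$NtUninstall` folder name is made up to show an entry that does not fire). It flags autorun entries whose name or file name is a 32-character hex string, binaries launched from user-writable profile directories (including DLLs loaded through rundll32), dead entries, and `$NtUninstallKBnnnn$` folders whose KB number has no entry in the "Installed Programs" section.

```python
import re

# Constructed excerpt: a few autorun lines copied from the DDS "Pseudo HJT
# Report" above. The full log is in the post; this is only enough to run on.
DDS_AUTORUNS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AdobeBridge] <no file>
uRunOnce: [B871983F6C1955700000B870DFD75E42] c:\documents and settings\all users\application data\b871983f6c1955700000b870dfd75e42\B871983F6C1955700000B870DFD75E42.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [isjasc] "c:\windows\system32\rundll32.exe" "c:\documents and settings\barber family\application data\isjasc.dll",Long_AsLong
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
"""

ENTRY_RE = re.compile(r"^(?P<kind>[umd]Run(?:Once)?|BHO): (?:\[(?P<name>[^\]]*)\] )?(?P<rest>.*)$", re.I)
PATH_RE = re.compile(r'[a-z]:\\[^"<>|]*?\.(?:exe|dll|sys)', re.I)
HEX32_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
# Profile locations a non-admin user (and so malware running as that user) can
# write to on XP. This list is the example's own assumption, not a DDS rule.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")

def triage_autoruns(text):
    """Return [(kind, name, reasons)] for every autorun entry that trips at
    least one heuristic; entries with no findings are omitted."""
    findings = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, name, rest = m.group("kind"), m.group("name") or "", m.group("rest")
        reasons = []
        if "<no file>" in rest or "<orphaned>" in rest:
            reasons.append("target missing (dead entry); cleanup candidate")
        if HEX32_RE.match(name):
            reasons.append("entry name is 32 hex chars (generated name)")
        loader = "rundll32" in rest.lower()
        for path in PATH_RE.findall(rest):
            base = path.rsplit("\\", 1)[-1]
            if HEX32_RE.match(base.rsplit(".", 1)[0]):
                reasons.append(f"file name is 32 hex chars: {base}")
            if any(d in path.lower() for d in USER_WRITABLE):
                what = "rundll32-loaded DLL" if loader and base.lower().endswith(".dll") else "binary"
                reasons.append(f"{what} under a user-writable profile dir: {path}")
        if reasons:
            findings.append((kind, name, reasons))
    return findings

KB_RE = re.compile(r"\(KB(\d+)(?:-v\d+)?\)")
UNINSTALL_DIR_RE = re.compile(r"\$NtUninstallKB(\d+)\$", re.I)

def installed_kbs(installed_programs_text):
    """KB numbers taken from the DDS 'Installed Programs' section."""
    return set(KB_RE.findall(installed_programs_text))

def unmatched_uninstall_dirs(dir_names, installed):
    """$NtUninstallKBnnnn$ folders under %windir% whose KB number has no
    Add/Remove entry. A lead, not proof: a hotfix that was removed or is
    hidden from Add/Remove leaves a genuine folder behind, so confirm first."""
    out = []
    for d in dir_names:
        m = UNINSTALL_DIR_RE.fullmatch(d)
        if m and m.group(1) not in installed:
            out.append(d)
    return out

# Constructed: three lines from the 'Installed Programs' section above, and
# folder names in the form the anti-rootkit scan later in this thread reports
# (the third name is invented to show a folder that matches a listed hotfix).
DDS_INSTALLED = """
Hotfix for Windows XP (KB2443685)
Security Update for Windows XP (KB2761226)
Update for Windows XP (KB2661254-v2)
"""
UNINSTALL_DIRS = ["$NtUninstallKB44758$", "$NtUninstallKB20777$", "$NtUninstallKB2443685$"]

if __name__ == "__main__":
    for kind, name, reasons in triage_autoruns(DDS_AUTORUNS):
        print(f"{kind} [{name}]")
        for r in reasons:
            print("   -", r)
    print("uninstall dirs with no matching hotfix:",
          unmatched_uninstall_dirs(UNINSTALL_DIRS, installed_kbs(DDS_INSTALLED)))
```

Run against the excerpt, the script singles out the `uRunOnce` entry (hex name, hex file name, launched from All Users\Application Data), which the anti-rootkit scan in the reply below labels Trojan.FakeAlert, and the `isjasc` entry (rundll32 loading a DLL from the user's Application Data folder); the `AdobeBridge` and orphaned BHO entries are only housekeeping. The two `$NtUninstallKB` folder names the scan reports have no counterpart in the hotfix list. These are leads for a human reviewer, not verdicts: a heuristic like "binary under Application Data" also fires on some legitimate per-user installers, so each hit still needs to be checked.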



Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7144
Re: [Resolved K] fake anti virus ads
« Reply #1 on: December 06, 2012, 02:13:42 pm »
Hiya posse4000s,

You've been here before, so you are fully aware of what is expected. Do the following and post the two produced logs:

1. Download Malwarebytes Anti-Rootkit from this link: http://www.malwarebytes.org/products/mbar/
2. Unzip the file to a convenient location (the Desktop is recommended).
3. Open the folder where the contents were unzipped to run mbar.exe.
4. Double-click on the mbar.exe file; you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run, and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers, you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it.
5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you log in, MBAR will automatically start and you will now be at the start screen. (If there is no rootkit warning, you will go from step 4 to step 6.)
6. On the screen that opens, select Next.
7. On the next screen, select Update.
8. When the update completes, select Next.
9. In the following window, ensure "Targets" are ticked, then select "Scan".
10. If an infection is found, the "Cleanup" button to remove threats will be available and a list of infected files will be shown.
11. Do not select the "Cleanup" button; select the "Exit" button. There will be a warning.
12. Select "Yes" to close down the program. If NO infections were found, you will see a screen saying so instead.
13. Select "Exit" to close down.
14. Copy and paste the two following logs from the mbar folder:

System - log
Mbar - log (the date and time of the scan will also be shown in the file name)

Post those two logs in your reply.

Kevin


Offline posse4000s

  • Bronze Member
  • Posts: 56
Re: [Resolved K] fake anti virus ads
« Reply #2 on: December 06, 2012, 04:12:57 pm »
Thank you:


Malwarebytes Anti-Rootkit 1.1.0.1009


 v2012.12.06.12

Windows XP Service Pack 3 x86 NTFS
 6.0.2900.5512
Happy Happy Joy Joy :: BARBER

12/6/2012 3:11:14 PM
mbar-log-2012-12-06 (15-11-14).txt

 
 
 
 31182
 56 , 13

 0


 0


 1
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) ->  [00fb5d7c4b128fa77c9e5ee59072a35d]

 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|B871983F6C1955700000B870DFD75E42 (Trojan.FakeAlert.SSGen) ->  C:\Documents and Settings\All Users\Application Data\B871983F6C1955700000B870DFD75E42\B871983F6C1955700000B870DFD75E42.exe ->  [ef0c37a2d687112501694b5c946fe11f]

 0


 6
C:\Documents and Settings\Barber Family\Start Menu\Programs\System Progressive Protection (Rogue.SystemProgressiveProtection) ->  [e4174a8f97c67db936693572f013b24e]
c:\windows\$ntuninstallkb44758$\218473427\l (Backdoor.0Access) ->  [807ba7324a13e155a0f520e0aa56b54b]
c:\windows\$ntuninstallkb44758$\218473427\u (Backdoor.0Access) ->  [22d9855488d5fe38633307f97c84e020]
c:\windows\$ntuninstallkb44758$\1117203828 (Backdoor.0Access) ->  [1dde9d3cc4993cfad3c4b0505ca431cf]
C:\WINDOWS\$NtUninstallKB20777$\218473427 (Backdoor.0Access) ->  [3bc089508ad37eb8e9af7e8229d7817f]
c:\windows\$ntuninstallkb44758$\218473427 (Backdoor.0Access) ->  [1edd43967ce1c86e544436ca39c75fa1]

 20
C:\WINDOWS\system32\drivers\redbook.sys (Trojan.Agent) ->  [4ec0601086b90fb99f3639661b0d7c94]
C:\WINDOWS\system32\c_20315.nls (Backdoor.0Access) ->  [0af16871d588ca6c10fe837dd92714ec]
C:\Documents and Settings\Barber Family\Local Settings\temp\zf+bGpqw.exe.part (PUP.FunWebProducts) ->  [9863eceda6b79e98c0af9f4bf80b30d0]
C:\Documents and Settings\Barber Family\Local Settings\Application Data\Temp\{55595579-E3BB-4B94-B487-0919C76A5F23} (Trojan.P2P.Worm) ->  [bd3eb425233a181e5e74eb5556aaf808]
c:\windows\$ntuninstallkb44758$\218473427\l\00000004.@ (Backdoor.0Access) ->  [7e7d32a7e97416206f20a35d11efa55b]
c:\windows\$ntuninstallkb44758$\218473427\l\201d3dde (Backdoor.0Access) ->  [df1c4a8f4e0fd3633a55e020f70955ab]
c:\windows\$ntuninstallkb44758$\218473427\l\4cce1f70 (Backdoor.0Access) ->  [7e7ddefb45182214c0cf89778e729769]
c:\windows\$ntuninstallkb44758$\218473427\l\xewgpjnn (Backdoor.0Access) ->  [54a74d8c431ab97d3659e61aca367c84]
c:\windows\$ntuninstallkb44758$\218473427\u\00000004.@ (Backdoor.0Access) ->  [d922ba1f4716ec4a2964956ba15feb15]
c:\windows\$ntuninstallkb44758$\218473427\u\00000008.@ (Backdoor.0Access) ->  [b546b623de7f8da9ddb02dd3fd03f709]
c:\windows\$ntuninstallkb44758$\218473427\u\000000cb.@ (Backdoor.0Access) ->  [916a24b5c29bf83e4944d22e966ade22]
c:\windows\$ntuninstallkb44758$\218473427\u\80000000.@ (Backdoor.0Access) ->  [cf2c13c6401dc5714746b54b9b65ff01]
c:\windows\$ntuninstallkb44758$\218473427\u\80000032.@ (Backdoor.0Access) ->  [e417b2275d004ee898f58080a65a629e]
C:\Documents and Settings\Barber Family\Desktop\Eric\IWON.exe (PUP.FunWebProducts) ->  [aa51ffda3e1ff93d6f00be2c35cebb45]
C:\WINDOWS\system32\config\systemprofile\Desktop\Rapid Antivirus.lnk (Rogue.RapidAntiVirus) ->  [9e5d29b09bc28bab329c138f9969b34d]
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\Rapid Antivirus.lnk (Rogue.RapidAntiVirus) ->  [f3085386b6a7ce68bf2cfbbc778b5ba5]
C:\Documents and Settings\Barber Family\Start Menu\Programs\System Progressive Protection\System Progressive Protection.lnk (Rogue.SystemProgressiveProtection) ->  [e4174a8f97c67db936693572f013b24e]
C:\Documents and Settings\All Users\Application Data\B871983F6C1955700000B870DFD75E42\B871983F6C1955700000B870DFD75E42.exe (Trojan.FakeAlert.SSGen) ->  [ef0c37a2d687112501694b5c946fe11f]
c:\windows\$ntuninstallkb44758$\218473427\@ (Backdoor.0Access) ->  [1edd43967ce1c86e544436ca39c75fa1]
c:\windows\$ntuninstallkb44758$\218473427\desktop.ini (Backdoor.0Access) ->  [1edd43967ce1c86e544436ca39c75fa1]


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

System is currently in a safe mode

Account is Administrative

Internet Explorer version: 6.0.2900.5512

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.793000 GHz
Memory total: 3219222528, free: 2704084992

------------ Kernel report ------------
     12/06/2012 13:45:12
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
VolSnap.sys
iaStor.sys
atapi.sys
cercsr6.sys
\WINDOWS\System32\Drivers\SCSIPORT.SYS
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
PxHelp20.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\e1e5132.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\wg311tn5.sys
\SystemRoot\System32\Drivers\AnyDVD.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\systemroot\system32\drivers\ks.sys
\SystemRoot\System32\Drivers\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\Drivers\dump_iastor.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\framebuf.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\srv.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8ab94ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-0\
Lower Device Object: 0xffffffff8b4d6030
Lower Device Driver Name: \Driver\iastor\
Driver name found: iastor
DriverEntry returned 0x0
Function returned 0x0
Downloaded database version: v2012.12.06.12
Downloaded database version: v2012.12.03.01
Initializing...
Done!
Scanning directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8ab94ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8ab95a88, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8ab94ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b4d6030, DeviceName: \Device\Ide\IAAStorageDevice-0\, DriverName: \Driver\iastor\
------------ End ----------
Upper DeviceData: 0xffffffffe37aad68, 0xffffffff8ab94ab8, 0xffffffff8a42a4a0
Lower DeviceData: 0xffffffffe3798710, 0xffffffff8b4d6030, 0xffffffff8a420498
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Infected: C:\WINDOWS\system32\drivers\redbook.sys --> [Trojan.Agent]
Replacement file found for a file C:\WINDOWS\system32\drivers\redbook.sys
File C:\WINDOWS\system32\drivers\redbook.sys --> [Forged file]
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 8E138E13

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 488263482
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 250000000000 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-488261250-488281250)...
Done!
Performing system, memory and registry scan...
Infected: HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} --> [Adware.Softomate]
Infected: C:\Documents and Settings\Barber Family\Desktop\XvidSetup.exe --> [Adware.HotBar]
Infected: C:\WINDOWS\system32\c_20315.nls --> [Backdoor.0Access]
Infected: C:\Documents and Settings\Barber Family\Local Settings\temp\zf+bGpqw.exe.part --> [PUP.FunWebProducts]
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

System is currently in a safe mode

Account is Administrative

Internet Explorer version: 6.0.2900.5512

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.793000 GHz
Memory total: 3219222528, free: 2770591744

------------ Kernel report ------------
     12/06/2012 14:14:27
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
VolSnap.sys
iaStor.sys
atapi.sys
cercsr6.sys
\WINDOWS\System32\Drivers\SCSIPORT.SYS
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
PxHelp20.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\e1e5132.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\wg311tn5.sys
\SystemRoot\System32\Drivers\AnyDVD.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\systemroot\system32\drivers\ks.sys
\SystemRoot\System32\Drivers\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_iastor.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\framebuf.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\srv.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8b4c7ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-0\
Lower Device Object: 0xffffffff8afa3030
Lower Device Driver Name: \Driver\iastor\
Driver name found: iastor
DriverEntry returned 0x0
Function returned 0x0
Initializing...
Done!
Scanning directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8b4c7ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8ab9be08, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b4c7ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8afa3030, DeviceName: \Device\Ide\IAAStorageDevice-0\, DriverName: \Driver\iastor\
------------ End ----------
Upper DeviceData: 0xffffffffe36306f8, 0xffffffff8b4c7ab8, 0xffffffff8a430630
Lower DeviceData: 0xffffffffe357cda0, 0xffffffff8afa3030, 0xffffffff8a44bcd0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Infected: C:\WINDOWS\system32\drivers\redbook.sys --> [Trojan.Agent]
Replacement file found for a file C:\WINDOWS\system32\drivers\redbook.sys
File C:\WINDOWS\system32\drivers\redbook.sys --> [Forged file]
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 8E138E13

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 488263482
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 250000000000 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-488261250-488281250)...
Done!
Performing system, memory and registry scan...
Infected: HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} --> [Adware.Softomate]
Infected: C:\WINDOWS\system32\c_20315.nls --> [Backdoor.0Access]
Infected: C:\Documents and Settings\Barber Family\Local Settings\temp\zf+bGpqw.exe.part --> [PUP.FunWebProducts]
Infected: C:\Documents and Settings\Barber Family\Local Settings\Application Data\Temp\{55595579-E3BB-4B94-B487-0919C76A5F23} --> [Trojan.P2P.Worm]
Infected: c:\windows\$ntuninstallkb44758$\218473427\l\00000004.@ --> [Backdoor.0Access]
Read File: File "c:\windows\$ntuninstallkb44758$\218473427\l\201d3dde" is compressed (flags = 1)
Infected: c:\windows\$ntuninstallkb44758$\218473427\l\201d3dde --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\l\4cce1f70 --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\l\xewgpjnn --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\u\00000004.@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\u\00000008.@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\u\000000cb.@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\u\80000000.@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\u\80000032.@ --> [Backdoor.0Access]
Infected: C:\Documents and Settings\Barber Family\Desktop\Eric\IWON.exe --> [PUP.FunWebProducts]
Infected: C:\WINDOWS\system32\config\systemprofile\Desktop\Rapid Antivirus.lnk --> [Rogue.RapidAntiVirus]
Infected: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\Rapid Antivirus.lnk --> [Rogue.RapidAntiVirus]
Infected: C:\Documents and Settings\Barber Family\Start Menu\Programs\System Progressive Protection\System Progressive Protection.lnk --> [Rogue.SystemProgressiveProtection]
Infected: C:\Documents and Settings\Barber Family\Start Menu\Programs\System Progressive Protection --> [Rogue.SystemProgressiveProtection]
Infected: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|B871983F6C1955700000B870DFD75E42 --> [Trojan.FakeAlert.SSGen]
Infected: C:\Documents and Settings\All Users\Application Data\B871983F6C1955700000B870DFD75E42\B871983F6C1955700000B870DFD75E42.exe --> [Trojan.FakeAlert.SSGen]
Infected: c:\windows\$ntuninstallkb44758$\218473427\l --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\u --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\1117203828 --> [Backdoor.0Access]
Infected: C:\WINDOWS\$NtUninstallKB20777$\218473427 --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427 --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\desktop.ini --> [Backdoor.0Access]
Done!
Scan finished
=======================================
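
The "Inspecting partition table" block in the system log above prints the MBR fields a rootkit scanner checks before it reads the unpartitioned sectors raw. The following is an added example, not code from this thread or from Malwarebytes, that parses a 512-byte MBR the same way and derives the same facts: boot signature, disk signature, per-entry status/type/LBA/sector count, the sector ranges no partition covers (where a bootkit could keep code outside any file system), and a few structural sanity checks. The sample MBR is constructed in the code to mirror the values the log shows (one active 0x7 partition at LBA 63 with 488263482 sectors on a 250000000000-byte disk); the function and variable names are the example's own.

```python
"""Parse and sanity-check an MBR partition table, as MBAR's "Inspecting
partition table" step reports it.  Added example; the sample MBR below is
constructed to match the values printed in the log, not read from the
poster's disk."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # printed by the log as "MBR Signature: 55AA"


@dataclass
class PartitionEntry:
    index: int
    active: bool      # 0x80 status flag, shown as "Partition is ACTIVE"
    type_id: int      # 0x7 = NTFS/HPFS/exFAT, 0x0 = empty slot
    start_lba: int
    num_sectors: int

    @property
    def last_lba(self) -> int:
        """Last sector the entry covers (inclusive); -1 for an empty slot."""
        return self.start_lba + self.num_sectors - 1


def parse_mbr(mbr: bytes) -> Tuple[int, List[PartitionEntry]]:
    """Return (disk signature, four partition entries) from one 512-byte sector."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature is not 55AA")
    disk_signature = struct.unpack_from("<I", mbr, 440)[0]
    entries = []
    for i in range(4):
        # 16-byte entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, type_id, start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        entries.append(PartitionEntry(i, status == 0x80, type_id, start, count))
    return disk_signature, entries


def unpartitioned_ranges(entries: List[PartitionEntry], total_sectors: int):
    """Inclusive (first, last) sector ranges no partition covers, sector 0 excluded.
    A rootkit scanner reads these raw: nothing on the file system layer sees them."""
    used = sorted((e.start_lba, e.last_lba) for e in entries if e.num_sectors)
    gaps, cursor = [], 1
    for start, last in used:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, last + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def audit_partition_table(entries: List[PartitionEntry], total_sectors: int) -> List[str]:
    """Structural findings worth flagging before trusting the table."""
    findings = []
    active = [e for e in entries if e.active]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for e in entries:
        if e.type_id == 0 and e.num_sectors:
            findings.append(f"entry {e.index}: empty type but {e.num_sectors} sectors")
        if e.num_sectors and e.last_lba >= total_sectors:
            findings.append(f"entry {e.index}: extends past end of disk")
    used = sorted((e.start_lba, e.last_lba, e.index) for e in entries if e.num_sectors)
    for (s1, l1, i1), (s2, l2, i2) in zip(used, used[1:]):
        if s2 <= l1:
            findings.append(f"entries {i1} and {i2} overlap")
    return findings


def build_sample_mbr(entries, disk_signature: int = 0x8E138E13) -> bytes:
    """Construct a 512-byte MBR from (active, type, start_lba, count) tuples; CHS left zero."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", mbr, 440, disk_signature)
    for i, (active, type_id, start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * i, 0x80 if active else 0, type_id, start, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Constructed to mirror the log: one active NTFS partition at LBA 63 on a 250 GB disk.
SAMPLE_MBR = build_sample_mbr([(True, 0x07, 63, 488263482)])
SAMPLE_TOTAL_SECTORS = 250000000000 // SECTOR_SIZE   # 488281250


def report(mbr: bytes = SAMPLE_MBR, total_sectors: int = SAMPLE_TOTAL_SECTORS) -> str:
    sig, entries = parse_mbr(mbr)
    lines = [f"Disk Signature: {sig:08X}"]
    for e in entries:
        state = "ACTIVE" if e.active else "NOT ACTIVE"
        lines.append(f"Partition {e.index} type 0x{e.type_id:X}, {state}, "
                     f"LBA {e.start_lba}, Numsec {e.num_sectors}")
    lines.append(f"Unpartitioned: {unpartitioned_ranges(entries, total_sectors)}")
    lines.append(f"Findings: {audit_partition_table(entries, total_sectors) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

On the constructed sample the audit returns no findings and the two uncovered ranges are sectors 1-62 (the gap before the first partition) and the tail after the partition, which is what the scanner's "unpartitioned space" pass reads. Run it against a real first sector (for instance `open(r"\\.\PhysicalDrive0", "rb").read(512)` as an administrator) to compare with what the tool printed.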

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7144
Re: [Resolved K] fake anti virus ads
« Reply #3 on: December 06, 2012, 04:19:04 pm »
OK, we can take MBAR one step further, continue as follows:

1. Open the mbar folder, run mbar.exe as before....



2. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:



3. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

4. The following image opens, select Next.



5. The following image opens, select Update



6. When the update completes select Next.



7. In the following window ensure "Targets" are ticked. Then select "Scan"



8. If an infection/s are found ensure "Create Restore Point" is checked, then select the "Cleanup Button" to remove threats. Or if you are sure any entries should not be kept, just untick them.



9. The clean-up procedure will be scheduled for processing.



10. When scheduling is complete the following image will appear.



11. Select the Yes tab, the system should re-boot to complete the cleaning process.

12. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

System - log
Mbar - log   Date and time of scan will also be shown, (copy/paste the most recent by date/time)



Thanks,

Kevin

Offline posse4000s

  • Bronze Member
  • Posts: 56
Re: [Resolved K] fake anti virus ads
« Reply #4 on: December 06, 2012, 05:49:24 pm »
The fake anti software did not auto-start. However, I am still not able to start Microsoft Security Essentials: "The specified service does not exist as an installed service." "Error code 0x800704224".

And I did not get any tab pop-ups either. Following are the two logs. Thank you!


Malwarebytes Anti-Rootkit 1.1.0.1009


 v2012.12.06.12

Windows XP Service Pack 3 x86 NTFS
 6.0.2900.5512
Happy Happy Joy Joy :: BARBER

12/6/2012 4:19:32 PM
mbar-log-2012-12-06 (16-19-32).txt

 
 
 
 31186
 54 , 50

 0


 0


 1
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) ->  [0eedeaef67f69e988b8fc18259a902fe]

 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|B871983F6C1955700000B870DFD75E42 (Trojan.FakeAlert.SSGen) ->  C:\Documents and Settings\All Users\Application Data\B871983F6C1955700000B870DFD75E42\B871983F6C1955700000B870DFD75E42.exe ->  [56a5a53464f939fd2f3bfbac8380629e]

 0


 6
C:\Documents and Settings\Barber Family\Start Menu\Programs\System Progressive Protection (Rogue.SystemProgressiveProtection) ->  [0cefd603104dde58f7a83e69b74cbc44]
c:\windows\$ntuninstallkb44758$\218473427\l (Backdoor.0Access) ->  [31ca85544c1148eeb9dc56aa2bd55da3]
c:\windows\$ntuninstallkb44758$\218473427\u (Backdoor.0Access) ->  [37c4ce0b94c96acc5244f70911ef8e72]
c:\windows\$ntuninstallkb44758$\1117203828 (Backdoor.0Access) ->  [19e2c811de7f67cf5e3918e8ee12c63a]
C:\WINDOWS\$NtUninstallKB20777$\218473427 (Backdoor.0Access) ->  [e21937a2bca1ff379afe7888b749ae52]
c:\windows\$ntuninstallkb44758$\218473427 (Backdoor.0Access) ->  [748742977de0e94ddebae020e51bf40c]

 20
C:\WINDOWS\system32\drivers\redbook.sys (Trojan.Agent) ->  [4ec0601086b90fb99f3639661b0d7c94]
C:\WINDOWS\system32\c_20315.nls (Backdoor.0Access) ->  [8e6dffda025bb77f888636cafc04dd23]
C:\Documents and Settings\Barber Family\Local Settings\temp\zf+bGpqw.exe.part (PUP.FunWebProducts) ->  [12e99b3e2f2e4ee80e61bb2f3bc847b9]
C:\Documents and Settings\Barber Family\Local Settings\Application Data\Temp\{55595579-E3BB-4B94-B487-0919C76A5F23} (Trojan.P2P.Worm) ->  [3ebdbe1b253852e4eae8ba86827e3fc1]
c:\windows\$ntuninstallkb44758$\218473427\l\00000004.@ (Backdoor.0Access) ->  [fb0079600e4fa78fdeb13ac6ec140af6]
c:\windows\$ntuninstallkb44758$\218473427\l\201d3dde (Backdoor.0Access) ->  [6497a2370c519d99622db7492ad67e82]
c:\windows\$ntuninstallkb44758$\218473427\l\4cce1f70 (Backdoor.0Access) ->  [da21ae2b392438feace354acd030649c]
c:\windows\$ntuninstallkb44758$\218473427\l\xewgpjnn (Backdoor.0Access) ->  [b348e8f1c99411255639b05038c84ab6]
c:\windows\$ntuninstallkb44758$\218473427\u\00000004.@ (Backdoor.0Access) ->  [36c59c3df36a1e1866275fa1c13f53ad]
c:\windows\$ntuninstallkb44758$\218473427\u\00000008.@ (Backdoor.0Access) ->  [b2497e5b19442115533a679948b857a9]
c:\windows\$ntuninstallkb44758$\218473427\u\000000cb.@ (Backdoor.0Access) ->  [52a9d0093b228caab3da19e7fe02ee12]
c:\windows\$ntuninstallkb44758$\218473427\u\80000000.@ (Backdoor.0Access) ->  [36c5e7f2fa63ca6c820b0bf5669a827e]
c:\windows\$ntuninstallkb44758$\218473427\u\80000032.@ (Backdoor.0Access) ->  [3dbec316de7fa19537569d632ed28c74]
C:\Documents and Settings\Barber Family\Desktop\Eric\IWON.exe (PUP.FunWebProducts) ->  [807b2eabbda0ff37ef805397b053ea16]
C:\WINDOWS\system32\config\systemprofile\Desktop\Rapid Antivirus.lnk (Rogue.RapidAntiVirus) ->  [0deeb623cb923204fdd1f1b10ff3c33d]
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\Rapid Antivirus.lnk (Rogue.RapidAntiVirus) ->  [5e9dc61396c764d2a447833489798878]
C:\Documents and Settings\Barber Family\Start Menu\Programs\System Progressive Protection\System Progressive Protection.lnk (Rogue.SystemProgressiveProtection) ->  [0cefd603104dde58f7a83e69b74cbc44]
C:\Documents and Settings\All Users\Application Data\B871983F6C1955700000B870DFD75E42\B871983F6C1955700000B870DFD75E42.exe (Trojan.FakeAlert.SSGen) ->  [56a5a53464f939fd2f3bfbac8380629e]
c:\windows\$ntuninstallkb44758$\218473427\@ (Backdoor.0Access) ->  [748742977de0e94ddebae020e51bf40c]
c:\windows\$ntuninstallkb44758$\218473427\desktop.ini (Backdoor.0Access) ->  [748742977de0e94ddebae020e51bf40c]


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

System is currently in a safe mode

Account is Administrative

Internet Explorer version: 6.0.2900.5512

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.793000 GHz
Memory total: 3219222528, free: 2704084992

------------ Kernel report ------------
     12/06/2012 13:45:12
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
VolSnap.sys
iaStor.sys
atapi.sys
cercsr6.sys
\WINDOWS\System32\Drivers\SCSIPORT.SYS
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
PxHelp20.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\e1e5132.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\wg311tn5.sys
\SystemRoot\System32\Drivers\AnyDVD.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\systemroot\system32\drivers\ks.sys
\SystemRoot\System32\Drivers\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\Drivers\dump_iastor.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\framebuf.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\srv.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8ab94ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-0\
Lower Device Object: 0xffffffff8b4d6030
Lower Device Driver Name: \Driver\iastor\
Driver name found: iastor
DriverEntry returned 0x0
Function returned 0x0
Downloaded database version: v2012.12.06.12
Downloaded database version: v2012.12.03.01
Initializing...
Done!
Scanning directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8ab94ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8ab95a88, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8ab94ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b4d6030, DeviceName: \Device\Ide\IAAStorageDevice-0\, DriverName: \Driver\iastor\
------------ End ----------
Upper DeviceData: 0xffffffffe37aad68, 0xffffffff8ab94ab8, 0xffffffff8a42a4a0
Lower DeviceData: 0xffffffffe3798710, 0xffffffff8b4d6030, 0xffffffff8a420498
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Infected: C:\WINDOWS\system32\drivers\redbook.sys --> [Trojan.Agent]
Replacement file found for a file C:\WINDOWS\system32\drivers\redbook.sys
File C:\WINDOWS\system32\drivers\redbook.sys --> [Forged file]
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 8E138E13

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 488263482
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 250000000000 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-488261250-488281250)...
Done!
Performing system, memory and registry scan...
Infected: HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} --> [Adware.Softomate]
Infected: C:\Documents and Settings\Barber Family\Desktop\XvidSetup.exe --> [Adware.HotBar]
Infected: C:\WINDOWS\system32\c_20315.nls --> [Backdoor.0Access]
Infected: C:\Documents and Settings\Barber Family\Local Settings\temp\zf+bGpqw.exe.part --> [PUP.FunWebProducts]
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

System is currently in a safe mode

Account is Administrative

Internet Explorer version: 6.0.2900.5512

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.793000 GHz
Memory total: 3219222528, free: 2770591744

------------ Kernel report ------------
     12/06/2012 14:14:27
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
VolSnap.sys
iaStor.sys
atapi.sys
cercsr6.sys
\WINDOWS\System32\Drivers\SCSIPORT.SYS
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
PxHelp20.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\e1e5132.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\wg311tn5.sys
\SystemRoot\System32\Drivers\AnyDVD.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\systemroot\system32\drivers\ks.sys
\SystemRoot\System32\Drivers\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_iastor.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\framebuf.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\srv.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8b4c7ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-0\
Lower Device Object: 0xffffffff8afa3030
Lower Device Driver Name: \Driver\iastor\
Driver name found: iastor
DriverEntry returned 0x0
Function returned 0x0
Initializing...
Done!
Scanning directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8b4c7ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8ab9be08, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b4c7ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8afa3030, DeviceName: \Device\Ide\IAAStorageDevice-0\, DriverName: \Driver\iastor\
------------ End ----------
Upper DeviceData: 0xffffffffe36306f8, 0xffffffff8b4c7ab8, 0xffffffff8a430630
Lower DeviceData: 0xffffffffe357cda0, 0xffffffff8afa3030, 0xffffffff8a44bcd0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Infected: C:\WINDOWS\system32\drivers\redbook.sys --> [Trojan.Agent]
Replacement file found for a file C:\WINDOWS\system32\drivers\redbook.sys
File C:\WINDOWS\system32\drivers\redbook.sys --> [Forged file]
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 8E138E13

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 488263482
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 250000000000 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-488261250-488281250)...
Done!
Performing system, memory and registry scan...
Infected: HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} --> [Adware.Softomate]
Infected: C:\WINDOWS\system32\c_20315.nls --> [Backdoor.0Access]
Infected: C:\Documents and Settings\Barber Family\Local Settings\temp\zf+bGpqw.exe.part --> [PUP.FunWebProducts]
Infected: C:\Documents and Settings\Barber Family\Local Settings\Application Data\Temp\{55595579-E3BB-4B94-B487-0919C76A5F23} --> [Trojan.P2P.Worm]
Infected: c:\windows\$ntuninstallkb44758$\218473427\l\00000004.@ --> [Backdoor.0Access]
Read File: File "c:\windows\$ntuninstallkb44758$\218473427\l\201d3dde" is compressed (flags = 1)
Infected: c:\windows\$ntuninstallkb44758$\218473427\l\201d3dde --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\l\4cce1f70 --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\l\xewgpjnn --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\u\00000004.@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\u\00000008.@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\u\000000cb.@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\u\80000000.@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\u\80000032.@ --> [Backdoor.0Access]
Infected: C:\Documents and Settings\Barber Family\Desktop\Eric\IWON.exe --> [PUP.FunWebProducts]
Infected: C:\WINDOWS\system32\config\systemprofile\Desktop\Rapid Antivirus.lnk --> [Rogue.RapidAntiVirus]
Infected: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\Rapid Antivirus.lnk --> [Rogue.RapidAntiVirus]
Infected: C:\Documents and Settings\Barber Family\Start Menu\Programs\System Progressive Protection\System Progressive Protection.lnk --> [Rogue.SystemProgressiveProtection]
Infected: C:\Documents and Settings\Barber Family\Start Menu\Programs\System Progressive Protection --> [Rogue.SystemProgressiveProtection]
Infected: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|B871983F6C1955700000B870DFD75E42 --> [Trojan.FakeAlert.SSGen]
Infected: C:\Documents and Settings\All Users\Application Data\B871983F6C1955700000B870DFD75E42\B871983F6C1955700000B870DFD75E42.exe --> [Trojan.FakeAlert.SSGen]
Infected: c:\windows\$ntuninstallkb44758$\218473427\l --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\u --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\1117203828 --> [Backdoor.0Access]
Infected: C:\WINDOWS\$NtUninstallKB20777$\218473427 --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427 --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\desktop.ini --> [Backdoor.0Access]
Done!
Scan finished
=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

System is currently in a safe mode

Account is Administrative

Internet Explorer version: 6.0.2900.5512

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.793000 GHz
Memory total: 3219222528, free: 2683645952

------------ Kernel report ------------
     12/06/2012 15:24:30
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
VolSnap.sys
iaStor.sys
atapi.sys
cercsr6.sys
\WINDOWS\System32\Drivers\SCSIPORT.SYS
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
PxHelp20.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\e1e5132.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\wg311tn5.sys
\SystemRoot\System32\Drivers\AnyDVD.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\systemroot\system32\drivers\ks.sys
\SystemRoot\System32\Drivers\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_iastor.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\framebuf.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\srv.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8b4c7ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-0\
Lower Device Object: 0xffffffff8afa3030
Lower Device Driver Name: \Driver\iastor\
Device already Exists: 0xffffffff8a44bcd0
Initializing...
Done!
Scanning directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8b4c7ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8ab9be08, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b4c7ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8afa3030, DeviceName: \Device\Ide\IAAStorageDevice-0\, DriverName: \Driver\iastor\
------------ End ----------
Upper DeviceData: 0xffffffffe3e5a3c0, 0xffffffff8b4c7ab8, 0xffffffff8a430630
Lower DeviceData: 0xffffffffe37db560, 0xffffffff8afa3030, 0xffffffff8a44bcd0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Infected: C:\WINDOWS\system32\drivers\redbook.sys --> [Trojan.Agent]
Replacement file found for a file C:\WINDOWS\system32\drivers\redbook.sys
File C:\WINDOWS\system32\drivers\redbook.sys --> [Forged file]
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 8E138E13

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 488263482
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 250000000000 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-488261250-488281250)...
Done!
Performing system, memory and registry scan...
Infected: HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} --> [Adware.Softomate]
Infected: C:\WINDOWS\system32\c_20315.nls --> [Backdoor.0Access]
Infected: C:\Documents and Settings\Barber Family\Local Settings\temp\zf+bGpqw.exe.part --> [PUP.FunWebProducts]
Infected: C:\Documents and Settings\Barber Family\Local Settings\Application Data\Temp\{55595579-E3BB-4B94-B487-0919C76A5F23} --> [Trojan.P2P.Worm]
Infected: c:\windows\$ntuninstallkb44758$\218473427\l\00000004.@ --> [Backdoor.0Access]
Read File: File "c:\windows\$ntuninstallkb44758$\218473427\l\201d3dde" is compressed (flags = 1)
Infected: c:\windows\$ntuninstallkb44758$\218473427\l\201d3dde --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\l\4cce1f70 --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\l\xewgpjnn --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\u\00000004.@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\u\00000008.@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\u\000000cb.@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\u\80000000.@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\u\80000032.@ --> [Backdoor.0Access]
Infected: C:\Documents and Settings\Barber Family\Desktop\Eric\IWON.exe --> [PUP.FunWebProducts]
Infected: C:\WINDOWS\system32\config\systemprofile\Desktop\Rapid Antivirus.lnk --> [Rogue.RapidAntiVirus]
Infected: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\Rapid Antivirus.lnk --> [Rogue.RapidAntiVirus]
Infected: C:\Documents and Settings\Barber Family\Start Menu\Programs\System Progressive Protection\System Progressive Protection.lnk --> [Rogue.SystemProgressiveProtection]
Infected: C:\Documents and Settings\Barber Family\Start Menu\Programs\System Progressive Protection --> [Rogue.SystemProgressiveProtection]
Infected: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|B871983F6C1955700000B870DFD75E42 --> [Trojan.FakeAlert.SSGen]
Infected: C:\Documents and Settings\All Users\Application Data\B871983F6C1955700000B870DFD75E42\B871983F6C1955700000B870DFD75E42.exe --> [Trojan.FakeAlert.SSGen]
Infected: c:\windows\$ntuninstallkb44758$\218473427\l --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\u --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\1117203828 --> [Backdoor.0Access]
Infected: C:\WINDOWS\$NtUninstallKB20777$\218473427 --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427 --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb44758$\218473427\desktop.ini --> [Backdoor.0Access]
Done!
Scan finished
Creating System Restore point...
Could not create restore point...
Scheduling clean up...
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Removal scheduling successful. System shutdown needed.
System shutdown occured
=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 6.0.2900.5512

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.793000 GHz
Memory total: 3219222528, free: 2717470720

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7144
Re: [Resolved K] fake anti virus ads
« Reply #5 on: December 06, 2012, 06:18:26 pm »
Yep, nasty ZeroAccess infection in addition to the fake software; as usual there may be remnants/leftover additional issues to take care of.

Best to continue with Combofix to check what may still be present...

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

Combofix

  • Ensure that Combofix is saved directly to the Desktop <--- Very important

  • Disable all security programs as they will have a negative effect on Combofix, instructions available Here if required. Be aware the list may not have all programs listed; if you need more help, please ask.

  • Close any open browsers and any other programs you might have running
  • Double click the icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")

  • Instructions for running Combofix available Here if required.

  • If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal

  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Post the log in next reply please...

As you have an issue with MSE probably the best way forward is to UNinstall it, then Re-install and see if it will run OK...

Kevin

Offline posse4000s

  • Bronze Member
  • Posts: 56
Re: [Resolved K] fake anti virus ads
« Reply #6 on: December 07, 2012, 10:06:50 am »
OK, I will uninstall MSE and reinstall. Here is the log from ComboFix; it did reboot the machine and ran itself again to create the following:

ComboFix 12-12-04.01 - Happy Happy Joy Joy 12/07/2012   8:14.7.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3070.2554 [GMT -7:00]
Running from: c:\documents and settings\Barber Family\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Barber Family\Application Data\isjasc.dll
c:\documents and settings\Barber Family\Application Data\sbcof.dll
c:\documents and settings\Barber Family\x.exe
c:\windows\system32\config\systemprofile\Application Data\7ab4848fd6d01acd
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
(((((((((((((((((((((((((   Files Created from 2012-11-07 to 2012-12-07  )))))))))))))))))))))))))))))))
.
.
2012-12-06 16:46 . 2012-12-06 23:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\B871983F6C1955700000B870DFD75E42
2012-12-06 16:45 . 2012-12-06 16:45   59904   ---ha-w-   c:\windows\system32\hppaetup.dll
2012-12-06 14:40 . 2012-11-08 18:00   6812136   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{16B149CF-03EA-467E-AA7D-98B376AC247E}\mpengine.dll
2012-12-04 22:54 . 2012-11-08 18:00   6812136   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-11-26 22:28 . 2012-11-26 22:28   --------   d-----w-   c:\documents and settings\Barber Family\Local Settings\Application Data\ATI
2012-11-26 22:28 . 2012-11-26 22:28   --------   d-----w-   c:\documents and settings\Barber Family\Application Data\ATI
2012-11-26 22:28 . 2012-11-26 22:28   --------   d-----w-   c:\documents and settings\All Users\Application Data\ATI
2012-11-26 22:25 . 2012-11-26 22:25   --------   d-----w-   c:\program files\My Company Name
2012-11-26 22:25 . 2012-11-26 22:25   --------   d-----w-   c:\program files\Common Files\ATI Technologies
2012-11-26 22:23 . 2012-11-26 22:23   --------   d-----w-   c:\program files\ATI
2012-11-26 22:23 . 2012-11-26 22:25   --------   d-----w-   c:\program files\ATI Technologies
2012-11-14 17:03 . 2012-11-14 17:03   --------   d-----w-   c:\documents and settings\Barber Family\Local Settings\Application Data\FileMaker
2012-11-14 17:03 . 2012-11-14 17:03   --------   d-----w-   c:\documents and settings\Barber Family\Local Settings\Application Data\CNS
2012-11-14 17:00 . 2009-06-12 22:39   385024   ------w-   c:\windows\system32\fppmon3.dll
2012-11-14 17:00 . 2009-06-12 22:39   282624   ------w-   c:\windows\system32\fppr332.dll
2012-11-14 15:27 . 2012-11-14 15:27   --------   d-----w-   C:\Inspector FX
2012-11-07 23:29 . 2012-11-07 23:29   65848   ----a-w-   c:\windows\system32\drivers\RapportKELL.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-14 15:09 . 2012-03-30 00:06   697272   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-11-14 15:09 . 2011-07-08 02:17   73656   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-22 08:37 . 2004-08-10 11:00   1866368   ----a-w-   c:\windows\system32\win32k.sys
2012-10-09 03:09 . 2012-08-15 03:09   10220472   ----a-w-   c:\windows\system32\FlashPlayerInstaller.exe
2012-10-02 18:04 . 2004-08-10 11:00   58368   ----a-w-   c:\windows\system32\synceng.dll
2012-12-05 09:55 . 2012-12-05 09:53   262112   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58   94208   ----a-w-   c:\documents and settings\Barber Family\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58   94208   ----a-w-   c:\documents and settings\Barber Family\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58   94208   ----a-w-   c:\documents and settings\Barber Family\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58   94208   ----a-w-   c:\documents and settings\Barber Family\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\off0]
@="{8E33AEC3-C5F2-43C4-B048-9E3EB19B1DD5}"
[HKEY_CLASSES_ROOT\CLSID\{8E33AEC3-C5F2-43C4-B048-9E3EB19B1DD5}]
2012-05-26 15:42   1065776   ----a-w-   c:\program files\Workspace\offsyncext.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\off1]
@="{8E33AEC4-C5F2-43C4-B048-9E3EB19B1DD5}"
[HKEY_CLASSES_ROOT\CLSID\{8E33AEC4-C5F2-43C4-B048-9E3EB19B1DD5}]
2012-05-26 15:42   1065776   ----a-w-   c:\program files\Workspace\offsyncext.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Starfield Updater"="c:\program files\Workspace\WorkspaceUpdate.exe" [2011-09-01 34496]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"Akamai NetSession Interface"="c:\documents and settings\Barber Family\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-10-09 4441920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-11-07 19968]
"CTHelper"="CTHELPER.EXE" [2005-09-19 16384]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-06-16 499608]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"Smart File Advisor"="c:\program files\Smart File Advisor\sfa.exe" [2011-04-04 280824]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-05-15 15504192]
"NvMediaCenter"="NvMCTray.dll" [2012-05-15 108352]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-05-15 1634112]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-08 421776]
"pdfFactory Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2009-06-12 606208]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-2-24 10872]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
R1 RapportCerberus_43926;RapportCerberus_43926;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus32_43926.sys [10/30/2012 1:26 AM 272216]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [11/7/2012 4:29 PM 71480]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/10/2004 4:00 AM 14336]
R2 File Backup;File Backup Service;c:\program files\Workspace\offSyncService.exe [7/16/2010 1:47 PM 1174824]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [11/7/2012 4:29 PM 976728]
R2 Salsvc;Salsvc;c:\program files\SoftActivity\SKL\alsvc.exe [7/21/2009 5:55 AM 38768]
R2 WeOnlyDo wodAppUpdate Service;WeOnlyDo wodAppUpdate Service;c:\windows\system32\wodUpdSv.exe [6/22/2009 6:20 PM 28144]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [11/26/2012 3:24 PM 101392]
R3 NETGEAR_WG311T_SERVICE;NETGEAR WG311T Wireless Adapter Service;c:\windows\system32\drivers\wg311tn5.sys [7/14/2011 4:27 PM 344448]
R3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys [5/30/2012 12:01 AM 21520]
S2 Ca50xav;Digital Blue DMC2 Video Device;c:\windows\system32\drivers\Ca50xav.sys [1/27/2005 7:06 PM 508304]
S2 gupdate1c9867bb6b5ffd0;Google Update Service (gupdate1c9867bb6b5ffd0);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2009 8:50 PM 133104]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:14 PM 160944]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [7/24/2006 9:54 PM 16194]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/28/2007 5:01 PM 42512]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [11/7/2012 4:29 PM 65848]
S3 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [11/7/2012 4:29 PM 166840]
S3 RT-USB;Ross-Tech USB driver;c:\windows\system32\drivers\RT-USB.SYS [5/12/2012 12:05 PM 59464]
S3 SAgentDriver;SAgent Driver;c:\program files\SoftActivity\SKL\sagendrv.sys [7/21/2009 5:55 AM 31088]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\DRIVERS\sxuptp.sys --> c:\windows\system32\DRIVERS\sxuptp.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
S4 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [10/2/2012 12:13 PM 3064000]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai   REG_MULTI_SZ      Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 15:09]
.
2012-12-05 c:\windows\Tasks\AdobeAAMUpdater-1.0-BARBER-Happy Happy Joy Joy.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-10-29 22:43]
.
2012-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 18:34]
.
2012-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 03:50]
.
2012-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 03:50]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: skytonight.com\skychart
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Barber Family\Application Data\Mozilla\Firefox\Profiles\lauacvsq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-12-07 07:26; {37d64652-bd94-4997-aec2-76727a7ac63c}; c:\documents and settings\Barber Family\Application Data\Mozilla\Firefox\Profiles\lauacvsq.default\extensions\{37d64652-bd94-4997-aec2-76727a7ac63c}.xpi
FF - ExtSQL: !HIDDEN! 2009-09-30 12:02; zoomext@starfield; c:\program files\Mozilla Firefox\extensions\zoomext@starfield
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
FF - user.js: yahoo.homepage.dontask - true
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AdobeBridge - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre7\bin\jusched.exe
HKLM-Run-isjasc - c:\documents and settings\Barber Family\Application Data\isjasc.dll
SafeBoot-MsMpSvc
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-07 08:29
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_ce5ba24.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(524)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Completion time: 2012-12-07  08:32:56
ComboFix-quarantined-files.txt  2012-12-07 15:32
.
Pre-Run: 12,899,213,312 bytes free
Post-Run: 14,543,544,320 bytes free
.
- - End Of File - - 85524F7788A831779ADBFCD207151408

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7144
Re: [Resolved K] fake anti virus ads
« Reply #7 on: December 07, 2012, 12:19:22 pm »
We need to upload a file to Jotti

1. Click http://virusscan.jotti.org/ to get to Jotti's site.

2. At the top of the Jotti window, use the Browse button to locate the following file on your system:

c:\windows\system32\hppaetup.dll

3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis.


Upload Same File to Virustotal

Go to http://www.virustotal.com/
  • Click the Browse... button
  • Navigate to the file c:\windows\system32\hppaetup.dll or just copy/paste it in.
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the results back here please.

Kevin

Offline posse4000s

  • Bronze Member
  • Posts: 56
Re: [Resolved K] fake anti virus ads
« Reply #8 on: December 07, 2012, 02:06:54 pm »
I could not find the hppaetup.dll file anywhere on my C: drive....

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7144
Re: [Resolved K] fake anti virus ads
« Reply #9 on: December 07, 2012, 02:52:17 pm »
Yep, I guess it has the hidden attribute. Go here http://www.bleepingcomputer.com/forums/topic43032.html and follow the instructions to show hidden files/folders, then see if that will allow you to navigate to it...

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7144
Re: [Resolved K] fake anti virus ads
« Reply #10 on: December 10, 2012, 04:30:54 am »
Do you still need help/advice?

Offline posse4000s

  • Bronze Member
  • Posts: 56
Re: [Resolved K] fake anti virus ads
« Reply #11 on: December 10, 2012, 03:26:03 pm »
Yes, sorry, I have been offline for a few days. I made sure that the "hidden" files were set to be shown, but I still did not see the hppaetup.dll file.
Thanks, Eric

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7144
Re: [Resolved K] fake anti virus ads
« Reply #12 on: December 10, 2012, 04:03:21 pm »
ok, do the following:

Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:

Code: [Select]
ClearJavaCache::
File::
c:\windows\system32\hppaetup.dll
DDS::
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>

Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2

**Note** You will need to use Internet Explorer for this scan. Vista and Win 7 users: right-click the IE shortcut and run as admin.

Go to the ESET web page http://www.eset.com/home/products/online-scanner/ to run an online scan from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
Click Start
  • When asked, allow the add-on to be installed
Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
  • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish
When the scan is complete

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found
If threats were found

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish
close program
copy and paste the report here

Step 3

Download Security Check by screen317 from here http://screen317.spywareinfoforum.org/SecurityCheck.exe or here http://screen317.changelog.fr/SecurityCheck.exe.
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Post those 3 logs, let me know if you have any remaining issues or concerns..

Kevin

Offline posse4000s

  • Bronze Member
  • Posts: 56
Re: [Resolved K] fake anti virus ads
« Reply #13 on: December 11, 2012, 05:36:56 pm »
Thanks Kevin, here are the 3 logs:

ComboFix 12-12-10.01 - Happy Happy Joy Joy 12/10/2012  17:46:50.8.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3070.2511 [GMT -7:00]
Running from: c:\documents and settings\Barber Family\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Barber Family\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\windows\system32\hppaetup.dll"
.
.
(((((((((((((((((((((((((   Files Created from 2012-11-11 to 2012-12-11  )))))))))))))))))))))))))))))))
.
.
2012-12-11 00:47 . 2012-12-11 00:47   60872   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{21DE1369-5091-4CFB-A34F-12395AFC4BC3}\offreg.dll
2012-12-11 00:46 . 2012-12-11 00:46   29904   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{21DE1369-5091-4CFB-A34F-12395AFC4BC3}\MpKsla0989891.sys
2012-12-10 14:47 . 2012-11-08 17:00   6812136   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{21DE1369-5091-4CFB-A34F-12395AFC4BC3}\mpengine.dll
2012-12-08 16:36 . 2012-11-08 17:00   6812136   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-12-07 16:14 . 2012-12-07 16:14   --------   d-----w-   c:\program files\Microsoft Security Client
2012-12-06 16:46 . 2012-12-06 23:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\B871983F6C1955700000B870DFD75E42
2012-11-26 22:28 . 2012-11-26 22:28   --------   d-----w-   c:\documents and settings\Barber Family\Local Settings\Application Data\ATI
2012-11-26 22:28 . 2012-11-26 22:28   --------   d-----w-   c:\documents and settings\Barber Family\Application Data\ATI
2012-11-26 22:28 . 2012-11-26 22:28   --------   d-----w-   c:\documents and settings\All Users\Application Data\ATI
2012-11-26 22:25 . 2012-11-26 22:25   --------   d-----w-   c:\program files\My Company Name
2012-11-26 22:25 . 2012-11-26 22:25   --------   d-----w-   c:\program files\Common Files\ATI Technologies
2012-11-26 22:23 . 2012-11-26 22:23   --------   d-----w-   c:\program files\ATI
2012-11-26 22:23 . 2012-11-26 22:25   --------   d-----w-   c:\program files\ATI Technologies
2012-11-14 17:03 . 2012-11-14 17:03   --------   d-----w-   c:\documents and settings\Barber Family\Local Settings\Application Data\FileMaker
2012-11-14 17:03 . 2012-11-14 17:03   --------   d-----w-   c:\documents and settings\Barber Family\Local Settings\Application Data\CNS
2012-11-14 17:00 . 2009-06-12 22:39   385024   ------w-   c:\windows\system32\fppmon3.dll
2012-11-14 17:00 . 2009-06-12 22:39   282624   ------w-   c:\windows\system32\fppr332.dll
2012-11-14 15:27 . 2012-11-14 15:27   --------   d-----w-   C:\Inspector FX
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-14 15:09 . 2012-03-30 00:06   697272   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-11-14 15:09 . 2011-07-08 02:17   73656   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-07 23:29 . 2012-11-07 23:29   65848   ----a-w-   c:\windows\system32\drivers\RapportKELL.sys
2012-10-22 08:37 . 2004-08-10 11:00   1866368   ----a-w-   c:\windows\system32\win32k.sys
2012-10-09 03:09 . 2012-08-15 03:09   10220472   ----a-w-   c:\windows\system32\FlashPlayerInstaller.exe
2012-10-02 18:04 . 2004-08-10 11:00   58368   ----a-w-   c:\windows\system32\synceng.dll
2012-12-05 09:55 . 2012-12-05 09:53   262112   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58   94208   ----a-w-   c:\documents and settings\Barber Family\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58   94208   ----a-w-   c:\documents and settings\Barber Family\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58   94208   ----a-w-   c:\documents and settings\Barber Family\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58   94208   ----a-w-   c:\documents and settings\Barber Family\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\off0]
@="{8E33AEC3-C5F2-43C4-B048-9E3EB19B1DD5}"
[HKEY_CLASSES_ROOT\CLSID\{8E33AEC3-C5F2-43C4-B048-9E3EB19B1DD5}]
2012-05-26 15:42   1065776   ----a-w-   c:\program files\Workspace\offsyncext.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\off1]
@="{8E33AEC4-C5F2-43C4-B048-9E3EB19B1DD5}"
[HKEY_CLASSES_ROOT\CLSID\{8E33AEC4-C5F2-43C4-B048-9E3EB19B1DD5}]
2012-05-26 15:42   1065776   ----a-w-   c:\program files\Workspace\offsyncext.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Starfield Updater"="c:\program files\Workspace\WorkspaceUpdate.exe" [2011-09-01 34496]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"Akamai NetSession Interface"="c:\documents and settings\Barber Family\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-10-09 4441920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-11-07 19968]
"CTHelper"="CTHELPER.EXE" [2005-09-19 16384]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-06-16 499608]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"Smart File Advisor"="c:\program files\Smart File Advisor\sfa.exe" [2011-04-04 280824]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-08 421776]
"pdfFactory Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2009-06-12 606208]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 947176]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-2-24 10872]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Barber Family\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 MpKsla0989891;MpKsla0989891;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{21DE1369-5091-4CFB-A34F-12395AFC4BC3}\MpKsla0989891.sys [12/10/2012 5:46 PM 29904]
R1 RapportCerberus_43926;RapportCerberus_43926;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus32_43926.sys [10/30/2012 1:26 AM 272216]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [11/7/2012 4:29 PM 71480]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/10/2004 4:00 AM 14336]
R2 File Backup;File Backup Service;c:\program files\Workspace\offSyncService.exe [7/16/2010 1:47 PM 1174824]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [11/7/2012 4:29 PM 976728]
R2 Salsvc;Salsvc;c:\program files\SoftActivity\SKL\alsvc.exe [7/21/2009 5:55 AM 38768]
R2 WeOnlyDo wodAppUpdate Service;WeOnlyDo wodAppUpdate Service;c:\windows\system32\wodUpdSv.exe [6/22/2009 6:20 PM 28144]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [11/26/2012 3:24 PM 101392]
R3 NETGEAR_WG311T_SERVICE;NETGEAR WG311T Wireless Adapter Service;c:\windows\system32\drivers\wg311tn5.sys [7/14/2011 4:27 PM 344448]
R3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys [5/30/2012 12:01 AM 21520]
S2 Ca50xav;Digital Blue DMC2 Video Device;c:\windows\system32\drivers\Ca50xav.sys [1/27/2005 7:06 PM 508304]
S2 gupdate1c9867bb6b5ffd0;Google Update Service (gupdate1c9867bb6b5ffd0);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2009 8:50 PM 133104]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:14 PM 160944]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [7/24/2006 9:54 PM 16194]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/28/2007 5:01 PM 42512]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [11/7/2012 4:29 PM 65848]
S3 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [11/7/2012 4:29 PM 166840]
S3 RT-USB;Ross-Tech USB driver;c:\windows\system32\drivers\RT-USB.SYS [5/12/2012 12:05 PM 59464]
S3 SAgentDriver;SAgent Driver;c:\program files\SoftActivity\SKL\sagendrv.sys [7/21/2009 5:55 AM 31088]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\DRIVERS\sxuptp.sys --> c:\windows\system32\DRIVERS\sxuptp.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
S4 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [10/2/2012 12:13 PM 3064000]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLA0989891
*NewlyCreated* - RAPPORTIASO
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai   REG_MULTI_SZ      Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 15:09]
.
2012-12-08 c:\windows\Tasks\AdobeAAMUpdater-1.0-BARBER-Happy Happy Joy Joy.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-10-29 22:43]
.
2012-12-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 18:34]
.
2012-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 03:50]
.
2012-12-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 03:50]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: skytonight.com\skychart
FF - ProfilePath - c:\documents and settings\Barber Family\Application Data\Mozilla\Firefox\Profiles\lauacvsq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-12-07 07:26; {37d64652-bd94-4997-aec2-76727a7ac63c}; c:\documents and settings\Barber Family\Application Data\Mozilla\Firefox\Profiles\lauacvsq.default\extensions\{37d64652-bd94-4997-aec2-76727a7ac63c}.xpi
FF - ExtSQL: !HIDDEN! 2009-09-30 12:02; zoomext@starfield; c:\program files\Mozilla Firefox\extensions\zoomext@starfield
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-10 18:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_ce5ba24.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(524)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Completion time: 2012-12-10  18:05:22
ComboFix-quarantined-files.txt  2012-12-11 01:05
ComboFix2.txt  2012-12-07 15:32
.
Pre-Run: 14,302,498,816 bytes free
Post-Run: 14,310,428,672 bytes free
.
- - End Of File - - 42839447D49EBFE3077477685C04955B

C:\Program Files\SoftActivity\SKL\sagendrv.sys   Win32/Spy.ActivityMonitor.D application
C:\Qoobox\Quarantine\C\Documents and Settings\Barber Family\Application Data\isjasc.dll.vir   a variant of Win32/Medfos.GL trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Barber Family\Application Data\sbcof.dll.vir   a variant of Win32/Medfos.GM trojan
C:\System Volume Information\_restore{10E88403-46D8-4963-B338-95ECF663527B}\RP1\A0000026.dll   a variant of Win32/Medfos.GL trojan
C:\System Volume Information\_restore{10E88403-46D8-4963-B338-95ECF663527B}\RP1\A0000027.dll   a variant of Win32/Medfos.GM trojan


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

 Results of screen317's Security Check version 0.99.56 
 Windows XP Service Pack 3 x86   
 Internet Explorer 6 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Microsoft Security Essentials   
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 WinPatrol
 Java(TM) 7 Update 1 
 Java version out of Date!
 Adobe Flash Player    11.5.502.110 
 Adobe Reader 10.1.4 Adobe Reader out of Date! 
 Mozilla Firefox (17.0.1)
````````Process Check: objlist.exe by Laurent````````
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
 WinPatrol winpatrol.exe
 BillP Studios WinPatrol winpatrol.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 10%
````````````````````End of Log``````````````````````

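An added triage example (not from this thread or from any of the tools used in it): the logs above are long, and the items that ended up mattering were a Run entry pointing at a DLL under the user's Application Data folder (isjasc.dll, which ESET later identified in quarantine as a Win32/Medfos variant), a ProxyOverride value carrying a loopback address and port, and the usual noise of orphaned and missing-file entries. The script below runs a few such heuristics over ComboFix-style log lines. The rule names and the rule set are my own; the sample lines are constructed from the logs posted in this thread. A hit is a prompt to verify (hash the file, check the signer, see what is listening on the port), not a verdict: the Akamai NetSession entry trips the same user-profile rule and is legitimate software.

```python
import re

# Constructed sample: one line per pattern, copied from the ComboFix logs
# posted in this thread, plus a benign control line (msseces.exe).
SAMPLE_LOG = r'''
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"Akamai NetSession Interface"="c:\documents and settings\Barber Family\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-10-09 4441920]
HKLM-Run-isjasc - c:\documents and settings\Barber Family\Application Data\isjasc.dll
HKCU-Run-AdobeBridge - (no file)
S3 sxuptp;SXUPTP Driver;c:\windows\system32\DRIVERS\sxuptp.sys --> c:\windows\system32\DRIVERS\sxuptp.sys [?]
2012-12-06 16:46 . 2012-12-06 23:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\B871983F6C1955700000B870DFD75E42
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
'''

# Executable/driver paths as ComboFix prints them: drive letter, then anything
# up to the first quote or bracket, ending in a code-carrying extension.
PATH_RE = re.compile(r'[a-z]:\\[^"\[\r\n]+?\.(?:exe|dll|sys|cpl|scr)\b', re.I)
# Profile locations a standard user can write to. Legitimate software does
# install there (Akamai, Dropbox), so a hit means "verify", not "malicious".
USER_WRITABLE_RE = re.compile(r'\\(?:application data|local settings|temp)\\', re.I)
# A bare 32-hex-digit path component (no braces or dashes, so not a GUID).
HEX_NAME_RE = re.compile(r'\\([0-9a-f]{32})(?=[\\.\s]|$)', re.I)
# A loopback host:port inside a proxy setting.
LOCAL_PROXY_RE = re.compile(r'(?:127\.0\.0\.1|localhost):\d+')


def triage_line(line):
    """Return a list of (rule, detail) findings for one log line."""
    s = line.strip()
    findings = []
    if not s:
        return findings
    # ProxyOverride is the proxy *bypass* list; a loopback:port there is odd.
    if "proxyoverride" in s.lower():
        m = LOCAL_PROXY_RE.search(s)
        if m:
            findings.append(("local-proxy-override", m.group(0)))
    # ComboFix marks a service/driver whose file is absent with a trailing [?].
    if s.endswith("[?]"):
        m = PATH_RE.search(s)
        findings.append(("missing-file", m.group(0) if m else s))
    # Orphan autostart entries: the value remains, the target is gone.
    if "(no file)" in s.lower() or "<no file>" in s.lower():
        findings.append(("orphan", s))
    # Any autostart/service binary living under a user-writable profile path.
    for path in PATH_RE.findall(s):
        if USER_WRITABLE_RE.search(path):
            findings.append(("user-profile-binary", path))
    m = HEX_NAME_RE.search(s)
    if m:
        findings.append(("hex-named-path", m.group(1)))
    return findings


def triage(log_text):
    """Run triage_line over a whole log; returns (line_no, rule, detail) tuples."""
    return [(n, rule, detail)
            for n, line in enumerate(log_text.splitlines(), 1)
            for rule, detail in triage_line(line)]


if __name__ == "__main__":
    for n, rule, detail in triage(SAMPLE_LOG):
        print(f"line {n:>3}  {rule:<22} {detail}")
```

Run as-is it prints six findings in log order; to use it on a real log, read ComboFix.txt into a string and pass it to `triage`. Because ProxyOverride is the bypass list rather than the proxy address, a loopback:port entry there is worth pairing with a look at the ProxyServer/ProxyEnable values in the same key and a `netstat -ano` for that port, so you know whether anything was actually listening before the entry was removed.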
Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7144
Re: [Resolved K] fake anti virus ads
« Reply #14 on: December 11, 2012, 06:26:50 pm »
OK do the following:

Remove Combofix now that we're done with it
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")


  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
The above procedure will delete the following:
  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

It is very important that you get a successful uninstall because of the extra functions done at the same time, let me know if this does not happen.

Next,

Delete MBAR folder from your Desktop..

Next,

We need to remove ESET Online Scanner (If installed).

  • Click Start, click Run, type control appwiz.cpl in the Open box, and then press ENTER.
  • Click to select ESET Online Scanner from the application list, and then click Remove. Only re-boot if prompted
Next,

  • Download OTC by OldTimer and save it to your desktop. Alternative mirror
  • Double click icon to start the program.
    If you are using Vista or Windows 7 accept UAC
  • Then Click the big button.
  • You will get a prompt saying "Beginning Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
  • This will remove tools we have used and itself.


Any tools/logs remaining on the Desktop can be deleted.

Next,

Visit http://get.adobe.com/uk/reader/otherversions/ and download the latest version of Acrobat Reader

Step 1 - Select your Operating System.
Step 2 - Select your Language.
Step 3 - Select latest version.

Untick the option for McAfee security scanner if offered.

Download and install.

Having the latest updates ensures there are no security vulnerabilities in your system.

Next,

Your Java may be out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:

Go to http://java.com/en/ and click on "Do I have Java"
It will check your current version and then offer to update to the latest version
Watch for and make sure you untick the box next to whatever free program they prompt you to install during the installation, unless you want it.

***Note: Check in Programs and Features (or Add/Remove Programs if you are an XP user) to make certain there are no old versions of Java still installed, if so - remove them.

Next,

Download TFC  to your desktop, from either of the following links
http://oldtimer.geekstogo.com/TFC.exe
http://itxassociates.com/OT-Tools/TFC.exe
  • Save any open work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program. Vista or Windows 7 users accept the UAC alert.
  • If prompted, click "Yes" to reboot.
TFC will automatically close any open programs, including your Desktop. Let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. TFC may re-boot your system; if not, re-boot it yourself to complete the cleaning process <---- Very Important

Keep TFC; it is an excellent utility to run weekly to keep your system optimized. It empties all user temp folders, Java cache etc. Always remember to re-boot after a run, even if not prompted.

Let me know if those steps complete OK, also if any issues or concerns remain...

Kevin