Jump to content

XP Security 2012 Rouge, and constant outgoing connections being detected


Recommended Posts

OK, I have probably already caused more damage than good trying to fix this but here goes anyway.

About 2 weeks ago this rouge XP Security 2012 showed up on my system.

Microsoft Windows XP Home Edition

Version 2002

Service Pack 3

Computer

Intel® Pentium® Dual CPU

E2160 @ 1.80GHz

1.79 GHz, 2.00 GB of RAM

Physical Address Extension

Running McAfee Security Center

My system kept getting all the false security pop-ups then over the period of a hour or so ended up having all the .exe file extensions taken over to so that I couldn't run any antivirus or open any programs. I found a website that recommended for me to check my services.msc , and I found almost everything turned off. I turned on the services again then downloaded and ran Malwarebytes. It found a bunch of problems which it repaired, and my problems appeared to go away.

Yesterday, which is a week later, the XP Security 2012, pop ups came back. I tried running Norton Power Eraser from there website, along with McAfee Stinger, spybotsd162, System Repair Engineer , ect ect ect...... each program seamed to find something. This morning I updated Malwarebytes and turned on the protection module, which for some reason had turned off. I have noticed about every 30 seconds or so since that constant outgoing connections are being detected and stopped by Malwarebytes.

OK , maybe its just me but this has given me the impression that I have been doing nothing but tread water for the last week and this rouge is downloading new infections via this connection faster than i can delete them. UHG!!

Where do I go from here I have no Idea but from what I have read on these forums so far you all seam to be pretty sharp when it comes to these things, Please tell me what to download, and which buttons to push, and I am there.

Here is my present situation as of this morning

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24

Run by Jeffrey Croy at 13:22:55 on 2011-12-03

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1173 [GMT -6:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

.

============== Running Processes ===============

.

C:\windows\system32\svchost -k DcomLaunch

C:\windows\system32\svchost -k rpcss

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\spoolsv.exe

C:\windows\system32\netdde.exe

C:\windows\system32\cisvc.exe

C:\Program Files\Windows Live\Family Safety\fsssvc.exe

C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

C:\WINDOWS\system32\mfevtps.exe

C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe

C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe

C:\windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\windows\system32\ntvdm.exe

C:\windows\Explorer.EXE

C:\windows\system32\rundll32.exe

C:\windows\system32\ctfmon.exe

C:\windows\system32\cidaemon.exe

C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\WINDOWS\system32\msiexec.exe

C:\windows\system32\taskmgr.exe

C:\windows\System32\ping.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

mStart Page = about:blank

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110518114002.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Xvid] c:\program files\xvid\CheckUpdate.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [LTWinModem1] ltmsg.exe 9

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun

mRun: [brMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [Alcmtr] ALCMTR.EXE

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\malwar~1.lnk - c:\program files\malwarebytes' anti-malware\mbam.exe

IE: Lookup on Merriam Webster

IE: Lookup on Wikipedia

IE: Translate this web page with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm

IE: Translate with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Action.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

LSP: mswsock.dll

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1288920691359

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{A1206095-0C4B-4DA5-84D3-C323F843769F} : DhcpNameServer = 192.168.1.254

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\jeffrey croy\application data\mozilla\firefox\profiles\34ib09as.default\

FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=toolbar2&q=

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 60202

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll

FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlchromebrowserrecordext.dll

FF - plugin: c:\program files\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlhtml5videoshim.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-13 387480]

R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2011-7-19 22312]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-2-24 84200]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-11-4 54760]

R2 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-29 366152]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-24 271480]

R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-24 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-24 271480]

R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-24 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-2-24 171168]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-2-24 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-2-24 141792]

R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\realnetworks\realdownloader\rndlresolversvc.exe [2011-7-19 31424]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-2-24 56064]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-29 22216]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-2-24 153280]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-2-24 52320]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-2-24 314088]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-2-24 88736]

S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-12-25 36608]

S3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\turbine\turbine download manager\TurbineMessageService.exe [2011-8-28 267760]

S3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\turbine\turbine download manager\TurbineNetworkService.exe [2011-8-28 218608]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-2-24 88736]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-2-24 84488]

S3 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-3-9 92592]

S4 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-14 136176]

S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-14 136176]

S4 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-12-03 17:00:39 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-12-03 17:00:39 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy

2011-12-03 02:40:56 -------- d-----w- c:\program files\SpyZooka

2011-12-03 01:43:07 -------- d-----w- C:\NPE

2011-11-30 03:40:41 -------- d-----w- C:\ERDNT

2011-11-30 01:18:56 -------- d-----w- c:\documents and settings\jeffrey croy\local settings\application data\NPE

2011-11-30 00:29:01 -------- d-----w- C:\TDSSKiller_Quarantine

2011-11-29 22:37:17 -------- d-----w- c:\documents and settings\jeffrey croy\application data\Malwarebytes

2011-11-29 22:37:06 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-11-29 22:37:02 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-29 22:37:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-29 09:28:37 -------- d-----w- c:\windows\pss

2011-11-29 09:21:29 -------- d-----w- c:\documents and settings\all users\application data\Norton

2011-11-28 23:21:41 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll

2011-11-28 23:21:06 -------- d-----w- c:\program files\common files\xing shared

2011-11-28 23:20:49 150696 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll

2011-11-28 23:20:34 108544 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll

2011-11-28 23:20:25 499712 ----a-w- c:\windows\system32\msvcp71.dll

2011-11-28 23:20:25 348160 ----a-w- c:\windows\system32\msvcr71.dll

.

==================== Find3M ====================

.

2011-11-30 00:29:37 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-10-05 21:41:15 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 13:23:51.28 ===============

Link to post
Share on other sites

:welcome:

Sorry about the delay in responding :(

We look for post with 0 replies, so when you posted to your own log, we assumed you were being helped.

Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps

This infection can also disable access to the internet when it's been removed.

It will be impossible to be 100% sure that the machine is clean, if this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.

Link to post
Share on other sites

Thanks for the response. Per your recommendations I changed all passwords, and backed up sensitive data. I was able to get the "Infection/situation" corrected via Malwarebytes e-mail support, using ComboFix. The Support ticket is #198492 . Thanks again for the professional assistance

:welcome:

Sorry about the delay in responding :(

We look for post with 0 replies, so when you posted to your own log, we assumed you were being helped.

Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps

This infection can also disable access to the internet when it's been removed.

It will be impossible to be 100% sure that the machine is clean, if this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.

Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.