
Fake Anti-malware "security defender"


DebS


I've been infected with a fake anti-malware called "security defender". It's designed to look a lot like Windows Security. I was able to run MBAM with today's definitions and see nothing. I ran DDS and when I tried to post to the forum it hijacked me, saying I had infections that needed to be cleaned before I could post. I'm working from another computer. Here are the DDS logs:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29

Run by SiwikMuller at 17:02:33 on 2011-12-09

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.410 [GMT -5:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\NavNT\vptray.exe

C:\Program Files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\SYSTEM32\rundll32.exe

C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\NavNT\defwatch.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\iPod\bin\iPodService.exe

svchost.exe

C:\WINDOWS\system32\MsgSys.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

uInternet Settings,ProxyOverride = hxxp://localhost;*.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [gpbqfg] rundll32.exe "c:\documents and settings\siwikmuller\local settings\application data\app\gpbqfg.dll",wmain

mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"

mRun: [vptray] c:\program files\navnt\vptray.exe

mRun: [Disk Monitor] c:\program files\lexar media\usb card reader driver v2.1g\Disk_Monitor.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

StartupFolder: c:\docume~1\siwikm~1\startm~1\programs\startup\5f7ede~1.lnk - c:\windows\system32\rundll32.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\5f7ede~1.lnk - c:\windows\system32\rundll32.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\aim\aim.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

DPF: {4E7BD74F-2B8D-469E-D7EE-FE6FA781BF33} - hxxp://downloads.netscape.com/search/toolbar/netscape.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.1 192.168.1.1

TCP: Interfaces\{757F593B-DB24-4625-A8A6-3B65070ABECA} : DhcpNameServer = 192.168.1.1 192.168.1.1

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxsrvc.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\siwikmuller\application data\mozilla\firefox\profiles\7ipgivmu.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?hl=en

FF - component: c:\documents and settings\siwikmuller\application data\mozilla\firefox\profiles\7ipgivmu.default\extensions\refractor@developer.mozilla.org\components\prism.dll

FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\documents and settings\siwikmuller\application data\facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\siwikmuller\application data\move networks\plugins\npqmp071504000001.dll

FF - plugin: c:\documents and settings\siwikmuller\application data\move networks\plugins\npqmp071505000010.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\common files\doubletwist\NPPodcast.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============

.

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2003-7-9 4064]

R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-7-3 353168]

R2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [2010-8-4 6656]

R2 NAVAPEL;NAVAPEL;c:\program files\navnt\Navapel.sys [2000-10-9 7888]

R2 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\navnt\rtvscan.exe [2000-10-25 430080]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-2-4 280344]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-9-6 14336]

.

=============== Created Last 30 ================

.

2011-12-09 21:15:43 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{a034a5a2-b36c-4721-8517-6404f6c6ce7e}\offreg.dll

2011-12-09 21:12:47 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{a034a5a2-b36c-4721-8517-6404f6c6ce7e}\mpengine.dll

2011-12-09 06:26:01 132096 --sha-w- c:\windows\system32\5F7EDECA-4874-A13B-BBD7-F75F2C407067.avi

2011-12-09 06:26:01 132096 --sha-w- c:\documents and settings\siwikmuller\local settings\application data\5F7EDECA-4874-A13B-BBD7-F75F2C407067.avi

2011-12-09 06:26:01 132096 --sha-w- c:\documents and settings\siwikmuller\application data\5F7EDECA-4874-A13B-BBD7-F75F2C407067.avi

2011-12-09 06:26:01 132096 --sha-w- c:\documents and settings\all users\application data\5F7EDECA-4874-A13B-BBD7-F75F2C407067.avi

2011-12-09 06:26:01 -------- d-----w- c:\documents and settings\siwikmuller\local settings\application data\App

2011-12-09 06:26:01 -------- d-----w- c:\documents and settings\siwikmuller\application data\Security Defender

.

==================== Find3M ====================

.

2011-11-11 21:53:04 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-06 15:49:17 4550 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-10-03 09:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-10-03 06:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

.

============= FINISH: 17:04:12.32 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 7/8/2003 7:50:11 PM

System Uptime: 12/9/2011 4:14:49 PM (1 hours ago)

.

Motherboard: Dell Computer Corporation | | 07W080

Processor: Intel® Pentium® 4 CPU 2.20GHz | Socket 478 | 2192/400mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 37 GiB total, 9.511 GiB free.

D: is CDROM ()

E: is CDROM ()

G: is FIXED (NTFS) - 233 GiB total, 148.66 GiB free.

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Cisco Systems VPN Adapter

Device ID: ROOT\NET\0000

Manufacturer: Cisco Systems

Name: Cisco Systems VPN Adapter

PNP Device ID: ROOT\NET\0000

Service: CVirtA

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.


.

==== End Of File ===========================


Welcome to the forum.

THESE ARE THE BAD GUYS:

c:\documents and settings\siwikmuller\local settings\application data\app\gpbqfg.dll",wmain

c:\docume~1\siwikm~1\startm~1\programs\startup\5f7ede~1.lnk - c:\windows\system32\rundll32.exe

c:\docume~1\alluse~1\startm~1\programs\startup\5f7ede~1.lnk - c:\windows\system32\rundll32.exe

See if following this guide works.

There's also an uninstall guide below:

http://www.bleepingcomputer.com/virus-removal/remove-security-defender

Make sure you run rkill and then immediately run MBAM as described.

Most important....update MBAM before you run it.

The link below explains how to rename MBAM if needed:

http://forums.malwarebytes.org/index.php?showtopic=55485&view=findpost&p=274963

Post the logs back here. Good luck....MrC

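As an added example (not code from this thread, and not a DDS, OTL or MBAM tool), the script below applies MrC's reasoning to lines in the DDS report's own format: it flags a Run entry that uses rundll32 to load a DLL out of a profile "application data" folder, Startup-folder shortcuts whose target is rundll32.exe itself, and hidden+system files with GUID-style names. The sample lines are copied from the DDS report posted above, with a few benign neighbours kept as controls; a hit is a lead to verify, not a verdict.

```python
"""Triage DDS report lines for the persistence pattern called out in this thread.

Added example, not part of the thread and not a DDS/OTL/MBAM tool: it reads
lines in the DDS 'Pseudo HJT Report' / 'Created Last 30' format and flags
(1) a Run entry that uses rundll32 to load a DLL from a profile data folder,
(2) a Startup-folder shortcut whose target is rundll32.exe itself, and
(3) a hidden+system file with a GUID-style name. A hit is a lead, not a verdict.
"""
import re
from typing import Dict, List, Optional

# Line shapes as DDS prints them (see the report above).
RUN_RE = re.compile(r"^(?P<hive>[um])Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^StartupFolder:\s+(?P<lnk>.+?\.lnk)\s+-\s+(?P<target>.+)$")
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\S+)\s+(?P<attr>\S{8})\s+(?P<path>.+)$"
)
# rundll32[.exe] "<dll>",<entry point>  -- the loader shape of the [gpbqfg] uRun line
RUNDLL_RE = re.compile(r'^(?:.*\\)?rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<entry>\S+)', re.I)
GUID_NAME_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.", re.I)


def check_run(line: str) -> Optional[str]:
    """Run key entry: rundll32 loading a DLL out of 'application data' is the rogue's loader."""
    m = RUN_RE.match(line)
    if not m:
        return None
    r = RUNDLL_RE.match(m.group("cmd").strip())
    if not r:
        return None
    dll = r.group("dll").strip().lower()
    if "\\application data\\" not in dll:
        return None
    return f"Run [{m.group('name')}]: rundll32 loads {dll} at entry point {r.group('entry')} from a profile data folder"


def check_startup(line: str) -> Optional[str]:
    """Startup-folder .lnk: DDS shows only the target, so a shortcut to rundll32.exe needs its arguments inspected."""
    m = STARTUP_RE.match(line)
    if not m:
        return None
    target = m.group("target").strip().lower()
    if target == "rundll32.exe" or target.endswith("\\rundll32.exe"):
        return f"StartupFolder {m.group('lnk')}: shortcut to rundll32.exe (DLL argument is inside the .lnk)"
    return None


def check_created(line: str) -> Optional[str]:
    """Created Last 30: hidden+system (s,h attributes) file with a GUID name, dropped in several places at once."""
    m = CREATED_RE.match(line)
    if not m:
        return None
    attr, path = m.group("attr"), m.group("path")
    name = path.rsplit("\\", 1)[-1]
    if "s" in attr and "h" in attr and GUID_NAME_RE.match(name):
        return f"Created {m.group('ts')}: hidden+system file with GUID name {name}"
    return None


def triage(dds_text: str) -> List[Dict[str, str]]:
    """Run every check over every line; each finding keeps the original line for quoting in a reply."""
    findings: List[Dict[str, str]] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        for check in (check_run, check_startup, check_created):
            hit = check(line)
            if hit:
                findings.append({"line": line, "finding": hit})
                break
    return findings


# Sample input: lines copied from the DDS report posted above, plus benign neighbours as controls.
SAMPLE_DDS = r"""
uRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe
uRun: [gpbqfg] rundll32.exe "c:\documents and settings\siwikmuller\local settings\application data\app\gpbqfg.dll",wmain
mRun: [vptray] c:\program files\navnt\vptray.exe
StartupFolder: c:\docume~1\siwikm~1\startm~1\programs\startup\5f7ede~1.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\5f7ede~1.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
2011-12-09 06:26:01 132096 --sha-w- c:\windows\system32\5F7EDECA-4874-A13B-BBD7-F75F2C407067.avi
2011-12-09 21:15:43 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{a034a5a2-b36c-4721-8517-6404f6c6ce7e}\offreg.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f["finding"])
```

The two StartupFolder hits are the reason a fix that only removes the Run value comes back after a reboot: one shortcut sits in the user's Startup folder and one in All Users, so the loader is relaunched at every logon.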

Sorry, but it didn't work. Went through the whole thing, looked like MBAM deleted the files, and when I rebooted into normal mode it was back!

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Rkill was run on 12/09/2011 at 20:44:04.

Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

Rkill completed on 12/09/2011 at 20:44:08.

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8345

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

12/9/2011 9:02:00 PM

mbam-log-2011-12-09 (21-01-59).txt

Scan type: Quick scan

Objects scanned: 188468

Time elapsed: 11 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

c:\documents and settings\siwikmuller\application data\security defender (Rogue.SecurityDefender) -> Quarantined and deleted successfully.

Files Infected:

c:\documents and settings\siwikmuller\application data\security defender\{b667d585-8c1f-4444-b884-8c93107aff8e}.pst (Rogue.SecurityDefender) -> Quarantined and deleted successfully.

c:\documents and settings\siwikmuller\application data\security defender\{f3b047b6-4113-448d-cb9c-bc0cc80a67c9}.pst (Rogue.SecurityDefender) -> Quarantined and deleted successfully.


Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTL.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC


Advanced SystemCare 4

http://www.systemlookup.com/Drivers/5068-ASCService_exe.html

I strongly advise you to uninstall this application.

-----------------------------------

Enable Hidden files:

http://www.howtogeek.com/howto/windows/display-hidden-folders-in-xp/

Please locate this file and upload it to VirusTotal for a free scan:

C:\Documents and Settings\SiwikMuller\Local Settings\Application Data\App\gpbqfg.dll

http://www.virustotal.com/

Let me know the results.

-------------------------------

I suspect it's malware; if VirusTotal confirms this, please do the following:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O4 - HKU\S-1-5-21-3818900820-2077995646-4232387374-1006..\Run: [gpbqfg] C:\Documents and Settings\SiwikMuller\Local Settings\Application Data\App\gpbqfg.dll (Microsoft Corporation)


  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Let me know, MrC


It took about 2 secs to run.

========== OTL ==========

Registry value HKEY_USERS\S-1-5-21-3818900820-2077995646-4232387374-1006\Software\Microsoft\Windows\CurrentVersion\Run\\gpbqfg deleted successfully.

C:\Documents and Settings\SiwikMuller\Local Settings\Application Data\App\gpbqfg.dll moved successfully.

OTL by OldTimer - Version 3.2.31.0 log created on 12102011_172131


Once again MBAM identified and removed the malware, and once again it's back when I reboot.

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8349

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/10/2011 6:16:48 PM

mbam-log-2011-12-10 (18-16-48).txt

Scan type: Quick scan

Objects scanned: 189858

Time elapsed: 16 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

c:\documents and settings\siwikmuller\application data\security defender (Rogue.SecurityDefender) -> Quarantined and deleted successfully.

Files Infected:

c:\documents and settings\siwikmuller\application data\security defender\{992d27de-efd0-4cf5-33a7-829728c82c8d}.pst (Rogue.SecurityDefender) -> Quarantined and deleted successfully.

c:\documents and settings\siwikmuller\application data\security defender\{ba05cf18-ba27-4a9a-2a86-489785baed27}.pst (Rogue.SecurityDefender) -> Quarantined and deleted successfully.

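Added example, not part of the thread and not Malwarebytes' own code: a small Python parser for the MBAM 1.5x log layout posted above. The sample text is the log from this post with blank lines dropped, embedded so the script runs offline. It separates the summary counts from the per-section items, cross-checks the two, and flags the pattern visible here: every hit is a folder or file under the user's Application Data, with nothing in memory or the registry, which is consistent with a scan that cleans the rogue's data directory but has not caught whatever recreates it at the next logon.

```python
"""Parse a Malwarebytes' Anti-Malware 1.5x scan log (layout as posted above).

Added example; not from the thread and not Malwarebytes' own code. The sample
below is the second MBAM log from the thread, trimmed of blank lines.
"""
import re
from dataclasses import dataclass, field

SECTION_NAMES = (
    "Memory Processes Infected", "Memory Modules Infected",
    "Registry Keys Infected", "Registry Values Infected",
    "Registry Data Items Infected", "Folders Infected", "Files Infected",
)
# "Files Infected: 2"  (summary block, one line per section)
SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "<item> (<family>) -> <action>."  (one line per detected object)
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Constructed sample: copied from the MBAM log in the post above.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.51.2.1300
Database version: 8349
Scan type: Quick scan
Objects scanned: 189858
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
c:\documents and settings\siwikmuller\application data\security defender (Rogue.SecurityDefender) -> Quarantined and deleted successfully.
Files Infected:
c:\documents and settings\siwikmuller\application data\security defender\{992d27de-efd0-4cf5-33a7-829728c82c8d}.pst (Rogue.SecurityDefender) -> Quarantined and deleted successfully.
c:\documents and settings\siwikmuller\application data\security defender\{ba05cf18-ba27-4a9a-2a86-489785baed27}.pst (Rogue.SecurityDefender) -> Quarantined and deleted successfully.
"""


@dataclass
class Detection:
    section: str
    item: str
    family: str
    action: str


@dataclass
class MbamReport:
    header: dict = field(default_factory=dict)      # "Scan type" -> "Quick scan", ...
    summary: dict = field(default_factory=dict)     # section name -> declared count
    detections: list = field(default_factory=list)  # Detection objects in log order


def parse_mbam_log(text):
    """Walk the log once: header lines, then the summary block, then the sections."""
    report, section = MbamReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.summary[m.group("name")] = int(m.group("count"))
            continue
        if line.endswith(":") and line[:-1] in SECTION_NAMES:
            section = line[:-1]
            continue
        if section is not None:
            m = DETECTION_RE.match(line)
            if m:  # "(No malicious items detected)" deliberately falls through
                report.detections.append(
                    Detection(section, m.group("item"), m.group("family"), m.group("action")))
            continue
        if ": " in line:
            key, value = line.split(": ", 1)
            report.header[key] = value
    return report


def check_counts(report):
    """Map each section to (declared count, items actually listed) so a truncated
    paste or an edited log shows up as a mismatch."""
    listed = {name: 0 for name in SECTION_NAMES}
    for d in report.detections:
        listed[d.section] += 1
    return {name: (report.summary.get(name, 0), listed[name]) for name in SECTION_NAMES}


def only_on_disk_hits(report):
    """True when every hit is a folder or file and nothing was found in memory or
    the registry: the data the rogue drops was cleaned, its loader was not seen."""
    on_disk = {"Folders Infected", "Files Infected"}
    return bool(report.detections) and all(d.section in on_disk for d in report.detections)


if __name__ == "__main__":
    r = parse_mbam_log(SAMPLE_LOG)
    for name, (declared, listed) in check_counts(r).items():
        print(f"{name}: declared={declared} listed={listed}")
    print("loader not identified by this scan:", only_on_disk_hits(r))
```

Run it on any saved mbam-log-*.txt by reading the file into parse_mbam_log instead of SAMPLE_LOG; the count cross-check is what catches a log that was pasted incompletely into a forum reply.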

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

MrC


I think that did the trick.

ComboFix 11-12-10.01 - SiwikMuller 12/10/2011 19:13:53.10.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.432 [GMT -5:00]

Running from: c:\documents and settings\SiwikMuller\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\WINDOWS

c:\documents and settings\All Users\Application Data\5F7EDECA-4874-A13B-BBD7-F75F2C407067.avi

c:\documents and settings\All Users\Application Data\5F7EDECA-4874-A13B-BBD7-F75F2C407067.ico

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\Default User\WINDOWS

c:\documents and settings\SiwikMuller\Application Data\5F7EDECA-4874-A13B-BBD7-F75F2C407067.avi

c:\documents and settings\SiwikMuller\g2mdlhlpx.exe

c:\documents and settings\SiwikMuller\Local Settings\Application Data\5F7EDECA-4874-A13B-BBD7-F75F2C407067.avi

c:\documents and settings\SiwikMuller\My Documents\~WRL0854.tmp

c:\documents and settings\SiwikMuller\WINDOWS

c:\windows\help\wmplayer.bak

c:\windows\iun6002.exe

c:\windows\system32\config\systemprofile\WINDOWS

.

.

((((((((((((((((((((((((( Files Created from 2011-11-11 to 2011-12-11 )))))))))))))))))))))))))))))))

.

.

2011-12-10 23:19 . 2011-12-10 23:19 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{A034A5A2-B36C-4721-8517-6404F6C6CE7E}\offreg.dll

2011-12-10 22:21 . 2011-12-10 22:21 -------- d-----w- C:\_OTL

2011-12-09 21:12 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{A034A5A2-B36C-4721-8517-6404F6C6CE7E}\mpengine.dll

2011-12-09 06:26 . 2011-12-10 22:21 -------- d-----w- c:\documents and settings\SiwikMuller\Local Settings\Application Data\App

2011-12-09 06:26 . 2011-12-09 06:26 132096 --sha-w- c:\windows\system32\5F7EDECA-4874-A13B-BBD7-F75F2C407067.avi

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-21 10:47 . 2006-05-01 03:42 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll

2011-11-11 21:53 . 2011-05-16 22:07 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-06 15:49 . 2011-11-06 15:49 4550 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2011-10-10 14:22 . 2004-09-06 13:48 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-10-03 09:06 . 2010-05-15 21:14 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-10-03 06:37 . 2009-09-13 23:24 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-09-28 07:06 . 2004-09-06 13:48 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41 . 2002-08-29 10:00 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41 . 2002-08-29 10:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-03-07 23:57 . 2011-03-07 23:57 289592 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll

2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2011-12-05 17:34 . 2011-07-01 22:55 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]

"vptray"="c:\program files\NavNT\vptray.exe" [2000-10-09 53248]

"Disk Monitor"="c:\program files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe" [2003-10-28 438784]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-17 198160]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-07 165208]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

.

c:\documents and settings\SiwikMuller\Start Menu\Programs\Startup\

5F7EDECA-4874-A13B-BBD7-F75F2C407067.lnk - c:\windows\SYSTEM32\rundll32.exe [2004-9-6 33280]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

5F7EDECA-4874-A13B-BBD7-F75F2C407067.lnk - c:\windows\SYSTEM32\rundll32.exe [2004-9-6 33280]

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2009-1-24 49254]

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-29 113664]

Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-2-4 1528880]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPager.exe"= c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe

"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\Yserver.exe"= c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R1 ATMhelpr;ATMhelpr;c:\windows\SYSTEM32\DRIVERS\ATMHELPR.SYS [7/9/2003 7:07 PM 4064]

R2 iPodDrv;iPodDrv;c:\windows\SYSTEM32\DRIVERS\iPodDrv.sys [8/4/2010 4:41 PM 6656]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [9/6/2004 8:46 AM 14336]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-14 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 17:34]

.

2011-12-10 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

.

2009-09-12 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy2\SpybotSD.exe [2009-01-22 20:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Settings,ProxyOverride = hxxp://localhost;*.local

TCP: DhcpNameServer = 192.168.1.1 192.168.1.1

FF - ProfilePath - c:\documents and settings\SiwikMuller\Application Data\Mozilla\Firefox\Profiles\7ipgivmu.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?hl=en

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-Lexar Media USB Card Reader Driver - c:\windows\iun6002.exe

AddRemove-v2.1g - c:\windows\iun6002.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-10 19:22

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(996)

c:\windows\System32\NavLogon.dll

.

Completion time: 2011-12-10 19:26:20

ComboFix-quarantined-files.txt 2011-12-11 00:26

.

Pre-Run: 10,179,305,472 bytes free

Post-Run: 10,521,886,720 bytes free

.

- - End Of File - - 7DEE90F436C59DFD82ACE8017C8CD03D

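Added example, not from the thread and not part of ComboFix: a Python triage pass over the persistence-relevant sections of the ComboFix log above. The sample is an excerpt of that log (the "Files Created" lines, two Run keys and the two Startup folders), embedded so it runs offline. It flags what kept Security Defender coming back after each MBAM clean: a GUID-named .lnk in both Startup folders that launches rundll32.exe, and a hidden+system file in system32 carrying the same GUID under a media extension. The DLL argument the .lnk hands to rundll32.exe is not shown in the log, so the script reports the shortcut for manual inspection rather than assuming which file it loads; correlating the Startup entry with the .avi by GUID is this script's heuristic, not something ComboFix reports.

```python
"""Triage the autostart sections of a ComboFix log for rogue-AV style persistence.

Added example; not from the thread and not ComboFix's own code. Line layouts are
taken from the log posted above: "Files Created" rows, Run-key values and
Startup-folder .lnk rows.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: an excerpt of the ComboFix log from the thread.
SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((( Files Created from 2011-11-11 to 2011-12-11 )))))))))))))))))))))))))))))))
2011-12-10 22:21 . 2011-12-10 22:21 -------- d-----w- C:\_OTL
2011-12-09 06:26 . 2011-12-10 22:21 -------- d-----w- c:\documents and settings\SiwikMuller\Local Settings\Application Data\App
2011-12-09 06:26 . 2011-12-09 06:26 132096 --sha-w- c:\windows\system32\5F7EDECA-4874-A13B-BBD7-F75F2C407067.avi
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\program files\NavNT\vptray.exe" [2000-10-09 53248]
c:\documents and settings\SiwikMuller\Start Menu\Programs\Startup\
5F7EDECA-4874-A13B-BBD7-F75F2C407067.lnk - c:\windows\SYSTEM32\rundll32.exe [2004-9-6 33280]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
5F7EDECA-4874-A13B-BBD7-F75F2C407067.lnk - c:\windows\SYSTEM32\rundll32.exe [2004-9-6 33280]
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2009-1-24 49254]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-2-4 1528880]
"""

# "<created> . <modified> <size|--------> <attrs> <path>"; attrs letters: d r s h a c w e
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) (\d+|-+) ([a-z-]+) (.+)$")
RUN_KEY_RE = re.compile(r"^\[(HK[^\]]+\\Run)\]$")
RUN_VAL_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[([\d-]+) (\d+)\]$')
STARTUP_DIR_RE = re.compile(r"^(.+\\Startup)\\?$", re.IGNORECASE)
LNK_RE = re.compile(r"^(.+?\.lnk) - (.+?) \[([\d-]+) (\d+)\]$", re.IGNORECASE)
GUID_RE = re.compile(r"[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}", re.IGNORECASE)


@dataclass(frozen=True)
class Autostart:
    location: str  # registry key or Startup folder the entry lives in
    name: str      # value name or .lnk file name
    target: str    # executable the entry launches


@dataclass(frozen=True)
class CreatedFile:
    path: str
    size: int
    attrs: str


def parse_combofix(text):
    """Collect autostart entries (with their containing key/folder) and created files."""
    autostarts, files, location = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            size = int(m.group(3)) if m.group(3).isdigit() else 0
            files.append(CreatedFile(m.group(5), size, m.group(4)))
            continue
        m = RUN_KEY_RE.match(line) or STARTUP_DIR_RE.match(line)
        if m:
            location = m.group(1)
            continue
        m = RUN_VAL_RE.match(line) or LNK_RE.match(line)
        if m and location:
            autostarts.append(Autostart(location, m.group(1), m.group(2)))
    return autostarts, files


def triage(text):
    """Return (kind, detail...) findings; the GUID correlation is a heuristic."""
    autostarts, files = parse_combofix(text)
    findings, guid_sightings = [], defaultdict(set)
    for a in autostarts:
        # A Startup/Run entry whose target is rundll32.exe runs some DLL the
        # log does not name: inspect the shortcut's arguments by hand.
        if a.target.lower().endswith("\\rundll32.exe"):
            findings.append(("rundll32-autostart", a.location, a.name))
        for g in GUID_RE.findall(a.name):
            guid_sightings[g.upper()].add(a.location)
    for f in files:
        # hidden + system attributes on a non-executable extension in a new file
        if "s" in f.attrs and "h" in f.attrs and not f.path.lower().endswith((".exe", ".dll", ".sys")):
            findings.append(("hidden-system-file-nonexec-ext", f.path, f.size))
        for g in GUID_RE.findall(f.path):
            guid_sightings[g.upper()].add(f.path)
    for g, where in guid_sightings.items():
        if len(where) > 1:  # same GUID names an autostart and a dropped file
            findings.append(("guid-shared-across-autostart-and-file", g, len(where)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_COMBOFIX):
        print(*finding, sep=" | ")
```

On this excerpt the output is the two Startup .lnk entries, the 132096-byte --sha-w- .avi in system32, and the GUID seen in three places; the legitimate Run values and the Adobe/Cisco shortcuts produce nothing. Feed it a full ComboFix.txt to get the same triage over every Run key and Startup folder the log lists.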

Good :)

Just manually delete these:

c:\documents and settings\SiwikMuller\Start Menu\Programs\Startup\

5F7EDECA-4874-A13B-BBD7-F75F2C407067.lnk

c:\documents and settings\All Users\Start Menu\Programs\Startup\

5F7EDECA-4874-A13B-BBD7-F75F2C407067.lnk

------------------

Then Update and run a Quick scan with MBAM, post back the report and let me know how it is.

MrC


All clean!

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8352

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/11/2011 3:25:18 PM

mbam-log-2011-12-11 (15-25-18).txt

Scan type: Quick scan

Objects scanned: 189599

Time elapsed: 23 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Great :rolleyes:

Please Uninstall ComboFix:

Go to start > run and copy and paste the next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

-----------------

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any questions...please post back.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, Have a Great Holiday and New Year!, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.