keygen.exe Alert

[DeeMee]

Hello,

I received an alert from Superantispyware that there was a keygen.exe that needed to be deleted from my machine. This was received after I ran Malwarebytes. My mother has had this machine approximately two weeks. We bought is as an extra machine for others in the residence. The nonprofit that sold the computer to us assured us that the unit had been reformatted and loaded with a copy of WinXP Pro. I rather doubt that since I've found too many other things on the computer like copies of IObit etc. In any case your help in making sure that this unit is clean would be greatly appreciated

Here is a Malwarbytes scan and a DDS scan:

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.25.08

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

David :: DELL-64BFA9CE46 [administrator]

7/25/2012 6:01:54 PM

mbam-log-2012-07-25 (18-01-54).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 252629

Time elapsed: 12 minute(s), 51 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

================================================================================

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.5.0

Run by David at 18:20:12 on 2012-07-25

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.572 [GMT -5:00]

.

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: COMODO Firewall *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Java\jre7\bin\jqs.exe

C:\Program Files\Macrium\Reflect\ReflectService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\AVAST Software\Avast\avastUI.exe

C:\Program Files\COMODO\COMODO Internet Security\cfp.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

C:\Program Files\Opera\opera.exe

C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe

C:\WINDOWS\system32\wscntfy.exe

.

============== Pseudo HJT Report ===============

.

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h

mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1342722022734

DPF: {B479199A-1242-4E3C-AD81-7F0DF801B4AE} - hxxp://download.microsoft.com/download/C/9/C/C9C3D86D-84AC-4AF0-8584-842756A66467/MicrosoftDownloadManager.cab

TCP: Interfaces\{47873C58-5B33-4269-885E-095D8D281F5D} : NameServer = 208.67.222.222,208.67.220.220

Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxsrvc.dll

AppInit_DLLs: c:\windows\system32\guard32.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\david\application data\mozilla\firefox\profiles\2yhhxs5l.default\

FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll

FF - plugin: c:\windows\npMSDM.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_265.dll

FF - plugin: c:\windows\system32\npDeployJava1.dll

FF - plugin: c:\windows\system32\npptools.dll

.

============= SERVICES / DRIVERS ===============

.

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2012-6-12 16064]

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-6-12 721000]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-6-12 353688]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-6-30 494968]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2011-6-30 31704]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-6-12 21256]

R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-6-12 44808]

R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2011-6-30 1983232]

R2 ReflectService.exe;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2012-6-12 224960]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-7-19 136176]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-6-21 250056]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-7-19 136176]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-7-19 113120]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2012-07-25 18:55:18 -------- d-----w- c:\documents and settings\david\application data\SUPERAntiSpyware.com

2012-07-25 18:54:42 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-07-25 18:54:42 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2012-07-25 18:40:49 -------- d-----w- c:\documents and settings\david\application data\ElevatedDiagnostics

2012-07-19 22:03:24 -------- d-----w- c:\documents and settings\all users\application data\WEBREG

2012-07-19 21:59:12 278016 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpzpp5mu.dll

2012-07-19 21:59:12 117760 ----a-w- c:\windows\system32\hpzll5mu.dll

2012-07-19 21:47:40 -------- d-----w- c:\program files\Yahoo!

2012-07-19 21:43:54 -------- d-----w- c:\program files\common files\HP

2012-07-19 21:43:22 271704 ----a-w- c:\windows\system32\hpzids01.dll

2012-07-19 21:43:11 -------- d-----w- c:\program files\HP

2012-07-19 21:26:36 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2012-07-19 21:26:36 21504 ----a-w- c:\windows\system32\hidserv.dll

2012-07-19 21:23:32 21504 ----a-w- c:\windows\system32\SET7.tmp

2012-07-19 21:23:26 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2012-07-19 21:23:10 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2012-07-19 21:23:10 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2012-07-19 21:23:02 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys

2012-07-19 21:23:02 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

2012-07-19 19:45:53 -------- d-----w- c:\program files\WOT

2012-07-19 15:51:30 1611 ----a-w- c:\windows\system32\drivers\etc\mvps.bat

.

==================== Find3M ====================

.

2012-07-19 01:59:38 143872 ----a-w- c:\windows\system32\javacpl.cpl

2012-07-12 17:54:03 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-12 17:54:03 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-07-03 18:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-03 16:21:53 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2012-07-03 16:21:32 41224 ----a-w- c:\windows\avastSS.scr

2012-06-21 08:12:27 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe

2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys

2012-06-12 16:19:20 12992 ----a-w- c:\windows\system32\drivers\PSVolAcc.sys

2012-06-12 16:19:08 16064 ----a-w- c:\windows\system32\drivers\pssnap.sys

2012-06-12 16:19:02 53952 ----a-w- c:\windows\system32\drivers\psmounter.sys

2012-06-05 15:50:25 1372672 ----a-w- c:\windows\system32\msxml6.dll

2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll

2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll

2012-06-02 20:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui

2012-06-02 20:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl

2012-06-02 20:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui

2012-06-02 20:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui

2012-06-02 20:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui

2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll

2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll

2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll

2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-05-11 11:38:02 385024 ------w- c:\windows\system32\html.iec

2012-05-05 00:29:22 772504 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-05-05 00:29:16 687504 ----a-w- c:\windows\system32\deployJava1.dll

2012-05-04 13:12:30 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-04 12:32:19 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

.

============= FINISH: 18:23:24.79 ===============

[Maniac]

Hello DeeMee! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

• If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  
• I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  
• Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  
• Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  
• Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

• Tick the box next to YES, I accept the Terms of Use
  
• Click Start
  
• When asked, allow the ActiveX control to install
  
• Click Start
  
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  
• Click Scan (This scan can take several hours, so please be patient)
  
• Once the scan is completed, you may close the window
  
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  
• Copy and paste that log as a reply to this topic
  

[DeeMee]

Here you go:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=cc160596c40aed4c8c5cd4898bf2a11a

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2012-07-26 01:32:19

# local_time=2012-07-26 08:32:19 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 2119597 2119597 0 0

# compatibility_mode=3073 16777213 80 71 2146087 18796316 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=37604

# found=0

# cleaned=0

# scan_time=2262

[Maniac]

Looks good.

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

Click the cog in the upper right

Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan

Allow AVP to delete all infections found

Once it has finished select report tab (last tab)

Select Detected threads report from the left and press Save button

Save it to your desktop and post it in your next reply.

[DeeMee]

There was no a Detected Threads report. Scan was clean.

Automatic Scan: completed 7 minutes ago (events: 156246, objects: 156851, time: 01:37:05)

7/26/2012 6:40:00 PM Task completed

Scan was 17 MB. I could not attach and upload. If you like I can cut and paste the whole thing.

[Maniac]

I don't need it in this case. How is your PC now?

[DeeMee]

It is working fine. I have run additional online scans and have not picked up anything. It does take a little time to load after logging in, approxiamately 4-5 minutes on completion, but once it loads it runs fine. I can use it before that--towards the back end--but it is more stable if I wait until it completes loading and before I click on say, IE. Unfortunately, I can't gage loading since I upgraded the RAM substantially and didn't find out about the Trojan until after upgrading.

However, XP loads lower than 7, therefore as long as you do not think that it is not a malware related issue then this will be fine.

[DeeMee]

There is a typo the last sentence should read: "However, XP loads slower than 7, therefore as long as you do not think that it is not a malware related issue then this will be fine.

[DeeMee]

Ok, lets try this again, because I do not wake up before 10:00 am.

There is a typo in the last sentence. It should have been written: "However, XP loads slower than 7, therefore as long as you do not think that it is a malware related issue, her unit is running great.

[Maniac]

I suggest you to try these instructions here:

http://forums.malwarebytes.org/index.php?showtopic=81990

[DeeMee]

Thanks, I will give it a try although I am aware of most of the tools listed by the link. Do you think that the unit is clean?

[Maniac]

Your system seems to be clean. About the tools, would never be offered anything here, if indeed it is not efficient.

[DeeMee]

Thanks a lot for your help. I learn a lot from working with you guys. I hope to donate something in the future and will certainly consider becoming a paying customer. However, most of the people that I work with are underprivileged therefore it is difficult to justify the cost. It is getting to the point that i may have to.or consider a Linux distro. I will make a decision before the fall on which path we will follow.

Best regards,

[Maniac]

Glad I could help!

Please uninstall ESET Online Scanner and manually delete Kaspersky AVP and DDS.

Some malware prevention tips:

http://forums.malwarebytes.org/index.php?showtopic=104379

Safe surfing!

[DeeMee]

Very Cool Link and well organized website. I will pass it along to any newbies that wants to know how to be safe on the web. Thanks a lot for all your help.

:)

[Maniac]

You're welcome!

[Maurice Naggar]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.