
MainConceptDV.dll/Trojan.FakeAlert.H



As requested.

MBAM log

Malwarebytes' Anti-Malware 1.40

Database version: 2561

Windows 5.1.2600 Service Pack 3

8/5/2009 8:21:41 AM

mbam-log-2009-08-05 (08-21-39).txt

Scan type: Quick Scan

Objects scanned: 110754

Time elapsed: 3 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{b83996bb-1e45-4b99-9a21-948da8d6427f} (Trojan.FakeAlert.H) -> No action taken. [52686679398083396676703477708385091810013986796885748079]

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mainconceptdv (Trojan.FakeAlert.H) -> No action taken. [52686679398083396676703477708385091810013986796885748079]

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\Common Files\MainConcept\MainConceptDV.dll (Trojan.FakeAlert.H) -> No action taken. [52686679398083396676703477708385091810013986796885748079]

Unfortunately the log where I actually clicked "remove selected" is nowhere to be found. The Log tab in MBAM only lists logs which are 2 months old. The files/reg entries now safely sit in quarantine, no problems there.

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:10:47 AM, on 8/5/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\gMote\gmote.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\Opera\opera.exe

C:\Program Files\Pidgin\pidgin.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Klient\Klient.exe

C:\Program Files\Altap Salamander 2.52\salamand.exe

C:\Program Files\AVG\AVG8\avgtray.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [gmote] C:\Program Files\gMote\gmote.exe

O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O8 - Extra context menu item: Add to WebSite-Watcher - C:\Documents and Settings\Administrator\Application Data\aignes\WebSite-Watcher\config\settings\wswie.htm

O9 - Extra button: (no name) - AutorunsDisabled - (no file)

O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll

O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll

O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll

O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{0A50FCA5-CFA1-420C-B042-04282E00404D}: NameServer = 192.168.1.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{0A50FCA5-CFA1-420C-B042-04282E00404D}: NameServer = 192.168.1.1

O17 - HKLM\System\CS2\Services\Tcpip\..\{0A50FCA5-CFA1-420C-B042-04282E00404D}: NameServer = 192.168.1.1

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\logishrd\Bluetooth\LBTServ.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--

End of file - 5614 bytes

Performed a system scan in AVG 8.5, no threats found.


  • Staff

Hi,

From what I understand, you already removed what MBAM found? Because your HijackThis log doesn't display the ShellServiceObjectDelayLoad subvalue anymore.

Anyway, I'm sure this was no false positive...

Also do the following to see whether there are other traces present...

Please download DDS and save it to your desktop.

  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.

---------------------------------------------------

Copy and paste the contents of DDS.txt in your next reply. Do not copy and paste the contents of Attach.txt, but attach it to your reply instead.


From what I understand, you already removed what MBAM found? Because your HijackThis log doesn't display the ShellServiceObjectDelayLoad subvalue anymore.

Anyway, I'm sure this was no false positive...

Yes.. :) I was googling things, trying to find out what this DLL was. Decided to remove it just to be sure, I was getting paranoid. :-) It was then that I read your advice about HijackThis etc.

I could unquarantine the 3 items and re-run Hijack This, if that would be helpful for you?

DDS.TXT

DDS (Ver_09-07-30.01) - NTFSx86

Run by Administrator at 12:13:34.34 on Wed 08/05/2009

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1256 [GMT 2:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\Sygate\SPF\smc.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\gMote\gmote.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\Opera\opera.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Klient\Klient.exe

C:\Program Files\Altap Salamander 2.52\salamand.exe

C:\Program Files\AVG\AVG8\avgtray.exe

C:\Program Files\Pidgin\pidgin.exe

D:\1\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

mWinlogon: SfcDisable=-99 (0xffffff9d)

BHO: IE7Pro BHO: {00011268-e188-40df-a514-835fcd78b1bf} - c:\program files\iepro\iepro.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File

uRun: [gmote] c:\program files\gmote\gmote.exe

mRun: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack

mRun: [P17Helper] Rundll32 P17.dll,P17Helper

mRun: [smcService] c:\progra~1\sygate\spf\smc.exe -startgui

mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logitech setpoint.lnk - c:\program files\logitech\setpoint\SetPoint.exe

uPolicies-explorer: NoResolveTrack = 1 (0x1)

uPolicies-explorer: SpecifyDefaulTTntButtons = 1 (0x1)

uPolicies-explorer: Btn_Back = 1 (0x1)

uPolicies-explorer: Btn_Forward = 1 (0x1)

uPolicies-explorer: Btn_Stop = 1 (0x1)

uPolicies-explorer: Btn_Refresh = 1 (0x1)

uPolicies-explorer: Btn_Home = 2 (0x2)

uPolicies-explorer: Btn_Search = 2 (0x2)

uPolicies-explorer: Btn_Favorites = 2 (0x2)

uPolicies-explorer: Btn_History = 1 (0x1)

uPolicies-explorer: Btn_Media = 2 (0x2)

uPolicies-explorer: Btn_Folders = 2 (0x2)

uPolicies-explorer: Btn_Fullscreen = 2 (0x2)

uPolicies-explorer: Btn_MailNews = 2 (0x2)

uPolicies-explorer: Btn_Size = 2 (0x2)

uPolicies-explorer: Btn_Print = 2 (0x2)

uPolicies-explorer: NoAutoUpdate = 1 (0x1)

uPolicies-explorer: NoEntireNetwork = 1 (0x1)

uPolicies-explorer: MaxRecentDocs = 0 (0x0)

uPolicies-explorer: NoActiveDesktopChanges = 00000000

uPolicies-explorer: NoThemesTab = 0 (0x0)

uPolicies-system: HideLogonScripts = 0 (0x0)

uPolicies-system: NoDispAppearancePage = 0 (0x0)

uPolicies-system: NoColorChoice = 0 (0x0)

uPolicies-system: NoSizeChoice = 0 (0x0)

uPolicies-system: NoVisualStyleChoice = 0 (0x0)

uPolicies-system: NoDispSettingsPage = 0 (0x0)

mPolicies-explorer: NoEncryptOnMove = 1 (0x1)

dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)

dPolicies-explorer: NoResolveTrack = 1 (0x1)

IE: Add to WebSite-Watcher - c:\documents and settings\administrator\application data\aignes\website-watcher\config\settings\wswie.htm

IE: {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - res://c:\program files\flash capture\fciext.dll/FCIEXT.htm

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\iepro\iepro.dll

IE: {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - {B119EB0C-C021-46CF-85B0-34A760E0D5FE} - c:\program files\iepro\iepro.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

TCP: {0A50FCA5-CFA1-420C-B042-04282E00404D} = 192.168.1.1

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\0d0hmj3h.default\

FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll

FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll

FF - plugin: c:\program files\opera\program\plugins\nprjplug.dll

FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll

FF - plugin: c:\program files\opera\program\plugins\NPSWF32_back.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2004-6-29 7680]

R0 ulsata2;ulsata2;c:\windows\system32\drivers\ulsata2.sys [2008-10-25 125952]

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2009-5-10 77312]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-5 335240]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-5 27784]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-5 108552]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-8-5 908056]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-5 297752]

S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-7-3 136704]

S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-7-3 8320]

S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2009-5-18 42512]

S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-5-11 79888]

S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\vboxnetflt.sys --> c:\windows\system32\drivers\VBoxNetFlt.sys [?]

S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2009-5-11 31952]

S4 6EyKti;6EyKti;c:\program files\cpuid\pc wizard 2009\data\pcwizntl.exe -s --> c:\program files\cpuid\pc wizard 2009\data\pcwizntl.exe -s [?]

S4 TzBaEr;TzBaEr;c:\program files\cpuid\pc wizard 2009\data\pcwizntl.exe -s --> c:\program files\cpuid\pc wizard 2009\data\pcwizntl.exe -s [?]

S4 vsdatant;vsdatant; [x]

============== File Associations ===============

txtfile="c:\program files\jgsoft\editpadpro6\EditPadPro.exe" "%1"

regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-08-05 10:02 <DIR> --d-h--- C:\$AVG8.VAULT$

2009-08-05 09:32 108,552 a------- c:\windows\system32\drivers\avgtdix.sys

2009-08-05 09:32 11,952 a------- c:\windows\system32\avgrsstx.dll

2009-08-05 09:32 335,240 a------- c:\windows\system32\drivers\avgldx86.sys

2009-08-05 09:31 <DIR> --d----- c:\windows\system32\drivers\Avg

2009-08-05 09:31 <DIR> --d----- c:\program files\AVG

2009-08-05 09:30 <DIR> --d----- c:\docume~1\admini~1\applic~1\AVG8

2009-08-05 09:06 <DIR> --d----- c:\program files\MSECache

2009-08-04 02:18 <DIR> --d----- c:\docume~1\admini~1\applic~1\aignes

2009-08-04 02:17 <DIR> --d----- c:\docume~1\admini~1\applic~1\Thinstall

2009-08-04 01:54 <DIR> --d----- c:\program files\IEPro

2009-08-04 01:54 <DIR> --d----- c:\docume~1\admini~1\applic~1\IEPro

2009-08-04 01:45 <DIR> --d----- c:\program files\common files\MainConcept

2009-08-03 07:23 <DIR> --d----- c:\docume~1\admini~1\applic~1\Ubisoft

2009-07-31 06:22 529 a------- c:\windows\eReg.dat

2009-07-28 19:50 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll

2009-07-28 19:50 2,452,872 -------- c:\windows\system32\dllcache\ieapfltr.dat

2009-07-28 19:50 991,232 -------- c:\windows\system32\dllcache\ieframe.dll.mui

2009-07-28 19:50 459,264 -------- c:\windows\system32\dllcache\msfeeds.dll

2009-07-28 19:50 380,928 -------- c:\windows\system32\dllcache\ieapfltr.dll

2009-07-28 19:50 268,288 -------- c:\windows\system32\dllcache\iertutil.dll

2009-07-28 19:50 63,488 -------- c:\windows\system32\dllcache\icardie.dll

2009-07-28 19:50 52,224 -------- c:\windows\system32\dllcache\msfeedsbs.dll

2009-07-28 19:50 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe

2009-07-28 19:44 <DIR> --d----- c:\program files\MSXML 4.0

2009-07-27 12:56 <DIR> --d----- c:\docume~1\admini~1\applic~1\NoNameScript

2009-07-26 21:47 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf

2009-07-26 21:47 301,656 a------- c:\windows\system32\BtCoreIf.dll

2009-07-26 21:47 170,512 a------- c:\windows\system32\kemutb.dll

2009-07-26 21:47 141,840 a------- c:\windows\system32\KemUtil.dll

2009-07-26 21:47 117,264 a------- c:\windows\system32\KemWnd.dll

2009-07-26 21:47 76,304 a------- c:\windows\system32\KemXML.dll

2009-07-26 14:49 <DIR> --d----- c:\program files\mIRC

2009-07-26 14:49 <DIR> --d----- c:\docume~1\admini~1\applic~1\mIRC

2009-07-26 07:33 <DIR> --d----- c:\program files\Trend Micro

2009-07-25 04:55 5,120 a------- c:\windows\system32\sleep.exe

2009-07-25 04:52 <DIR> --d----- c:\program files\Windows Resource Kits

2009-07-25 04:21 <DIR> --d----- c:\program files\GnuWin32

2009-07-19 04:37 45 a------- c:\windows\system32\initdebug.nfo

2009-07-19 04:37 <DIR> --d----- c:\program files\SpeedFan

2009-07-19 04:35 288 a------- c:\windows\silenceexplorer.INI

2009-07-19 04:34 288 a------- c:\windows\sfscsitest.INI

2009-07-19 04:14 306,688 a------- c:\windows\IsUninst.exe

2009-07-19 04:13 4,585 a------- c:\windows\Ascd_tmp.ini

2009-07-19 04:13 5,824 a------- c:\windows\system32\drivers\ASUSHWIO.SYS

2009-07-19 04:12 36,864 a------- c:\windows\system32\drivers\AmdK8.sys

2009-07-19 04:05 962,612 a------- c:\windows\system32\mfc42d.dll

2009-07-19 04:05 434,252 a------- c:\windows\system32\MSVCRTD.DLL

2009-07-19 04:05 24,576 a------- c:\windows\system32\AsIO.dll

2009-07-19 04:05 12,400 a------- c:\windows\system32\drivers\AsIO.sys

2009-07-19 04:05 <DIR> --d----- c:\program files\ASUS

2009-07-19 02:12 <DIR> --d----- c:\program files\CPUID

2009-07-19 01:59 25,992 a------- c:\windows\system32\pgdfgsvc.exe

2009-07-19 01:35 <DIR> --d----- c:\program files\PageDefrag

2009-07-19 01:32 <DIR> --d----- c:\program files\Kg

2009-07-19 01:28 <DIR> --d----- c:\program files\UPHClean

2009-07-19 01:21 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL

2009-07-19 00:44 <DIR> --d----- c:\docume~1\admini~1\applic~1\HandBrake

2009-07-18 10:11 <DIR> --d----- c:\documents and settings\all users\AdobeTemp

2009-07-18 07:59 <DIR> --d----- c:\program files\gMote

2009-07-18 05:37 <DIR> --d----- c:\docume~1\admini~1\applic~1\IrfanView

2009-07-13 03:30 <DIR> --d----- c:\docume~1\admini~1\applic~1\GrabPro

2009-07-13 03:16 <DIR> --d----- c:\windows\Ask & Record Toolbar

2009-07-13 03:16 <DIR> --d----- c:\program files\Ask & Record Toolbar

2009-07-13 03:12 39,424 a------- c:\windows\zipinst.exe

2009-07-13 03:12 <DIR> --d----- c:\program files\WebVideoCap

2009-07-13 03:01 85,504 a------- c:\windows\system32\ff_vfw.dll

2009-07-13 03:01 547 a------- c:\windows\system32\ff_vfw.dll.manifest

2009-07-13 02:52 <DIR> --d----- c:\program files\Jaksta

2009-07-13 01:51 <DIR> --d----- c:\windows\Replay Converter 3

2009-07-13 01:41 1,936,528 a------- c:\windows\system32\ltmm15.dll

2009-07-13 01:41 135,168 a------- c:\windows\system32\DSKernel2.dll

2009-07-13 01:39 737,280 a------- c:\windows\iun6002.exe

2009-07-13 01:36 <DIR> --d----- c:\docume~1\admini~1\applic~1\GetRightToGo

2009-07-13 01:33 <DIR> --d----- c:\program files\Replay AV 8

2009-07-13 01:06 <DIR> --d----- c:\program files\Flash Favorite

2009-07-12 23:43 <DIR> --d----- c:\program files\TeamViewer

2009-07-12 23:39 <DIR> --d----- c:\docume~1\admini~1\applic~1\TeamViewer

2009-07-12 23:39 <DIR> --d----- c:\documents and settings\administrator\temp

2009-07-11 04:05 73,728 a------- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys

2009-08-01 23:02 281,760 a------- c:\windows\system32\drivers\atksgt.sys

2009-08-01 23:02 25,888 a------- c:\windows\system32\drivers\lirsgt.sys

2009-07-19 19:03 3,597,824 -------- c:\windows\system32\dllcache\mshtml.dll

2009-07-19 01:21 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS

2009-07-19 01:21 361,600 a------- c:\windows\system32\dllcache\TCPIP.SYS

2009-07-11 04:05 410,984 a------- c:\windows\system32\deploytk.dll

2009-07-03 15:54 0 a---h--- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf

2009-07-03 15:54 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf

2009-06-29 13:07 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe

2009-06-29 10:35 634,632 -------- c:\windows\system32\dllcache\iexplore.exe

2009-06-29 10:33 161,792 -------- c:\windows\system32\dllcache\ieakui.dll

2009-06-16 16:36 119,808 a------- c:\windows\system32\t2embed.dll

2009-06-16 16:36 81,920 a------- c:\windows\system32\fontsub.dll

2009-06-16 16:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll

2009-06-16 16:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll

2009-06-05 13:53 22,328 a------- c:\docume~1\admini~1\applic~1\PnkBstrK.sys

2009-06-03 21:09 1,291,264 a------- c:\windows\system32\quartz.dll

2009-06-03 21:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll

2009-05-29 23:37 205,824 a------- c:\windows\system32\xvidvfw.dll

2009-05-29 23:31 881,664 a------- c:\windows\system32\xvidcore.dll

2009-05-18 06:27 240,240 a------- c:\windows\system32\wpcap.dll

2009-05-18 06:27 88,704 a------- c:\windows\system32\packet.dll

2009-05-18 00:15 3,370,768 a------- c:\windows\system32\VFP6R.DLL

2009-05-18 00:15 875,520 a------- c:\windows\system32\VFP6RENU.DLL

2009-05-18 00:15 57,344 a------- c:\windows\system32\vbame.dll

2009-05-18 00:15 24,990 a------- c:\windows\system32\VFP6RUN.EXE

2009-05-16 03:21 19,558 a------- c:\windows\hpoins01.dat

2009-05-11 12:47 1,302,600 a------- c:\windows\system32\WUDFUpdate_01007.dll

2009-05-10 18:21 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

2009-05-09 07:25 12,736 a---h--- c:\windows\system32\mlfcache.dat

2009-05-09 06:41 21,640 a------- c:\windows\system32\emptyregdb.dat

2009-05-07 17:32 345,600 a------- c:\windows\system32\localspl.dll

2009-05-07 17:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll

============= FINISH: 12:13:48.56 ===============

Attach.rar



  • Staff

No need to dequarantine the file - it's malware. This one creates a randomly named folder in the Common Files subfolder and drops a DLL in there with the same name. In your case it was C:\Program Files\Common Files\MainConcept\MainConcept.dll

So please delete the folder: C:\Program Files\Common Files\MainConcept

Let me know in your next reply how things are now.


No need to dequarantine the file - it's malware. This one creates a randomly named folder in the Common Files subfolder and drops a DLL in there with the same name. In your case it was C:\Program Files\Common Files\MainConcept\MainConcept.dll

So please delete the folder: C:\Program Files\Common Files\MainConcept

Let me know in your next reply how things are now.

Can you tell me anything about what it actually does? I noticed the file date on the file was from yesterday, does this mean this is probably when I got infected? Would like to know where I got this from.

I'll keep an eye out!


  • Staff

I can't tell either where you got it from, but it makes sense you got infected yesterday since the date of the folder is also from yesterday.

Also, it may be a good idea to change passwords since they may be known.

And...

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


When I right-click the DLL and choose "Scan with Malwarebytes" it does not find anything wrong with the file, is this normal behaviour? Is it the combo of registry values and DLL which alerts Malwarebytes to this Trojan's presence?

Your blog has some handy links, I'm going through them now - cheers!
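The two technical points in this thread are the staff description of the dropper (a folder under Common Files with a DLL of matching name, registered as a CLSID and loaded through the ShellServiceObjectDelayLoad value) and the question of why Malwarebytes reports the three items together. The following is an added example, not code from the thread or from Malwarebytes: it parses the detection lines from the MBAM log quoted above into records, ties the CLSID, the SSODL value name and the DLL path together, and applies the staff's folder/DLL naming heuristic to SSODL entries in the DDS "Pseudo HJT Report" syntax. The sample log text is constructed from the lines in the thread; the SSODL line for mainconceptdv is an assumption about what DDS would have shown before removal (the DDS log in the thread was taken afterwards), and matching the DLL name on the folder-name prefix rather than strict equality is a choice made here because the log shows MainConceptDV.dll inside the MainConcept folder.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: the three Trojan.FakeAlert.H lines from the MBAM
# log quoted in this thread, plus a harmless "(No malicious items detected)".
MBAM_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b83996bb-1e45-4b99-9a21-948da8d6427f} (Trojan.FakeAlert.H) -> No action taken. [52686679398083396676703477708385091810013986796885748079]
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mainconceptdv (Trojan.FakeAlert.H) -> No action taken. [52686679398083396676703477708385091810013986796885748079]
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\Common Files\MainConcept\MainConceptDV.dll (Trojan.FakeAlert.H) -> No action taken. [52686679398083396676703477708385091810013986796885748079]
"""

# One MBAM detection line: "<item> (<family>) -> <action>. [<id>]"
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[\w.]+)\) -> (?P<action>[^.\[]+)\."
    r"(?: \[(?P<id>\d+)\])?\s*$"
)
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)
# DDS "Pseudo HJT Report" syntax: "SSODL: <name> - {CLSID} - <dll path>"
SSODL_RE = re.compile(
    r"^SSODL: (?P<name>\S+) - (?P<clsid>\{[0-9a-f-]{36}\}) - (?P<dll>.+)$", re.I
)


def parse_detections(log_text):
    """Return one dict per detection line (item, family, action, id) plus the
    section it appeared under (Registry Keys / Registry Values / Files)."""
    section, found = None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):
            continue  # blank line or "(No malicious items detected)"
        if line.endswith(" Infected:"):
            section = line[: -len(" Infected:")]
            continue
        m = DETECTION_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["section"] = section
            found.append(rec)
    return found


def correlate(detections):
    """Tie the three record types together: the SSODL value name, the CLSID
    it points at, and the DLL file registered for that CLSID."""
    summary = {"family": None, "clsid": None, "ssodl_value": None, "dll": None}
    for d in detections:
        summary["family"] = d["family"]
        item = d["item"]
        if d["section"] == "Registry Keys":
            m = CLSID_RE.search(item)
            if m:
                summary["clsid"] = m.group(0).lower()
        elif d["section"] == "Registry Values" and "\\ShellServiceObjectDelayLoad\\" in item:
            summary["ssodl_value"] = item.rsplit("\\", 1)[1]
        elif d["section"] == "Files":
            summary["dll"] = item
    return summary


def looks_like_commonfiles_drop(dll_path):
    """Heuristic from the staff description: a .dll under Common Files\\<folder>\\
    whose file name begins with <folder>. Prefix matching is an assumption
    made here (the log shows MainConceptDV.dll inside the MainConcept folder)."""
    p = PureWindowsPath(dll_path)
    parts = [s.lower() for s in p.parts]
    if len(parts) < 4 or parts[-3] != "common files":
        return False
    return p.suffix.lower() == ".dll" and p.stem.lower().startswith(parts[-2])


# Constructed SSODL listing: the genuine WPDShServiceObj line from the thread's
# DDS log, plus an ASSUMED line for the mainconceptdv entry as it would have
# appeared before removal.
SSODL_LINES = """\
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\\windows\\system32\\WPDShServiceObj.dll
SSODL: mainconceptdv - {b83996bb-1e45-4b99-9a21-948da8d6427f} - c:\\program files\\common files\\mainconcept\\MainConceptDV.dll
"""


def flag_ssodl(lines, known_clsids=()):
    """Return the names of SSODL entries that match the Common Files drop
    pattern or point at a CLSID already named in an MBAM detection."""
    known = {c.lower() for c in known_clsids}
    flagged = []
    for line in lines.splitlines():
        m = SSODL_RE.match(line.strip())
        if m and (looks_like_commonfiles_drop(m["dll"]) or m["clsid"].lower() in known):
            flagged.append(m["name"])
    return flagged


if __name__ == "__main__":
    summary = correlate(parse_detections(MBAM_LOG))
    print(summary)
    print("suspicious SSODL entries:", flag_ssodl(SSODL_LINES, {summary["clsid"]}))
```

The point the correlation makes is the one the user asks about: the DLL on its own carries no signature, but the SSODL value, the CLSID key and the file under Common Files form one persistence chain, and it is that chain that the three detections describe. The WPDShServiceObj entry is a legitimate Windows SSODL handler and is not flagged by either rule.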


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
