Hello,

Have a client with Windows 7 on an Acer Aspire One D250.

She had gotten the rogue fake spyware tool called SecurityTool on her unit.

Obviously with it running I couldn't run anything to clean it as it blocked everything. I simply rebooted the PC and fired up task manager and killed the cryptic EXE before it could get control of the system. Then I was able to run Malwarebytes to clean it.

I have cleaned the system with Malwarebytes 1.46 and Database version 4052 and it appears everything is good to go.

HOWEVER... I am getting messages where it is blocking access to certain IP addresses. I have run a reverse DNS check on them and none of them provide any real results other than country of origin. One was Pakistan, one was China, and I think a couple of others.

What I need is some help to determine if there really is something still on the system or if this is normal update traffic from applications on the system. I very seriously doubt the Pakistan one is something valid.

I am following the instructions from this link:

http://forums.malwarebytes.org/index.php?showtopic=46849&hl=sound

I will post the results of the protection log, Quickscan Log, the DDS.txt, the Attach.txt, and the GMER results shortly.

Greg
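As an added example (not code from this thread and not Malwarebytes' own code), here is a Python script that triages IP-BLOCK entries like the ones described above. It parses protection-log lines (the tab-separated layout of time, user, event type and detail is assumed from MBAM 1.4x protection logs; the sample lines and the PTR names used in testing are constructed, with RFC 5737 documentation addresses), groups the blocks per address, runs the reverse-DNS check through an injectable resolver, and flags repeated outgoing blocks to addresses with no reverse record as the ones worth tracing back to a process.

```python
"""Triage Malwarebytes IP-BLOCK protection-log entries.

Added example for this thread (not Malwarebytes code). The log line layout
(tab-separated: time, user, event type, detail) is assumed from MBAM 1.4x
protection logs; the sample lines and resolver answers are constructed.
"""
import ipaddress
import re
import socket
from collections import Counter, defaultdict
from typing import Callable, List, Optional

# Constructed sample log. The addresses are RFC 5737 documentation ranges,
# not the real blocked hosts from the thread.
SAMPLE_LOG = """\
12:01:05\tNikki\tMESSAGE\tIP Protection started successfully
12:03:11\tNikki\tIP-BLOCK\t203.0.113.7 (Type: outgoing)
12:03:12\tNikki\tIP-BLOCK\t203.0.113.7 (Type: outgoing)
12:09:40\tNikki\tIP-BLOCK\t198.51.100.23 (Type: outgoing)
12:15:02\tNikki\tIP-BLOCK\t192.0.2.50 (Type: incoming)
12:15:03\tNikki\tIP-BLOCK\t203.0.113.7 (Type: outgoing)
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\t(?P<user>[^\t]*)\t(?P<kind>[^\t]+)\t(?P<detail>.*)$"
)
BLOCK_RE = re.compile(r"^(?P<ip>[0-9a-fA-F.:]+) \(Type: (?P<direction>incoming|outgoing)\)")


def parse_blocks(text: str) -> List[dict]:
    """Return one record per IP-BLOCK line; MESSAGE and malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group("kind") != "IP-BLOCK":
            continue
        b = BLOCK_RE.match(m.group("detail"))
        if not b:
            continue
        try:
            ip = ipaddress.ip_address(b.group("ip"))  # rejects garbage tokens
        except ValueError:
            continue
        events.append({"time": m.group("time"), "ip": str(ip),
                       "direction": b.group("direction")})
    return events


def reverse_dns(ip: str) -> Optional[str]:
    """Live PTR lookup; None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def summarize(events: List[dict],
              resolver: Callable[[str], Optional[str]] = reverse_dns) -> List[dict]:
    """Group blocks per address: hit count, directions, first/last time, PTR name."""
    hits = Counter(e["ip"] for e in events)
    dirs = defaultdict(set)
    first, last = {}, {}
    for e in events:
        dirs[e["ip"]].add(e["direction"])
        first.setdefault(e["ip"], e["time"])
        last[e["ip"]] = e["time"]
    rows = []
    for ip, n in hits.most_common():
        rows.append({"ip": ip, "hits": n, "directions": sorted(dirs[ip]),
                     "first": first[ip], "last": last[ip], "ptr": resolver(ip)})
    return rows


def needs_attention(row: dict) -> bool:
    """Repeated outgoing blocks to an address with no reverse record are the
    ones to trace back to a process (e.g. netstat -ano or Resource Monitor)."""
    return "outgoing" in row["directions"] and row["hits"] >= 2 and row["ptr"] is None


if __name__ == "__main__":
    for r in summarize(parse_blocks(SAMPLE_LOG)):
        flag = "INVESTIGATE" if needs_attention(r) else "low"
        print(f"{r['ip']:<16} hits={r['hits']} {','.join(r['directions']):<17} "
              f"{r['first']}..{r['last']} ptr={r['ptr']} [{flag}]")
```

The resolver is a parameter so the grouping logic can be exercised offline; with the default it performs live PTR lookups. As the post notes, a reverse-DNS answer (or the lack of one) does not by itself settle whether an address is benign; the useful next step is identifying which process owns the blocked connection.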


This customer has a paid version, with active protection, BUT did not have it when they got infected.

Below you will find the QuickScan done with 1.45 on 04/27/10, where some things were found:

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4043

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

4/27/2010 8:29:12 PM

mbam-log-2010-04-27 (20-29-12).txt

Scan type: Quick scan

Objects scanned: 105457

Time elapsed: 10 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 2

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\93407629 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\71962833 (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\ProgramData\93407629 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

C:\ProgramData\71962833 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:

C:\ProgramData\93407629\93407629.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.

C:\ProgramData\71962833\71962833.ini (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Users\Nikki\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\Users\Nikki\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

Here is the latest one done again with 1.46 today:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4057

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

5/1/2010 12:12:31 PM

mbam-log-2010-05-01 (12-12-31).txt

Scan type: Quick scan

Objects scanned: 114737

Time elapsed: 8 minute(s), 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Here is the DDS.txt file. It was done after the initial cleanings:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Nikki at 4:09:22.88 on Wed 04/28/2010

Internet Explorer: 8.0.7600.16385

Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1014.272 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe

C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe

C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe

C:\Program Files\Acer\Registration\GregHSRW.exe

C:\Program Files\Acer\Acer VCM\RS_Service.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Acer\Acer Updater\UpdaterService.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Auslogics\Auslogics Disk Defrag\DiskDefrag.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Launch Manager\LManager.exe

C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\igfxpers.exe

C:\Windows\system32\igfxext.exe

C:\Program Files\Acer\Acer VCM\AcerVCM.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\System32\svchost.exe -k secsvcs

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\system32\taskmgr.exe

C:\Windows\system32\svchost.exe -k defragsvc

C:\Windows\system32\taskhost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe

C:\Installs\dds.scr

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=27b512094145l0374ww45w47723089

mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=27b512094145l0374ww45w47723089

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=27b512094145l0374ww45w47723089

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

TB: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No File

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [LManager] c:\program files\launch manager\LManager.exe

mRun: [Acer ePower Management] c:\program files\acer\acer epower management\ePowerTray.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [Acer Assist Launcher] c:\program files\acer\acer assist\launcher.exe

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\acer\acer vcm\Skype4COM.dll

Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2009-12-11 74088]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]

R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2009-12-11 1078632]

R2 ePowerSvc;Acer ePower Service;c:\program files\acer\acer epower management\ePowerSvc.exe [2009-8-18 727584]

R2 Greg_Service;GRegService;c:\program files\acer\registration\GregHSRW.exe [2009-6-4 1150496]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-4-28 303952]

R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-8-18 253952]

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-4-27 1153368]

R2 Updater Service;Updater Service;c:\program files\acer\acer updater\UpdaterService.exe [2009-8-18 240160]

R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\drivers\L1C62x86.sys [2009-8-18 51712]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-4-28 20824]

S2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe" /mccoresvc --> c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [?]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-9-6 29472]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-8-18 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-8-18 40552]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-8-18 167424]

=============== Created Last 30 ================

2010-04-28 06:29:24 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-04-28 06:15:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-28 06:15:38 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-28 06:15:38 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-28 04:12:14 0 d--h--w- c:\windows\AxInstSV

2010-04-28 03:52:31 0 d-----w- c:\programdata\Office Genuine Advantage

2010-04-28 03:44:09 0 d-----w- c:\windows\system32\x64

2010-04-28 03:40:34 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys

2010-04-28 02:34:30 0 d-----w- c:\program files\CCleaner

2010-04-28 02:06:50 1037312 ----a-w- c:\windows\system32\lsasrv.dll

2010-04-28 02:06:48 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys

2010-04-28 01:56:12 0 d-----w- c:\users\nikki\appdata\roaming\Auslogics

2010-04-28 01:55:57 0 d-----w- c:\program files\Auslogics

2010-04-28 01:53:39 0 d-----w- c:\program files\Blue Coat K9 Web Protection

2010-04-28 00:04:49 0 d-----w- c:\programdata\Spybot - Search & Destroy

2010-04-28 00:04:49 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-04-28 00:02:24 0 d---a-w- c:\programdata\TEMP

2010-04-28 00:02:15 0 d-----w- c:\program files\SpywareBlaster

2010-04-28 00:01:34 0 d-----w- c:\users\nikki\appdata\roaming\Malwarebytes

2010-04-28 00:01:17 0 d-----w- c:\programdata\Malwarebytes

2010-04-27 23:43:32 0 d-----w- C:\Installs

2010-04-27 23:40:57 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys

2010-04-23 01:38:51 8212 ----a-w- c:\windows\mfebcdata

2010-04-14 02:11:13 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-04-14 02:11:12 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-04-14 02:11:11 427520 ----a-w- c:\windows\system32\vbscript.dll

2010-04-14 02:11:09 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys

2010-04-14 02:11:09 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2010-04-14 02:11:09 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-04-13 23:18:31 172032 ----a-w- c:\windows\system32\wintrust.dll

2010-04-13 23:18:29 132608 ----a-w- c:\windows\system32\cabview.dll

2010-04-09 03:03:34 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf

2010-04-02 14:33:19 193 ----a-w- c:\windows\WORDPAD.INI

2010-04-01 04:04:34 977920 ----a-w- c:\windows\system32\wininet.dll

==================== Find3M ====================

2010-04-28 04:35:18 53248 ----a-w- c:\windows\system32\CSVer.dll

2010-02-02 07:45:54 2048 ----a-w- c:\windows\system32\tzres.dll

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat

2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat

2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat

2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat

2010-01-12 23:12:10 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\cookies\index.dat

2010-01-12 23:12:10 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\history\history.ie5\index.dat

2010-01-12 23:12:10 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\temporary internet files\content.ie5\index.dat

2010-01-26 12:10:29 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 4:10:51.18 ===============

Here is the Attach.txt file:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows 7 Starter

Boot Device: \Device\HarddiskVolume2

Install Date: 12/25/2009 7:18:58 AM

System Uptime: 4/28/2010 2:10:41 AM (2 hours ago)

Motherboard: Acer | | Aspire one

Processor: Intel® Atom CPU N280 @ 1.66GHz | CPU | 1333/667mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 221 GiB total, 195.429 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}

Description: McAfee Inc. mfewfpk

Device ID: ROOT\LEGACY_MFEWFPK\0000

Manufacturer:

Name: McAfee Inc. mfewfpk

PNP Device ID: ROOT\LEGACY_MFEWFPK\0000

Service: mfewfpk

==== System Restore Points ===================

RP12: 2/3/2010 9:22:05 PM - Scheduled Checkpoint

RP14: 2/10/2010 1:22:29 PM - Windows Modules Installer

RP15: 2/10/2010 1:23:29 PM - Windows Modules Installer

RP16: 2/10/2010 1:24:20 PM - Windows Modules Installer

RP17: 2/18/2010 10:48:00 PM - Scheduled Checkpoint

RP18: 2/25/2010 6:45:15 AM - Windows Update

RP19: 3/5/2010 1:21:53 PM - Scheduled Checkpoint

RP20: 3/11/2010 7:10:31 AM - Windows Update

RP21: 3/18/2010 10:57:38 PM - Scheduled Checkpoint

RP23: 3/26/2010 10:13:28 PM - Windows Modules Installer

RP25: 4/1/2010 5:25:25 PM - Windows Modules Installer

RP26: 4/8/2010 9:27:15 PM - Scheduled Checkpoint

RP27: 4/14/2010 6:14:27 PM - Windows Update

RP28: 4/27/2010 7:57:54 PM - Installed WOT for Internet Explorer

RP29: 4/27/2010 10:37:50 PM - Removed WOT for Internet Explorer

RP30: 4/27/2010 10:53:12 PM - Removed MyWinLocker.

RP31: 4/27/2010 11:40:00 PM - Windows Update

RP32: 4/28/2010 2:28:57 AM - Windows Update

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 2 (SP2)

Acer Assist

Acer Crystal Eye webcam Ver:1.1.81.402

Acer ePower Management

Acer eRecovery Management

Acer Games

Acer Registration

Acer ScreenSaver

Acer Updater

Acer VCM

Acrobat.com

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Reader 9.1 MUI

Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver

Auslogics Disk Defrag

Blue Coat

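As an added example (not code from this thread and not Malwarebytes' own code), here is a Python parser for the quick-scan log format posted above. The sample text is taken from the two logs in the post; it checks that the summary counters agree with the listed items, tells a clean log from one with detections, and applies a heuristic written for this example (all-digit Run value names and all-digit folders directly under ProgramData, the pattern the first log shows) to tie the Run value, its folder and the payload inside it together by their shared number.

```python
"""Parse Malwarebytes 1.4x quick-scan logs and correlate rogue-style persistence.

Added example for this thread, not Malwarebytes code. The sample logs are
abridged from the two scans posted above; the all-digit-name heuristic is a
hypothetical check written for this example.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

FIRST_SCAN = r"""
Malwarebytes' Anti-Malware 1.45
Database version: 4043
Registry Keys Infected: 0
Registry Values Infected: 2
Folders Infected: 2
Files Infected: 4
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\93407629 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\71962833 (Rogue.Multiple) -> Quarantined and deleted successfully.
Folders Infected:
C:\ProgramData\93407629 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\71962833 (Rogue.Multiple) -> Quarantined and deleted successfully.
Files Infected:
C:\ProgramData\93407629\93407629.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\ProgramData\71962833\71962833.ini (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Users\Nikki\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Users\Nikki\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
"""

SECOND_SCAN = """
Malwarebytes' Anti-Malware 1.46
Database version: 4057
Registry Values Infected: 0
Folders Infected: 0
Files Infected: 0
Registry Values Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[A-Za-z0-9.]+)\) -> (?P<action>.+)$")
# Hypothetical heuristic: all-digit Run value name, or all-digit folder right under ProgramData.
DIGIT_RUN_RE = re.compile(r"\\CurrentVersion\\Run\\(\d+)$", re.IGNORECASE)
DIGIT_PDATA_RE = re.compile(r"^[A-Za-z]:\\ProgramData\\(\d+)(?:\\|$)", re.IGNORECASE)


def parse_scan(text: str) -> Dict[str, object]:
    """Split a log into its summary counters and the per-section detection lines."""
    summary: Dict[str, int] = {}
    detections: List[Dict[str, str]] = []
    section: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("section")] = int(m.group("count"))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = DETECTION_RE.match(line)
        if m and section:  # "(No malicious items detected)" never matches
            detections.append({"section": section, **m.groupdict()})
    return {"summary": summary, "detections": detections}


def counts_match(parsed: Dict[str, object]) -> bool:
    """The summary counters must agree with the items listed in each section."""
    per_section: Dict[str, int] = defaultdict(int)
    for d in parsed["detections"]:
        per_section[d["section"]] += 1
    return all(per_section[s] == n for s, n in parsed["summary"].items())


def is_clean(parsed: Dict[str, object]) -> bool:
    return not parsed["detections"] and all(n == 0 for n in parsed["summary"].values())


def digit_token(item: str) -> Optional[str]:
    """The numeric name shared by a rogue's Run value, folder and payload, if any."""
    for rx in (DIGIT_RUN_RE, DIGIT_PDATA_RE):
        m = rx.search(item)
        if m:
            return m.group(1)
    return None


def flag_rogue_persistence(detections: List[Dict[str, str]]) -> List[str]:
    return [d["item"] for d in detections if digit_token(d["item"])]


def correlate(detections: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Map each numeric token to the log sections it appeared in."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for d in detections:
        tok = digit_token(d["item"])
        if tok:
            out[tok].add(d["section"])
    return dict(out)


if __name__ == "__main__":
    for label, text in (("first scan", FIRST_SCAN), ("second scan", SECOND_SCAN)):
        p = parse_scan(text)
        print(f"{label}: clean={is_clean(p)} counts_match={counts_match(p)}")
        for tok, sections in correlate(p["detections"]).items():
            print(f"  {tok}: {sorted(sections)}")
```

A token that shows up as a Run value but has no matching folder or file in the same log (or the reverse) is the case worth a second look, since it means one half of the persistence pair was not listed; in the posted log every number appears in all three sections, and the second scan parses as clean.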