
Trojan.FakeAlert.H



Soooo my girlfriend's housemate's laptop is also infected with a form of virus.

I ran ComboFix some time ago (around two weeks ago), which seems to have deleted a whole bunch of stuff (log below), but the laptop still cannot access antivirus websites and her AV software (Kaspersky) will not install. MBAM detects an .exe file located in C:\Documents and Settings\LocalService\Local Settings\Application Data (which I cannot access) and a file in the registry; when MBAM attempts to remove them, the files remain even after a reboot.

Any help would be appreciated.

DDS Log:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Louise Dawson at 23:59:12 on 2011-11-03

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.579 [GMT 0:00]

.

AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

C:\WINDOWS\system32\svchost.exe -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\PROGRA~1\LAUNCH~1\LManager.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\WebCam\M3000\M3000Mnt.exe

C:\Documents and Settings\Louise Dawson\My Documents\tinySpell\tinyspell.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Acer\Acer VCM\AcerVCM.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\WINDOWS\system32\igfxext.exe

C:\Program Files\Acer\Acer VCM\RS_Service.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.inbox.com/homepage.aspx?tbid=80134&lng=en

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph01104905l0304wui5w57723169

uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe" //mailurl:mailto:elisa.platania@gmail.com

uURLSearchHooks: H - No File

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\localservice\local settings\application data\hercmkrf\pkjrwkxv.exe,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\ievkbd.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

uRun: [ProductReg] c:\program files\acer\wr_popup\ProductReg.exe

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [tinySpell] c:\documents and settings\louise dawson\my documents\tinyspell\tinyspell.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [PkjRwkxv] c:\documents and settings\localservice\local settings\application data\hercmkrf\pkjrwkxv.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [LManager] c:\progra~1\launch~1\LManager.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll

DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} -

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\acer\acer vcm\Skype4COM.dll

Notify: igfxcui - igfxdev.dll

Notify: klogon - c:\windows\system32\klogon.dll

AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\louise dawson\application data\mozilla\firefox\profiles\zjppoa5v.default\

FF - prefs.js: browser.search.selectedEngine - Inbox Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - prefs.js: keyword.URL - hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=sf&tbid=80134&language=en&qkw=

FF - component: c:\documents and settings\louise dawson\application data\mozilla\firefox\profiles\zjppoa5v.default\extensions\inboxcomtoolbar@inbox.com\components\plugins.dll

FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru_bak - c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru_bak

FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Inbox Toolbar: inboxcomtoolbar@inbox.com - %profile%\extensions\inboxcomtoolbar@inbox.com

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\kaspersky lab\kaspersky anti-virus 2011\ffext\linkfilter@kaspersky.ru

.

============= SERVICES / DRIVERS ===============

.

R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]

R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]

R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-10-8 475736]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-5-27 54760]

R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-7-31 237568]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-5-7 32856]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-8-1 38912]

R3 M3000Srv;WebCam Driver;c:\windows\system32\drivers\M3000KNT.sys [2009-8-18 145152]

R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\louise~1\locals~1\temp\wvkywhti.sys --> c:\docume~1\louise~1\locals~1\temp\wvkywhti.sys [?]

S2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe [2010-11-2 365336]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-7-31 1684736]

S3 cpuz132;cpuz132;\??\c:\docume~1\aspire\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\aspire\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

S3 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [2011-11-3 53248]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-7-31 162816]

S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]

S4 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-7-7 195336]

S4 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-6-15 249648]

S4 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]

S4 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-7-31 24064]

S4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

.

=============== Created Last 30 ================

.

2011-11-03 23:29:01 505342 ----a-r- c:\documents and settings\louise dawson\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-11-03 23:29:00 -------- d-----w- c:\program files\Trend Micro

2011-11-03 23:10:01 114148 ----a-w- c:\windows\system32\wscntfymgr.exe

2011-11-03 22:57:22 53248 ----a-w- c:\windows\system32\drivers\rk_remover.sys

2011-10-20 15:44:53 -------- d-----w- c:\documents and settings\louise dawson\local settings\application data\Identities

2011-10-08 22:06:12 114148 ----a-w- c:\windows\Explorermgr.exe

2011-10-08 22:04:31 114148 ----a-w- c:\windows\RTHDCPLmgr.exe

2011-10-08 22:01:34 150200 ------w- c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll

2011-10-08 21:30:36 -------- d-sha-r- C:\cmdcons

2011-10-08 21:28:08 98816 ----a-w- c:\windows\sed.exe

2011-10-08 21:28:08 518144 ----a-w- c:\windows\SWREG.exe

2011-10-08 21:28:08 256000 ----a-w- c:\windows\PEV.exe

2011-10-08 21:28:08 208896 ----a-w- c:\windows\MBR.exe

2011-10-08 20:45:47 97545 ----a-w- c:\windows\system32\drivers\klick.dat

2011-10-08 20:45:47 115465 ----a-w- c:\windows\system32\drivers\klin.dat

2011-10-08 20:43:23 -------- d-----w- c:\program files\Kaspersky Lab

2011-10-08 20:40:07 -------- d-----w- c:\documents and settings\all users\application data\Kaspersky Lab Setup Files

2011-10-07 21:29:51 114148 ----a-w- c:\windows\system32\igfxpersmgr.exe

2011-10-07 21:29:51 114148 ----a-w- c:\program files\messenger\msmsgsmgr.exe

2011-10-07 21:29:50 114148 ----a-w- c:\windows\system32\igfxtraymgr.exe

2011-10-07 21:29:50 114148 ----a-w- c:\windows\system32\hkcmdmgr.exe

2011-10-07 21:20:14 -------- d-----w- c:\windows\SxsCaPendDel

2011-10-07 20:57:16 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-07 20:52:12 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-10-07 20:52:12 -------- d-----w- c:\windows\system32\wbem\Repository

.

==================== Find3M ====================

.

2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll

.

============= FINISH: 0:00:41.98 ===============

ComboFix Log:

ComboFix 11-10-08.04 - Louise Dawson 08/10/2011 22:32:53.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.626 [GMT 1:00]

Running from: c:\documents and settings\Louise Dawson\Desktop\ComboFix.exe

AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\LocalService\Local Settings\Application Data\dbkkrcoi.log

c:\documents and settings\LocalService\Local Settings\Application Data\ftehebsl.log

c:\documents and settings\LocalService\Local Settings\Application Data\jitwgksj.log

c:\documents and settings\LocalService\Local Settings\Application Data\qlmjxmgu.log

c:\documents and settings\LocalService\Local Settings\Application Data\rcqwtjnr.log

c:\documents and settings\LocalService\Local Settings\Application Data\sygmrqni.log

c:\documents and settings\LocalService\Local Settings\Application Data\vuheafwm.log

c:\documents and settings\Louise Dawson\Local Settings\Application Data\dbkkrcoi.log

c:\documents and settings\Louise Dawson\Local Settings\Application Data\ftehebsl.log

c:\documents and settings\Louise Dawson\Local Settings\Application Data\jitwgksj.log

c:\documents and settings\Louise Dawson\Local Settings\Application Data\qlmjxmgu.log

c:\documents and settings\Louise Dawson\Local Settings\Application Data\rcqwtjnr.log

c:\documents and settings\Louise Dawson\Local Settings\Application Data\sygmrqni.log

c:\documents and settings\Louise Dawson\Local Settings\Application Data\vuheafwm.log

c:\documents and settings\Louise Dawson\My Documents\~WRD4004.tmp

c:\windows\system32\_000006_.tmp.dll

c:\windows\system32\_000007_.tmp.dll

c:\windows\system32\_000008_.tmp.dll

c:\windows\system32\_000009_.tmp.dll

c:\windows\system32\_000023_.tmp.dll

c:\windows\system32\_000024_.tmp.dll

c:\windows\system32\_000025_.tmp.dll

c:\windows\system32\_000026_.tmp.dll

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_MICORSOFT_WINDOWS_SERVICE

-------\Service_Micorsoft Windows Service

.

.

((((((((((((((((((((((((( Files Created from 2011-09-08 to 2011-10-08 )))))))))))))))))))))))))))))))

.

.

2011-10-08 20:45 . 2011-10-08 20:45 97545 ----a-w- c:\windows\system32\drivers\klick.dat

2011-10-08 20:45 . 2011-10-08 20:45 115465 ----a-w- c:\windows\system32\drivers\klin.dat

2011-10-08 20:43 . 2011-10-08 20:43 -------- d-----w- c:\program files\Kaspersky Lab

2011-10-08 20:40 . 2011-10-08 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2011-10-07 21:29 . 2011-10-08 21:21 114148 ----a-w- c:\windows\system32\igfxpersmgr.exe

2011-10-07 21:29 . 2011-10-08 21:21 114148 ----a-w- c:\program files\Messenger\msmsgsmgr.exe

2011-10-07 21:29 . 2011-10-08 21:21 114148 ----a-w- c:\windows\system32\igfxtraymgr.exe

2011-10-07 21:29 . 2011-10-08 21:21 114148 ----a-w- c:\windows\system32\hkcmdmgr.exe

2011-10-07 21:20 . 2011-10-07 21:31 -------- d-----w- c:\windows\SxsCaPendDel

2011-10-07 20:57 . 2011-10-07 20:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-07 20:54 . 2011-10-08 21:23 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\hercmkrf

2011-10-07 20:52 . 2011-10-07 20:52 -------- d-----w- c:\windows\system32\wbem\Repository

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-09 09:12 . 2009-08-01 03:16 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-07-22 20:51 . 2011-07-22 20:51 94208 ----a-w- c:\windows\system32\dpl100.dll

2011-07-15 13:29 . 2009-08-01 03:16 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ProductReg"="c:\program files\Acer\WR_PopUp\ProductReg.exe" [2009-04-15 254382]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]

"tinySpell"="c:\documents and settings\Louise Dawson\My Documents\tinySpell\tinyspell.exe" [2010-08-22 221184]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"M3000Mnt"="M3000Rmv.dll " [X]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-15 178712]

"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-12-30 875016]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]

"RTHDCPL"="RTHDCPL.EXE" [2009-02-24 17529856]

"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-01-25 172560]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-06 1430824]

"PCRx"="c:\program files\PCRx\PCRxTray.exe" [2011-09-26 422496]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2009-7-31 684524]

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\hercmkrf\pkjrwkxv.exe"

.

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]

@="Driver Group"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]

@="DiskDrive"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]

@="Hdc"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]

@="Keyboard"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]

@="Mouse"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]

@="System"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]

@="Volume"

.

[HKLM\~\startupfolder\C:^Documents and Settings^Aspire^Start Menu^Programs^Startup^Intel iPOS Netbook v1.lnk]

path=c:\documents and settings\Aspire\Start Menu\Programs\Startup\Intel iPOS Netbook v1.lnk

backup=c:\windows\pss\Intel iPOS Netbook v1.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

2009-07-31 20:32 24064 ------w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"McComponentHostService"=3 (0x3)

"gusvc"=3 (0x3)

"GoogleDesktopManager-080708-050100"=3 (0x3)

"BBUpdate"=2 (0x2)

"BBSvc"=3 (0x3)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Acer\\Acer VCM\\VC.exe"=

.

R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [09/06/2010 16:43 11352]

R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [31/07/2009 22:16 237568]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [07/05/2010 11:06 32856]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [02/11/2009 19:27 19472]

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [01/08/2009 04:16 38912]

R3 M3000Srv;WebCam Driver;c:\windows\system32\drivers\M3000KNT.sys [18/08/2009 12:42 145152]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [31/07/2009 21:30 1684736]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [31/07/2009 21:25 162816]

S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]

S4 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [07/07/2011 19:31 195336]

S4 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [15/06/2011 17:33 249648]

S4 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [31/07/2009 21:32 24064]

S4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MICORSOFT_WINDOWS_SERVICE

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.inbox.com/homepage.aspx?tbid=80134&lng=en

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph01104905l0304wui5w57723169

uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe" //mailurl:mailto:elisa.platania@gmail.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 212.9.118.1

FF - ProfilePath - c:\documents and settings\Louise Dawson\Application Data\Mozilla\Firefox\Profiles\zjppoa5v.default\

FF - prefs.js: browser.search.selectedEngine - Inbox Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - prefs.js: keyword.URL - hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=sf&tbid=80134&language=en&qkw=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru_bak - c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru_bak

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Inbox Toolbar: inboxcomtoolbar@inbox.com - %profile%\extensions\inboxcomtoolbar@inbox.com

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2011\FFExt\linkfilter@kaspersky.ru

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-PkjRwkxv - c:\documents and settings\LocalService\Local Settings\Application Data\hercmkrf\pkjrwkxv.exe

AddRemove-McAfee Security Scan - c:\program files\McAfee Security Scan\uninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-08 22:48

Windows 5.1.2600 Service Pack 3 NTFS

.

detected NTDLL code modification:

ZwQueryDirectoryFile

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\documents and settings\Louise Dawson\Start Menu\Programs\Startup\pkjrwkxv.exe 114148 bytes executable

C:\pkjrwkxv.exe 114148 bytes executable

.

scan completed successfully

hidden files: 2

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3360)

c:\windows\system32\WININET.dll

c:\documents and settings\Louise Dawson\My Documents\tinySpell\tskh1920.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\wdfmgr.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\WebCam\M3000\M3000Mnt.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\igfxext.exe

.

**************************************************************************

.

Completion time: 2011-10-08 22:54:19 - machine was rebooted

ComboFix-quarantined-files.txt 2011-10-08 21:54

.

Pre-Run: 21,198,393,344 bytes free

Post-Run: 22,653,923,328 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 200305A12F45F432C6E3F07680D2F54D

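The logs above show the classic signs a helper looks for when triaging a DDS or ComboFix report: a second executable appended to the Winlogon Userinit value, a Run-key entry launching from the LocalService profile, and an "R4 Micorsoft Windows Service" driver loaded from a Temp folder with a random-looking name. The following script is an added example written for this thread; it is not part of the thread, of DDS, or of ComboFix. It parses log lines in the formats DDS and ComboFix print (the line layouts and the vowel-count heuristic are my assumptions, not documented tool output) and returns the findings a reviewer would want surfaced. The sample lines are constructed from the entries in the posted logs.

```python
"""Triage DDS / ComboFix-style log lines for common persistence abuse (added example).

Checks, in order:
  1. Winlogon Userinit carrying more than the stock userinit.exe
  2. uRun/mRun/dRun entries launching from a service-account profile or Temp
  3. Services whose name is a letter-transposition of 'microsoft' or load from Temp
  4. Random-looking executable names (8+ letters, at most one vowel) among the hits
"""
import re

STOCK_USERINIT = r"c:\windows\system32\userinit.exe"

# Folders a legitimate autostart almost never launches from (lower-case, as DDS prints paths).
SUSPICIOUS_DIRS = (
    "\\localservice\\local settings\\application data",
    "\\networkservice\\local settings\\application data",
    "\\locals~1\\temp\\",
    "\\local settings\\temp\\",
)
VOWELS = set("aeiou")


def _norm(path):
    """Lower-case a path and drop surrounding quotes/whitespace."""
    return path.strip().strip('"').lower()


def _stem(path):
    """File name without extension of the first .exe/.sys/.dll in path, or ''."""
    m = re.search(r"([a-z0-9_~]+)\.(?:exe|sys|dll)", path)
    return m.group(1) if m else ""


def random_looking(stem):
    """Heuristic (assumption): 8+ letters with at most one vowel, e.g. 'pkjrwkxv'."""
    return len(stem) >= 8 and stem.isalpha() and sum(c in VOWELS for c in stem) <= 1


def check_userinit(line):
    """Return executables in a Userinit line other than the stock userinit.exe.

    Accepts both the DDS form  'mWinlogon: Userinit=a,b,'  and the ComboFix
    registry form  '"Userinit"="a,,b"'  (empty comma-separated slots are ignored).
    """
    m = re.match(r'^"?(?:mWinlogon:\s*)?Userinit"?=(.*)$', line, re.I)
    if not m:
        return []
    parts = [_norm(p) for p in m.group(1).split(",")]
    return [p for p in parts if p and p != STOCK_USERINIT]


def check_run_entry(line):
    """Return (entry name, target) for a Run-key line whose target is in a suspicious folder."""
    m = re.match(r"[umd]Run:\s*\[([^\]]+)\]\s*(.*)", line, re.I)
    if not m:
        return None
    target = _norm(m.group(2))
    if any(d in target for d in SUSPICIOUS_DIRS):
        return (m.group(1), target)
    return None


def check_service(line):
    """Return (service name, reasons, path) for an R?/S? service line worth a second look."""
    m = re.match(r"[RS]\d\s+([^;]+);([^;]*);(.*)", line)
    if not m:
        return None
    name, display, path = m.group(1), m.group(2), _norm(m.group(3))
    reasons = []
    for word in re.findall(r"[a-z]+", (name + " " + display).lower()):
        # same letters as 'microsoft' but not the word itself: a transposition lookalike
        if word != "microsoft" and sorted(word) == sorted("microsoft"):
            reasons.append("vendor lookalike '%s'" % word)
            break
    if any(d in path for d in SUSPICIOUS_DIRS):
        reasons.append("loads from profile/temp")
    return (name, reasons, path) if reasons else None


def triage(lines):
    """Run every check over the lines; returns a list of (category, detail) tuples."""
    findings, suspects = [], []
    for line in lines:
        for extra in check_userinit(line):
            findings.append(("userinit-extra", extra))
            suspects.append(extra)
        hit = check_run_entry(line)
        if hit:
            findings.append(("run-from-profile-or-temp", hit[1]))
            suspects.append(hit[1])
        svc = check_service(line)
        if svc:
            findings.append(("service: " + "; ".join(svc[1]), svc[2]))
            suspects.append(svc[2])
    for p in dict.fromkeys(suspects):  # keep order, drop duplicate paths
        if random_looking(_stem(p)):
            findings.append(("random-name", p))
    return findings


# Constructed sample: entries copied from the DDS and ComboFix logs in this thread.
SAMPLE_LINES = [
    r"mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\localservice\local settings\application data\hercmkrf\pkjrwkxv.exe,",
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r"uRun: [PkjRwkxv] c:\documents and settings\localservice\local settings\application data\hercmkrf\pkjrwkxv.exe",
    r"mRun: [igfxTray] c:\windows\system32\igfxtray.exe",
    r"R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\louise~1\locals~1\temp\wvkywhti.sys --> c:\docume~1\louise~1\locals~1\temp\wvkywhti.sys [?]",
    r"R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-5-7 32856]",
    r'"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\hercmkrf\pkjrwkxv.exe"',
]

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LINES):
        print("%-40s %s" % (category, detail))
```

Run against the sample it reports the Userinit hijack twice (once per log), the LocalService Run entry, the Temp-loaded "Micorsoft" service with both reasons, and two random-name hits (pkjrwkxv.exe and wvkywhti.sys). The vowel-count rule is only a prompt for a human to look closer; it would miss names built from dictionary words, so treat the folder and Userinit checks as the reliable ones.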

Hi and Welcome to the Malwarebytes' forum,

Please delete Combofix.exe from your desktop, because we are going to use a NEW version!

Then, run ComboFix by following the steps provided in exactly this sequence:

Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! BEFORE downloading Combofix, temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

Using ComboFix ->

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to iexplore.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it iexplore.exe.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers and programs.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • If Combofix asks to update, please allow it to do so. If it renames itself back to Combofix.exe - this is normal!!
  • If you are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform its normal malware removal capabilities. This is for your safety !!

1. To Launch Combofix

Click Start --> Run, and enter (copy/paste) this command exactly as shown:

"%userprofile%\desktop\iexplore.exe" /killall

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Please post C:\ComboFix.txt in your next reply.


2 weeks later...

Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
