
Fake Windows Security Center


This topic is locked
3 replies to this topic

#1 Chimmyt0s

Posted 20 May 2008 - 02:05 AM

A couple of weeks ago I misspelled a web address and it was done. The fake Windows Security Center started giving me lots of errors, like "***STOP: 0x01C0107B (0x0A140184, 0xFC3034)*** (...) Click balloon to fix problem".
It also tells me to install three "security essentials": UltimateFixer, SystemDefender and SysCleaner.
Every once in a while there is an error message that says something did something and the system will reboot in 60 seconds.
This is getting really annoying, because if I'm not by my computer at all times and can stop the shutdown (start -> run -> shutdown -a, which has been a great help), the system reboots and I have to start up all the stuff I was working on again.



Here is the main log from DSS (it didn't create the extra file..):

Deckard's System Scanner v20071014.68
Run by Torfinn on 2008-05-20 08:32:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 80% (more than 75%).
Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as Torfinn.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:32:15, on 20.05.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programfiler\NavNT\defwatch.exe
C:\Programfiler\FileZilla Server\FileZilla Server.exe
C:\Programfiler\Dell\OpenManage\Client\Iap.exe
C:\Programfiler\lotus\notes\ntmulti.exe
C:\Programfiler\NavNT\rtvscan.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Programfiler\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
C:\Programfiler\Evoluent\VMouse\EvoMouExec.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\Programfiler\lotus\notes\NLNOTES.EXE
C:\Programfiler\IBM\Client Access\Emulator\pcsws.exe
C:\Programfiler\IBM\Client Access\Emulator\pcsws.exe
C:\Programfiler\IBM\Client Access\Emulator\PCSCM.EXE
C:\Programfiler\IBM\Client Access\Emulator\pcsws.exe
C:\Programfiler\IBM\Client Access\Emulator\pcsws.exe
C:\Programfiler\lotus\notes\ntaskldr.EXE
C:\Documents and Settings\Torfinn\Skrivebord\dss.exe
C:\HIJACK~1\Torfinn.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 63.149.98.43:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programfiler\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Evoluent Mouse Manager.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5852F5ED-8BF4-11D4-A245-0080C6F74284} (isInstalled Class) - http://noeiv400:1045/exposer/jre/jre-1_5_0...dows-i586-p.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1183111602437
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E62082F-466D-4A85-8AD3-7190EA4759C8}: NameServer = 217.13.4.24,217.13.7.140
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programfiler\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: bncywshf - C:\WINDOWS\SYSTEM32\bncywshf.dll
O23 - Service: Microsoft DDE+ server (945774f2) - Unknown owner - C:\WINDOWS\system32\.945774f2\945774f2.exe (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Fjernkommando i iSeries Access for Windows (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Programfiler\NavNT\defwatch.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Programfiler\FileZilla Server\FileZilla Server.exe
O23 - Service: Iap - Dell Inc - C:\Programfiler\Dell\OpenManage\Client\Iap.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Programfiler\lotus\notes\ntmulti.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programfiler\NavNT\rtvscan.exe

--
End of file - 5966 bytes

-- Files created between 2008-04-20 and 2008-05-20 -----------------------------

2008-05-16 13:12:43 0 d-------- C:\Programfiler\Evoluent
2008-05-15 08:24:42 0 d-------- C:\HiJackThis
2008-05-14 12:38:55 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-09 16:22:43 1239375 --a------ C:\MGtools.exe
2008-05-09 16:17:33 0 d-------- C:\removal
2008-05-09 16:10:28 0 d-------- C:\Programfiler\CCleaner
2008-05-09 15:43:39 0 d-------- C:\Programfiler\Java
2008-05-09 15:43:22 0 d-------- C:\Programfiler\Fellesfiler\Java
2008-05-09 15:10:51 691545 --a------ C:\WINDOWS\unins000.exe
2008-05-09 15:10:51 2554 --a------ C:\WINDOWS\unins000.dat
2008-05-08 14:15:54 0 d-------- C:\WINDOWS\CSC
2008-05-08 14:11:44 318 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-07 08:30:55 68096 --a------ C:\WINDOWS\zip.exe
2008-05-07 08:30:55 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-07 08:30:55 98816 --a------ C:\WINDOWS\sed.exe
2008-05-07 08:30:55 80412 --a------ C:\WINDOWS\grep.exe
2008-05-07 08:30:55 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-07 08:30:54 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-07 08:30:53 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-07 08:30:53 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-06 15:11:16 0 d-------- C:\WINDOWS\pss
2008-05-06 13:15:40 0 d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-05-06 08:32:43 0 d--h----- C:\$AVG8.VAULT$
2008-05-06 08:26:48 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-06 08:26:35 0 d-------- C:\Programfiler\AVG
2008-05-06 08:12:19 249856 --a------ C:\WINDOWS\system32\bncywshf.dll
2008-05-06 08:11:57 0 d--h----- C:\WINDOWS\system32\.945774f2


-- Find3M Report ---------------------------------------------------------------

2008-05-13 08:24:36 0 d-------- C:\Documents and Settings\Torfinn\Programdata\AdobeUM
2008-05-09 15:43:22 0 d-------- C:\Programfiler\Fellesfiler
2008-05-09 15:13:24 0 d-------- C:\Programfiler\Fellesfiler\EPSON
2008-05-09 15:07:18 0 d-------- C:\Programfiler\EPSON
2008-05-06 13:17:45 0 d-------- C:\Programfiler\Lavasoft
2008-05-06 13:17:44 0 d-------- C:\Documents and Settings\Torfinn\Programdata\Lavasoft
2008-04-17 09:04:22 0 d-------- C:\Programfiler\Fellesfiler\Symantec Shared
2008-04-15 16:27:46 414030 --a------ C:\WINDOWS\system32\perfh014.dat
2008-04-15 16:27:46 73920 --a------ C:\WINDOWS\system32\perfc014.dat
2008-04-02 13:09:22 0 d-------- C:\Documents and Settings\Torfinn\Programdata\Adobe
2008-04-02 10:02:46 34 --a------ C:\WINDOWS\system32\bd9440cn.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06.05.2008 08:26]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_06\bin\jusched.exe" [25.03.2008 04:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04.08.2004 13:00]
"SpybotSD TeaTimer"="C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe" [28.01.2008 11:43]
"updateMgr"="C:\Programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [30.03.2006 17:45]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Evoluent Mouse Manager.lnk - C:\WINDOWS\Installer\{0ACB2052-D925-42C0-8165-DBE9BC6946EB}\_CE8DBDC260A61ED6C07BC4.exe [16.05.2008 13:13:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bncywshf]
bncywshf.dll 06.05.2008 08:12 249856 C:\WINDOWS\system32\bncywshf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\945774f2]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^EPSON Status Monitor 3 Environment Check(2).lnk]
path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\EPSON Status Monitor 3 Environment Check(2).lnk
backup=C:\WINDOWS\pss\EPSON Status Monitor 3 Environment Check(2).lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Check Version]
"C:\Programfiler\IBM\Client Access\cwbckver.exe" LOGIN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Express Welcome]
"C:\Programfiler\IBM\Client Access\cwbwlwiz.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Help Update]
"C:\Programfiler\IBM\Client Access\cwbinhlp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Service]
"C:\Programfiler\IBM\Client Access\cwbsvstr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
"C:\Programfiler\FileZilla Server\FileZilla Server Interface.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\Programfiler\NavNT\vptray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinVNC4"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"EpsonBidirectionalService"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-05-20 08:32:33 ------------


I also did an online scan last week:


KASPERSKY ONLINE SCANNER REPORT
Thursday, May 15, 2008 11:10:12 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/05/2008
Kaspersky Anti-Virus database records: 774312


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 51273
Number of viruses found 2
Number of infected objects 8
Number of suspicious objects 0
Duration of the scan process 01:18:34

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Administrator\Skrivebord\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\All Users\Programdata\avg8\Log\avgcore.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\avg8\Log\avglng.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\avg8\Log\avgrs.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\avg8\Log\avgsrm.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\avg8\Log\avgwd.log Object is locked skipped
C:\Documents and Settings\All Users\Programdata\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Programdata\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Programdata\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped
C:\Documents and Settings\All Users\Programdata\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Logg\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Torfinn\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Torfinn\Lokale innstillinger\Logg\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Torfinn\Lokale innstillinger\Logg\History.IE5\MSHist012008051520080516\index.dat Object is locked skipped
C:\Documents and Settings\Torfinn\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Torfinn\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Torfinn\Lokale innstillinger\Temp\~DF558B.tmp Object is locked skipped
C:\Documents and Settings\Torfinn\Lokale innstillinger\Temporary Internet Files\Content.IE5\FLYTIYWP\bind[1].htm Object is locked skipped
C:\Documents and Settings\Torfinn\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Torfinn\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Torfinn\ntuser.dat.LOG Object is locked skipped
C:\Programfiler\lotus\notes\data\bookmark.nsf Object is locked skipped
C:\Programfiler\lotus\notes\data\Cache.NDK Object is locked skipped
C:\Programfiler\lotus\notes\data\desktop6.ndk Object is locked skipped
C:\Programfiler\lotus\notes\data\headline.nsf Object is locked skipped
C:\Programfiler\lotus\notes\data\IBM_TECHNICAL_SUPPORT\console.log Object is locked skipped
C:\Programfiler\lotus\notes\data\IBM_TECHNICAL_SUPPORT\SmartUpgrade\SmartUpgrade.log Object is locked skipped
C:\Programfiler\lotus\notes\data\log.nsf Object is locked skipped
C:\Programfiler\lotus\notes\data\names.nsf Object is locked skipped
C:\Programfiler\lotus\notes\data\~notes.lck Object is locked skipped
C:\Programfiler\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Programfiler\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Programfiler\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Programfiler\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{FB5638F6-5931-4F4A-9D57-CF83E64AEF9F}\RP550\A0018946.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{FB5638F6-5931-4F4A-9D57-CF83E64AEF9F}\RP550\A0018946.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{FB5638F6-5931-4F4A-9D57-CF83E64AEF9F}\RP550\A0018954.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{FB5638F6-5931-4F4A-9D57-CF83E64AEF9F}\RP563\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Logg\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\winedi\sys\ckll4703.dbf Object is locked skipped
C:\winedi\sys\ckll4703.DBT Object is locked skipped
C:\winedi\sys\DREV.DBF Object is locked skipped
C:\winedi\sys\EAN_NUM.DBF Object is locked skipped
C:\winedi\sys\GEO_KOM.DBF Object is locked skipped
C:\winedi\sys\GEO_KOM.DBT Object is locked skipped
C:\winedi\sys\GEO_KOM.MDX Object is locked skipped
C:\winedi\sys\HARDWARE.DBF Object is locked skipped
C:\winedi\sys\klient1\KOLLI.DBF Object is locked skipped
C:\winedi\sys\klient1\KOLLI.DBT Object is locked skipped
C:\winedi\sys\klient1\KOLLI.MDX Object is locked skipped
C:\winedi\sys\klient1\MOTTAKER.DBF Object is locked skipped
C:\winedi\sys\klient1\MOTTAKER.DBT Object is locked skipped
C:\winedi\sys\klient1\MOTTAKER.MDX Object is locked skipped
C:\winedi\sys\klient1\ORDREHO.DBF Object is locked skipped
C:\winedi\sys\klient1\ORDREHO.MDX Object is locked skipped
C:\winedi\sys\klient1\PAKBAS.DBF Object is locked skipped
C:\winedi\sys\klient1\pakbas.MDX Object is locked skipped
C:\winedi\sys\klient1\transpor.DBF Object is locked skipped
C:\winedi\sys\landkode.dbf Object is locked skipped
C:\winedi\sys\landkode.MDX Object is locked skipped
C:\winedi\sys\PNUMSER.DBF Object is locked skipped
C:\winedi\sys\PT_STAM.DBF Object is locked skipped

Scan process completed.



Thanks!

#2 Chimmyt0s (Topic Starter)

Posted 21 May 2008 - 07:45 AM

Looks like I might have found a way to remove the problem.

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

I fixed these four lines using HijackThis, and there was a forced reboot.
When the system started up again, the fake Windows Security Center was gone.

So by the looks of it, the problem is solved.
At least for now...

#3 steamwiz

Posted 21 May 2008 - 05:27 PM

Hi

Well that's a surprise because this is the main problem :-

O20 - Winlogon Notify: bncywshf - C:\WINDOWS\SYSTEM32\bncywshf.dll
O23 - Service: Microsoft DDE+ server (945774f2) - Unknown owner - C:\WINDOWS\system32\.945774f2\945774f2.exe (file missing)

+ you have other malware

If you still want help ... start with this :-

1. Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

2. Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

3. Reboot into Safe Mode :-

Reboot into safe mode

4. Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.

It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.

When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum.

& a new HijackThis log

steam

Edited by steamwiz, 21 May 2008 - 05:28 PM.

MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
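As an added example (not part of this thread, of HijackThis or of SDFix), the triage reasoning steamwiz applies above, turned into a small Python script run over the log lines the user posted: a Winlogon Notify package outside the XP default set with a random-looking name, a service with no identifiable owner whose binary is missing from a dot-prefixed directory, and an explicit proxy entry. The known-good Notify list and the "no vowels" heuristic are assumptions of this example; the sample lines are copied from the HijackThis log in post #1.

```python
import re
from typing import Dict, List

# Winlogon Notify packages present on a default Windows XP SP2 install.
# Assumption of this example (not from the thread): extend it with the
# vendor packages actually installed (graphics drivers, AV products, ...).
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+)$"
)
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (\S+)$")

# Sample input: five lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 63.149.98.43:80
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: bncywshf - C:\WINDOWS\SYSTEM32\bncywshf.dll
O23 - Service: Microsoft DDE+ server (945774f2) - Unknown owner - C:\WINDOWS\system32\.945774f2\945774f2.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""


def looks_random(name: str) -> bool:
    """Heuristic (assumption of this example): an alphabetic name of six or
    more letters with no vowel at all, like 'bncywshf', is unlike the
    descriptive names legitimate Notify packages carry."""
    letters = name.lower()
    if not letters.isalpha() or len(letters) < 6:
        return False
    return not any(ch in "aeiou" for ch in letters)


def triage_line(line: str) -> List[str]:
    """Return the reasons one HijackThis line deserves a closer look;
    an empty list means none of the rules below fired."""
    reasons: List[str] = []
    if m := NOTIFY_RE.match(line):
        name = m.group(1)
        if name.lower() not in KNOWN_NOTIFY:
            reasons.append("Winlogon Notify package outside the XP SP2 default set")
        if looks_random(name):
            reasons.append("random-looking Notify package name")
    elif m := SERVICE_RE.match(line):
        owner, path = m.group("owner"), m.group("path")
        if owner == "Unknown owner":
            reasons.append("service has no identifiable publisher")
        if "(file missing)" in path:
            reasons.append("service binary is not on disk")
        if re.search(r"\\\.[^\\]+\\", path):
            reasons.append("service binary sits in a dot-prefixed directory")
    elif m := PROXY_RE.match(line):
        proxy = m.group(1)
        reasons.append("explicit proxy configured: " + proxy)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}:\d+", proxy):
            reasons.append("proxy is a bare IP:port rather than a hostname")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Run triage_line over a whole log and keep only the lines that fired."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line and (reasons := triage_line(line)):
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["line"])
        for why in hit["reasons"]:
            print("   ->", why)
```

On the sample above it flags the proxy line, the bncywshf Notify entry and the 945774f2 service, and leaves the AppInit and AVG lines alone; a hit is a prompt to verify the file and its publisher, not a verdict.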

#4 steamwiz

Posted 26 June 2008 - 01:42 PM

Due to lack of feedback, this thread is now treated as resolved and duly closed.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam