
Had Antivirus Xp 2008...got Rid Of It But Now Getting Fake Windows Security Alerts

17 replies to this topic

#1 jsharp721
  • Members
  • 10 posts

Posted 26 August 2008 - 06:34 PM

I see I'm not the only one with this issue. I picked up the Antivirus XP 2008 deal on Sunday, managed to get rid of it (and other things) yesterday but now I have an even bigger problem stemming from the Fake Windows Security Popup that warns me about Trojan-Spy.HTML.Bankfraud.dq or something. I, of course, stupidly clicked the "Enable Protection" button on the popup and then everything went haywire.

At this point I can only function in safe mode. When I'm in normal mode things run slooooowwwww and I can't get Firefox or IE to open. I've run every removal tool I've come across, including MBAM and SDFix. I've tried everything I can think of but I'm at my wits' end. Here's my HijackThis log. And yes, I'm sure my machine is a mess...6 years old and until two days ago it ran beautifully. Please help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:13:04 PM, on 8/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MntWebStr] C:\WINDOWS\system32\kpubuxsn.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.onlinegis.net/download/MgViewer...AB/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112233706152
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O21 - SSODL: ApiSet - {153CFD87-88D4-1D1A-94FC-069E915AC2ED} - C:\Program Files\jwvrrnc\ApiSet.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6277 bytes
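A triage script for logs like the one above, added here as an example and not part of the original post or of HijackThis itself: it parses the O4, O21 and O23 lines, scores each entry on a few weak indicators (a random-looking file or folder name, a per-user Run key, a ShellServiceObjectDelayLoad DLL outside the Windows folder, a service with no publisher) and lists the entries that accumulate enough points. The sample lines are copied from the log above; the bigram list, the weights and the threshold are my own choices, so the output is a review list, not a verdict.

```python
import re

# Hand-picked common English bigrams. A name containing none of them reads as
# machine-generated (a weak, tunable heuristic; not a signature).
COMMON_BIGRAMS = {
    "th", "he", "in", "er", "an", "re", "on", "at", "en", "nd", "ti", "es",
    "or", "te", "of", "ed", "is", "it", "al", "ar", "st", "to", "nt", "ng",
    "se", "ha", "as", "ou", "io", "le", "ve", "co", "me", "de", "hi", "ri",
    "ro", "ic", "ne", "ea", "ra", "ce", "li", "ch", "ll", "be", "ma", "si",
    "om", "ur",
}
# Parent folders whose names carry no signal on their own.
KNOWN_DIRS = {"windows", "system32", "system", "program files", "bin"}
# First drive-letter path ending in .exe/.dll on the line (quotes excluded).
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll))', re.I)

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [MntWebStr] C:\WINDOWS\system32\kpubuxsn.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O21 - SSODL: ApiSet - {153CFD87-88D4-1D1A-94FC-069E915AC2ED} - C:\Program Files\jwvrrnc\ApiSet.dll
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


def looks_random(name: str) -> bool:
    """True when a file stem or folder name has no common English bigram."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if len(letters) < 4:
        return False
    bigrams = {letters[i:i + 2] for i in range(len(letters) - 1)}
    return not (bigrams & COMMON_BIGRAMS)


def score_entry(line: str):
    """Score one HijackThis line. Returns (score, path, reasons) for O4/O21/O23
    entries whose executable path can be resolved, otherwise None."""
    kind = line.split(" - ", 1)[0]
    if kind not in ("O4", "O21", "O23"):
        return None
    m = PATH_RE.search(line)
    if not m:
        return None
    path = m.group(1)
    parts = path.split("\\")
    stem = re.sub(r"\.[^.]+$", "", parts[-1])      # file name without extension
    parent = parts[-2] if len(parts) > 1 else ""
    score, reasons = 0, []
    if looks_random(stem):
        score += 1
        reasons.append("random-looking file name")
    if parent.lower() not in KNOWN_DIRS and looks_random(parent):
        score += 1
        reasons.append("random-looking parent folder")
    if line.startswith("O4 - HKCU"):
        score += 1
        reasons.append("per-user Run key")
    if kind == "O21" and "\\windows\\" not in path.lower():
        score += 2
        reasons.append("SSODL shell hook loaded from outside the Windows folder")
    if kind == "O23" and "Unknown owner" in line:
        score += 1
        reasons.append("service with no publisher")
    return score, path, reasons


def triage(log_text: str, threshold: int = 2):
    """Entries scoring at or above threshold, highest first: (score, path, reasons)."""
    scored = (score_entry(l.strip()) for l in log_text.splitlines())
    hits = [r for r in scored if r and r[0] >= threshold]
    return sorted(hits, key=lambda h: -h[0])


if __name__ == "__main__":
    for score, path, reasons in triage(SAMPLE_LOG):
        print(f"{score}  {path}\n      {'; '.join(reasons)}")
```

With the threshold at 2, the only entries that surface from the sample are the HKCU Run entry pointing at kpubuxsn.exe and the SSODL hook in Program Files\jwvrrnc, the same two a human helper would query; several legitimate Symantec and Intel components collect one point each from the name heuristic alone, which is why a single weak indicator is never enough on its own.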



#2 screen317
  • Malware Response Team
  • 236 posts
  • Location:Los Angeles

Posted 30 August 2008 - 07:40 PM

Hi,

We'll begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

Edited by screen317, 30 August 2008 - 07:40 PM.


#3 jsharp721
  • Topic Starter
  • Members
  • 10 posts

Posted 01 September 2008 - 05:07 PM

Screen, thanks for the help. Here's the new HijackThis log and the ComboFix log is attached. Note that I ran ComboFix in Safe Mode, should that make a difference.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:02:54 PM, on 9/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MntWebStr] C:\WINDOWS\system32\kpubuxsn.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.onlinegis.net/download/MgViewer...AB/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112233706152
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O21 - SSODL: ApiSet - {153CFD87-88D4-1D1A-94FC-069E915AC2ED} - C:\Program Files\jwvrrnc\ApiSet.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6329 bytes


#4 screen317
  • Malware Response Team
  • 236 posts
  • Location:Los Angeles

Posted 02 September 2008 - 02:09 AM

Any particular reason why you are running these tools in Safe Mode? This is not safe, as your protection programs are not active in Safe Mode, leaving you vulnerable.


Please download this file and save it as it's originally named, next to ComboFix.exe.


[Screenshot]


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, it will ask you whether or not to continue with the malware scan. Select Yes, and post the resultant log.


-screen317

Edited by screen317, 02 September 2008 - 02:12 AM.


#5 jsharp721
  • Topic Starter
  • Members
  • 10 posts

Posted 02 September 2008 - 07:24 AM

I have to run it in safe mode because in normal mode it's running so slow with so many processes in the background that nothing works. Plus I can't get IE or Firefox to open. In safe mode (with networking) I don't have those problems. If that's the wrong approach I can try getting it to run in normal mode but I haven't had any luck with it to this point.

I'll follow the steps you suggest after work and post the log.

Thanks again for the help.

#6 screen317
  • Malware Response Team
  • 236 posts
  • Location:Los Angeles

Posted 02 September 2008 - 02:42 PM

Yes please try from Normal Mode; after we clear all of the malware, we will try to alleviate the slowness and make Normal Mode bearable. :thumbsup:

#7 jsharp721
  • Topic Starter
  • Members
  • 10 posts

Posted 02 September 2008 - 07:52 PM

Here's the log, from ComboFix run in normal mode...which, by the way, is running dramatically faster now. I had some trouble getting ComboFix to run at first, as Spyware Doctor kept blocking it. Once I fully disabled Spyware Doctor (which I thought I had done at first, but it was still there I guess), it seemed to run fine. Please let me know what else I need to do, and thanks for getting me to this point.

Attached Files

  • Attached File  log.txt   10.72KB   33 downloads


#8 screen317
  • Malware Response Team
  • 236 posts
  • Location:Los Angeles

Posted 04 September 2008 - 02:01 AM

Hi,

Please go to VirusTotal, and upload the following file for analysis:
C:\Program Files\jwvrrnc\ApiSet.dll


Post the results in your reply.

After that, please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Accept when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
Note: to optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

-screen317

#9 jsharp721
  • Topic Starter
  • Members
  • 10 posts

Posted 04 September 2008 - 06:17 PM

Here are the VirusTotal results... I think. I'll post the Kaspersky log when it finishes.

Antivirus Version Last Update Result
AhnLab-V3 2008.9.4.2 2008.09.04 -
AntiVir 7.8.1.28 2008.09.04 -
Authentium 5.1.0.4 2008.09.04 -
Avast 4.8.1195.0 2008.09.04 -
AVG 8.0.0.161 2008.09.04 -
BitDefender 7.2 2008.09.05 -
CAT-QuickHeal 9.50 2008.09.02 -
ClamAV 0.93.1 2008.09.04 -
DrWeb 4.44.0.09170 2008.09.04 -
eSafe 7.0.17.0 2008.09.03 -
eTrust-Vet 31.6.6069 2008.09.04 -
Ewido 4.0 2008.09.04 -
F-Prot 4.4.4.56 2008.09.04 -
F-Secure 8.0.14332.0 2008.09.04 -
Fortinet 3.14.0.0 2008.09.03 -
GData 19 2008.09.04 -
Ikarus T3.1.1.34.0 2008.09.04 -
K7AntiVirus 7.10.441 2008.09.04 -
Kaspersky 7.0.0.125 2008.09.05 -
McAfee 5377 2008.09.04 -
Microsoft 1.3903 2008.09.05 -
NOD32v2 3416 2008.09.04 -
Norman 5.80.02 2008.09.04 -
Panda 9.0.0.4 2008.09.04 -
PCTools 4.4.2.0 2008.09.04 -
Prevx1 V2 2008.09.05 -
Rising 20.60.31.00 2008.09.04 -
Sophos 4.33.0 2008.09.04 Mal/EncPk-DG
Sunbelt 3.1.1606.1 2008.09.04 -
Symantec 10 2008.09.04 -
TheHacker 6.3.0.8.072 2008.09.04 -
TrendMicro 8.700.0.1004 2008.09.04 -
VBA32 3.12.8.5 2008.09.04 -
ViRobot 2008.9.4.1363 2008.09.04 -
VirusBuster 4.5.11.0 2008.09.04 -
Webwasher-Gateway 6.6.2 2008.09.04 -
Additional information
File size: 126976 bytes
MD5...: 84c947994addfc79ec9446f383213034
SHA1..: 87dc99cd859da6f32b12465be80b7d038c326563
SHA256: 536650b852b3ad4783d8fbda1b5803fe7ef60a3395c65e0e8dae48048e724290
SHA512: caebe9956d38f3f9826d452ca85c96844569dbaca194f6c311ddbe6bcab7f2a64f90611ceace419f361f3b186908b648c51c64857b02be09e5597ec007c5a284
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10010343
timedatestamp.....: 0x48b1be6e (Sun Aug 24 20:02:54 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.psbskz 0x1000 0x19cba 0x1a000 6.93 a014ce28a148e1a6b3380a7878e3528d
.jajh 0x1b000 0x713 0x1000 2.94 5b9f05c176003fd2c32087ac03073b02
.bpxfye 0x1c000 0x1f84 0x1000 0.51 9bf6fbe8c1e98f6a50558ec518e1f5f6
.reloc 0x1e000 0x196c 0x2000 5.99 e96d83d8e63af2c0eadde3beba3ef907

( 4 imports )
> KERNEL32.dll: FindResourceW, GlobalUnlock, SetThreadPriority, DuplicateHandle, FindFirstChangeNotificationW, lstrlenW, WaitForMultipleObjects, GetModuleFileNameW, GetModuleHandleW, SuspendThread, GetCurrentThread, DeleteFileW, CreateThread, GetProcAddress, CreateFileW, GetFileAttributesExW, GetUserDefaultLangID, GetLastError, WaitForSingleObject, GetTickCount, SizeofResource, SetWaitableTimer, LoadLibraryA, TerminateThread, GetCurrentProcessId, FreeResource
> USER32.dll: GetWindowRect, LoadStringW, RegisterWindowMessageW, GetParent, DestroyMenu, TranslateMessage, GetSysColor, DestroyIcon, SetForegroundWindow, GetSystemMetrics, EnableWindow, CreateWindowExW, EndDialog, SetLayeredWindowAttributes, OffsetRect, PostThreadMessageW, LoadBitmapW, SystemParametersInfoW, VkKeyScanW
> GDI32.dll: CreateSolidBrush, SetMapMode, CreateDCW, SelectObject, Rectangle, DeleteObject, CreatePen
> ADVAPI32.dll: InitializeSecurityDescriptor, RegDeleteValueW, LookupAccountSidW, GetUserNameW

( 4 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer
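Reading the report above the way a defender would, here is an added example (not from the original post, from VirusTotal, or from any tool in this thread) that parses the text-form report, computes the detection ratio, flags PE sections whose names are not standard or whose entropy points at packed or encrypted content, and records the COM exports and linker timestamp. The abridged report embedded in the code keeps six of the 36 engines and the base data, section table and exports verbatim; the 6.5 bits/byte entropy threshold and the list of standard section names are my own choices.

```python
import re

# Section names a normal linker emits; anything else is worth a second look.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".bss", ".tls", ".pdata", ".crt"}
HIGH_ENTROPY = 6.5  # bits/byte; compiled x86 code usually lands around 5.5-6.3

# Constructed sample: abridged copy of the report posted above (six of the
# 36 engines kept; base data, section table and exports kept verbatim).
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2008.9.4.2 2008.09.04 -
Kaspersky 7.0.0.125 2008.09.05 -
McAfee 5377 2008.09.04 -
Prevx1 V2 2008.09.05 -
Sophos 4.33.0 2008.09.04 Mal/EncPk-DG
Symantec 10 2008.09.04 -
Additional information
File size: 126976 bytes
MD5...: 84c947994addfc79ec9446f383213034
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10010343
timedatestamp.....: 0x48b1be6e (Sun Aug 24 20:02:54 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.psbskz 0x1000 0x19cba 0x1a000 6.93 a014ce28a148e1a6b3380a7878e3528d
.jajh 0x1b000 0x713 0x1000 2.94 5b9f05c176003fd2c32087ac03073b02
.bpxfye 0x1c000 0x1f84 0x1000 0.51 9bf6fbe8c1e98f6a50558ec518e1f5f6
.reloc 0x1e000 0x196c 0x2000 5.99 e96d83d8e63af2c0eadde3beba3ef907

( 4 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer
"""


def parse_report(text: str) -> dict:
    """Parse the text report into engine results, PE sections, exports and
    the linker timestamp. Block boundaries are the report's own headings."""
    report = {"engines": {}, "sections": [], "exports": [], "compiled": None}
    mode = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Antivirus Version"):
            mode = "engines"
        elif not line or line.startswith("Additional information"):
            mode = None
        elif line.startswith("name viradd"):
            mode = "sections"
        elif re.fullmatch(r"\( \d+ exports \)", line):
            mode = "exports"
        elif mode == "engines":
            tok = line.split()                      # engine version date result...
            report["engines"][tok[0]] = " ".join(tok[3:])
        elif mode == "sections":
            name, _vaddr, vsize, rawsize, entropy, md5 = line.split()
            report["sections"].append({"name": name, "vsize": int(vsize, 16),
                                       "rawsize": int(rawsize, 16),
                                       "entropy": float(entropy), "md5": md5})
        elif mode == "exports":
            report["exports"] = [e.strip() for e in line.split(",")]
        else:
            m = re.search(r"timedatestamp\.*: \S+ \((.*?)\)", line)
            if m:
                report["compiled"] = m.group(1)
    return report


def detection_ratio(report: dict):
    """(engines that named something, engines queried)."""
    hits = sum(1 for r in report["engines"].values() if r != "-")
    return hits, len(report["engines"])


def packed_sections(report: dict):
    """Names of sections whose entropy is in packed/encrypted territory."""
    return [s["name"] for s in report["sections"] if s["entropy"] >= HIGH_ENTROPY]


def assess(report: dict):
    """Turn the parsed report into (indicator, detail) pairs for a reviewer."""
    flags = []
    hits, total = detection_ratio(report)
    named = {e: r for e, r in report["engines"].items() if r != "-"}
    flags.append(("detections", f"{hits}/{total} engines: {named}"))
    for s in report["sections"]:
        why = []
        if s["name"].lower() not in STANDARD_SECTIONS:
            why.append("non-standard section name")
        if s["entropy"] >= HIGH_ENTROPY:
            why.append(f"entropy {s['entropy']:.2f} bits/byte (packed or encrypted)")
        if why:
            flags.append((s["name"], "; ".join(why)))
    if {"DllRegisterServer", "DllGetClassObject"} <= set(report["exports"]):
        flags.append(("exports", "self-registering COM server, the shape an SSODL entry loads by CLSID"))
    if report["compiled"]:
        flags.append(("compiled", report["compiled"]))
    return flags


if __name__ == "__main__":
    for indicator, detail in assess(parse_report(SAMPLE_REPORT)):
        print(f"{indicator:12} {detail}")
```

Run against the sample, the script reports one detection out of six engines, flags all four section names as non-standard and .psbskz (6.93 bits/byte) as packed, which is exactly what Sophos's Mal/EncPk-DG heuristic is saying, notes the DllRegisterServer/DllGetClassObject exports that fit a DLL loaded through a CLSID-keyed ShellServiceObjectDelayLoad entry like the O21 line in the HijackThis log, and prints a linker timestamp of Sunday 24 August 2008, the day the first post says the infection started. A near-clean VirusTotal result on a file that is this freshly built and packed says little about the file and a lot about signature lag.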

#10 jsharp721
  • Topic Starter
  • Members
  • 10 posts

Posted 04 September 2008 - 09:13 PM

Here's the Kaspersky log. It doesn't seem like it found anything.


#11 screen317
  • Malware Response Team
  • 236 posts
  • Location:Los Angeles

Posted 05 September 2008 - 03:39 PM

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.


Next, please open Notepad - don't use any other text editor than notepad or the script will fail.
Copy and paste the text in the Code box below into Notepad:

http://www.bleepingcomputer.com/forums/t/165693/had-antivirus-xp-2008got-rid-of-it-but-now-getting-fake-windows-security-alerts/
Collect::
C:\Program Files\jwvrrnc\ApiSet.dll
Folder::
C:\Program Files\jwvrrnc


Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Additionally, when ComboFix finishes running, it will display its log and it may prompt you to submit a file for analysis; if so, please follow its instructions.

-screen317

#12 jsharp721
  • Topic Starter
  • Members
  • 10 posts

Posted 05 September 2008 - 05:42 PM

Here's the new ComboFix log. It also had me submit a file for analysis and told me to let you know.

Thanks!

Attached Files

  • Attached File  log.txt   12.36KB   25 downloads


#13 screen317
  • Malware Response Team
  • 236 posts
  • Location:Los Angeles

Posted 07 September 2008 - 04:18 AM

Hi,

Did you install anything on September 4th? ComboFix shows many suspicious files created on that day.

Please go to VirusTotal, and upload the following files for analysis:
C:\WINDOWS\SYSTEM32\windowscodecs.dll
C:\WINDOWS\SYSTEM32\tspkg.dll
C:\WINDOWS\SYSTEM32\wlanapi.dll


Post the results in your reply.

-screen317

Edited by screen317, 07 September 2008 - 04:19 AM.


#14 jsharp721
  • Topic Starter
  • Members
  • 10 posts

Posted 07 September 2008 - 07:23 AM

I don't think I installed anything on the 4th. Here are the logs for the three files you wanted.


File windowscodecs.dll received on 09.04.2008 23:02:50 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.4.2 2008.09.04 -
AntiVir 7.8.1.28 2008.09.04 -
Authentium 5.1.0.4 2008.09.04 -
Avast 4.8.1195.0 2008.09.04 -
AVG 8.0.0.161 2008.09.04 -
BitDefender 7.2 2008.09.04 -
CAT-QuickHeal 9.50 2008.09.02 -
ClamAV 0.93.1 2008.09.04 -
DrWeb 4.44.0.09170 2008.09.04 -
eSafe 7.0.17.0 2008.09.03 -
eTrust-Vet 31.6.6069 2008.09.04 -
Ewido 4.0 2008.09.04 -
F-Prot 4.4.4.56 2008.09.04 -
F-Secure 8.0.14332.0 2008.09.04 -
Fortinet 3.14.0.0 2008.09.03 -
GData 19 2008.09.04 -
Ikarus T3.1.1.34.0 2008.09.04 -
K7AntiVirus 7.10.441 2008.09.04 -
Kaspersky 7.0.0.125 2008.09.04 -
McAfee 5377 2008.09.04 -
Microsoft 1.3903 2008.09.04 -
NOD32v2 3415 2008.09.04 -
Norman 5.80.02 2008.09.04 -
Panda 9.0.0.4 2008.09.04 -
PCTools 4.4.2.0 2008.09.04 -
Prevx1 V2 2008.09.04 -
Rising 20.60.31.00 2008.09.04 -
Sophos 4.33.0 2008.09.04 -
Sunbelt 3.1.1606.1 2008.09.04 -
Symantec 10 2008.09.04 -
TheHacker 6.3.0.8.072 2008.09.04 -
TrendMicro 8.700.0.1004 2008.09.04 -
VBA32 3.12.8.5 2008.09.04 -
ViRobot 2008.9.4.1363 2008.09.04 -
VirusBuster 4.5.11.0 2008.09.04 -
Webwasher-Gateway 6.6.2 2008.09.04 -
Additional information
File size: 712704 bytes
MD5...: 5f63e2b2a72e1e6448123e0920d31530

File tspkg.dll received on 09.07.2008 14:16:16 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.6.0 2008.09.06 -
AntiVir 7.8.1.28 2008.09.05 -
Authentium 5.1.0.4 2008.09.06 -
Avast 4.8.1195.0 2008.09.06 -
AVG 8.0.0.161 2008.09.07 -
BitDefender 7.2 2008.09.07 -
CAT-QuickHeal 9.50 2008.09.06 -
ClamAV 0.93.1 2008.09.07 -
DrWeb 4.44.0.09170 2008.09.07 -
eSafe 7.0.17.0 2008.09.07 -
eTrust-Vet 31.6.6072 2008.09.05 -
Ewido 4.0 2008.09.07 -
F-Prot 4.4.4.56 2008.09.06 -
F-Secure 8.0.14332.0 2008.09.07 -
Fortinet 3.112.0.0 2008.09.07 -
GData 19 2008.09.07 -
Ikarus T3.1.1.34.0 2008.09.07 -
K7AntiVirus 7.10.443 2008.09.05 -
Kaspersky 7.0.0.125 2008.09.07 -
McAfee 5378 2008.09.05 -
Microsoft 1.3903 2008.09.07 -
NOD32v2 3423 2008.09.06 -
Norman 5.80.02 2008.09.05 -
Panda 9.0.0.4 2008.09.07 -
PCTools 4.4.2.0 2008.09.06 -
Prevx1 V2 2008.09.07 -
Rising 20.60.62.00 2008.09.07 -
Sophos 4.33.0 2008.09.07 -
Sunbelt 3.1.1610.1 2008.09.05 -
Symantec 10 2008.09.07 -
TheHacker 6.3.0.8.075 2008.09.06 -
TrendMicro 8.700.0.1004 2008.09.05 -
VBA32 3.12.8.5 2008.09.07 -
ViRobot 2008.9.5.1365 2008.09.06 -
VirusBuster 4.5.11.0 2008.09.06 -
Webwasher-Gateway 6.6.2 2008.09.05 -
Additional information
File size: 50688 bytes
MD5...: e23c2933a53b4459482e84bb56d24681

File wlanapi.dll received on 09.07.2008 14:18:01 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.6.0 2008.09.06 -
AntiVir 7.8.1.28 2008.09.05 -
Authentium 5.1.0.4 2008.09.06 -
Avast 4.8.1195.0 2008.09.06 -
AVG 8.0.0.161 2008.09.07 -
BitDefender 7.2 2008.09.07 -
CAT-QuickHeal 9.50 2008.09.06 -
ClamAV 0.93.1 2008.09.07 -
DrWeb 4.44.0.09170 2008.09.07 -
eSafe 7.0.17.0 2008.09.07 -
eTrust-Vet 31.6.6072 2008.09.05 -
Ewido 4.0 2008.09.07 -
F-Prot 4.4.4.56 2008.09.06 -
F-Secure 8.0.14332.0 2008.09.07 -
Fortinet 3.112.0.0 2008.09.07 -
GData 19 2008.09.07 -
Ikarus T3.1.1.34.0 2008.09.07 -
K7AntiVirus 7.10.443 2008.09.05 -
Kaspersky 7.0.0.125 2008.09.07 -
McAfee 5378 2008.09.05 -
Microsoft 1.3903 2008.09.07 -
NOD32v2 3423 2008.09.06 -
Norman 5.80.02 2008.09.05 -
Panda 9.0.0.4 2008.09.07 -
PCTools 4.4.2.0 2008.09.06 -
Prevx1 V2 2008.09.07 -
Rising 20.60.62.00 2008.09.07 -
Sophos 4.33.0 2008.09.07 -
Sunbelt 3.1.1610.1 2008.09.05 -
Symantec 10 2008.09.07 -
TheHacker 6.3.0.8.075 2008.09.06 -
TrendMicro 8.700.0.1004 2008.09.05 -
VBA32 3.12.8.5 2008.09.07 -
ViRobot 2008.9.5.1365 2008.09.06 -
VirusBuster 4.5.11.0 2008.09.06 -
Webwasher-Gateway 6.6.2 2008.09.05 -
Additional information
File size: 69120 bytes
MD5...: 9eefe69139fdbb4a3c327630f8eb993a

Edited by screen317, 07 September 2008 - 07:39 PM.


#15 screen317
  • Malware Response Team
  • 236 posts
  • Location:Los Angeles

Posted 07 September 2008 - 07:39 PM

Alrighty.

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u.

This uninstalls all of ComboFix's components.


Restart your computer, post a fresh HijackThis log, and let me know what problems remain.

-screen317
