Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan.FakeAlert.SFXGen3


  • This topic is locked This topic is locked
11 replies to this topic

#1 Duncan1892

Duncan1892

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:11:01 PM

Posted 16 April 2012 - 07:39 AM

Hi

I found this Trojan on my laptop after I scanned with malwarebytes anti-malware. Someone else in the house caught it I dont know where.. :angry:

I have removed

Trojan.FakeAlert.SFXGen3 file from downloads folder "setup.exe" and
Trojan.FakeAlert.SFXGen3 registry key referring to the setup.exe file

I am wondering if I am safe or need to do anything more... I dont know if the file was run... :o

Thanks

BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,510 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:01 PM

Posted 18 April 2012 - 10:05 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

Posted Image
Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.

Please just paste the contents of the DDS.txt log in your next post.
===

Third party programs if not up to date can be an open door for an infection

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

#3 Duncan1892

Duncan1892
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:11:01 PM

Posted 19 April 2012 - 06:59 AM

Hello nasdaq and thank you for helping me on this.


DDS.txt log results

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by Administrator at 12:49:26 on 2012-04-19
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.895.368 [GMT 1:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Ashampoo\Ashampoo Snap 4\ashsnap.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [AshSnap] c:\program files\ashampoo\ashampoo snap 4\ashsnap.exe
uRun: [Xvid] c:\program files\xvid\CheckUpdate.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1300289230734
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{4EB8F059-410F-4060-962A-FAB39B3F90C5} : DhcpNameServer = 194.168.4.100 194.168.8.100
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\tchqsrcb.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvsharetvplg.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_228.dll
.
============= SERVICES / DRIVERS ===============
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-3-11 56208]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-3-10 36000]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\34302\RapportCerberus32_34302.sys [2011-12-15 228208]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-3-11 71440]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-3-11 164112]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-6-29 116608]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-3-10 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-3-10 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-3-10 74640]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2012-3-11 931640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-3-17 22344]
R3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\RapportIaso.sys [2011-8-7 21520]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-3-17 654408]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-29 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-2 253600]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-3-17 1691480]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2011-2-11 35088]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-04-07 14:39:32 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
2012-04-02 11:46:47 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-02 11:45:51 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2012-04-02 11:45:51 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2012-04-02 11:45:37 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2012-04-02 11:45:37 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2012-03-20 14:52:59 25608 ----a-w- c:\windows\system32\X3DAudio1_4.dll
2012-03-20 14:51:53 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2012-03-20 14:50:03 -------- d--h--w- c:\windows\msdownld.tmp
.
==================== Find3M ====================
.
2012-04-04 14:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-02 11:46:46 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-11 13:48:50 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ------w- c:\windows\system32\html.iec
2012-02-18 23:56:47 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-18 23:56:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 08:57:31 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
.
============= FINISH: 12:50:30.51 ===============







checkup.txt log results

Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Avira Free Antivirus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

SUPERAntiSpyware
CCleaner
Java™ 6 Update 31
Adobe Flash Player 11.2.202.228
Adobe Reader X 10.1.0 Adobe Reader out of Date!
Mozilla Firefox (11.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````End of Log````````````

#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,510 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:01 PM

Posted 19 April 2012 - 10:17 AM

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you unckeck the box on the top right "Include in your download" this is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
===

Your DDS log was clean but will check further.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall
===

Please post the logs and let me know what problem persists.

#5 Duncan1892

Duncan1892
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:11:01 PM

Posted 19 April 2012 - 10:55 AM

ComboFix 12-04-19.01 - Administrator 19/04/2012 16:37:26.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.895.129 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\tmp.reg
c:\windows\system32\winlogon.bak
.
.
((((((((((((((((((((((((( Files Created from 2012-03-19 to 2012-04-19 )))))))))))))))))))))))))))))))
.
.
2012-04-07 14:39 . 2012-04-07 14:39 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-04-02 11:46 . 2012-04-02 11:46 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-02 11:45 . 2001-08-17 12:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2012-04-02 11:45 . 2001-08-17 12:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2012-04-02 11:45 . 2008-04-13 17:45 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2012-04-02 11:45 . 2008-04-13 17:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 14:56 . 2011-03-17 21:00 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-02 11:46 . 2011-05-20 08:45 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-11 13:48 . 2012-03-11 13:48 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-03-01 11:01 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2006-02-28 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2006-02-28 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2006-02-28 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2006-02-28 12:00 385024 ------w- c:\windows\system32\html.iec
2012-02-18 23:56 . 2012-02-18 23:57 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-18 23:56 . 2011-09-03 20:24 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-03 09:22 . 2006-02-28 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 08:57 . 2012-03-10 12:39 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-01-31 08:57 . 2012-03-10 12:39 137416 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-03-17 02:04 . 2011-04-29 21:18 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AshSnap"="c:\program files\Ashampoo\Ashampoo Snap 4\ashsnap.exe" [2011-12-12 1531272]
"Xvid"="c:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2009-01-30 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2010-10-26 53248]
"RTHDCPL"="RTHDCPL.EXE" [2009-11-12 18782720]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-01-31 258512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-02-03 430080]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2011-3-17 262144]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-09-23 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-03-06 17:48 488984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-03-06 17:58 1060376 ----a-w- c:\program files\Labtec\WebCam10\WebCam10.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer_Service.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [11/03/2012 14:48 56208]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [10/03/2012 13:39 36000]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [15/12/2011 18:07 228208]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [11/03/2012 14:48 71440]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [11/03/2012 14:48 164112]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [17/02/2010 19:25 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [29/06/2010 18:48 116608]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/03/2012 13:39 86224]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [11/03/2012 14:48 931640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [17/03/2011 22:00 22344]
R3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys [07/08/2011 20:36 21520]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [17/03/2011 22:00 654408]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [29/02/2012 09:50 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [02/04/2012 12:46 253600]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [17/03/2011 10:34 1691480]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/02/2011 22:23 35088]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - RAPPORTIASO
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 11:46]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tchqsrcb.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-NBAgent - c:\program files\Nero\Nero 11\Nero BackItUp\NBAgent.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-19 16:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-823518204-1292428093-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b0,8b,2e,b7,8c,7c,a8,48,97,03,4c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b0,8b,2e,b7,8c,7c,a8,48,97,03,4c,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(520)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2012-04-19 16:49:46
ComboFix-quarantined-files.txt 2012-04-19 15:49
ComboFix2.txt 2011-11-06 14:24
.
Pre-Run: 33,552,482,304 bytes free
Post-Run: 33,600,643,072 bytes free
.
- - End Of File - - B1F66C76C728823F2DF78F6035C2C50C

#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,510 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:01 PM

Posted 19 April 2012 - 01:29 PM

The log is clean.

Any remaining issues?

#7 Duncan1892

Duncan1892
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:11:01 PM

Posted 19 April 2012 - 01:48 PM

no. i think malwarebytes has done the job.

#8 Duncan1892

Duncan1892
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:11:01 PM

Posted 19 April 2012 - 03:40 PM

I would like to ask you, you might know...

How did I get infected with this trojan? What does this specific do? What could have I done to prevent this? I mean I have Avira Antivirus enabled.

#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,510 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:01 PM

Posted 20 April 2012 - 06:58 AM

We are unable to know how you got infected.

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

Surf Safely, and Think Prevention!

#10 Duncan1892

Duncan1892
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:11:01 PM

Posted 20 April 2012 - 08:03 AM

Right. I am very grateful for your help nasdaq.

Thank you so much. :thumbsup:

#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,510 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:01 PM

Posted 26 April 2012 - 08:55 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,510 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:01 PM

Posted 26 April 2012 - 08:59 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users