Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with PUP.CrossFire.SA


  • Please log in to reply
7 replies to this topic

#1 prairiedances

prairiedances

  • Members
  • 86 posts
  • OFFLINE
  •  
  • Local time:03:59 AM

Posted 03 January 2013 - 10:06 AM

Hello,

I recently ran a Malwarebytes scan and noticed my computer has been infected with PUP.crossfire.sa. After doing some reading up on it, it seems like it takes a bit to get rid of it fully so just wanted to get some help on how to do that. I think Coupon Companion is attached it and I have already removed it from my programs list. Below are the results of the Malwarebytes scan if that helps. Also I have Windows 7 Home.

Thanks!

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.03.02

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
dunstan :: DUNSTAN-PC [administrator]

1/3/2013 9:44:10 AM
mbam-log-2013-01-03 (09-44-10).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 232024
Time elapsed: 5 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\INSTALLEDBROWSEREXTENSIONS\215 APPS (PUP.CrossFire.SA) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\Software\InstalledBrowserExtensions\215 Apps|4493 (PUP.CrossFire.SA) -> Data: Coupon Companion -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,329 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:59 AM

Posted 03 January 2013 - 02:05 PM

Hello and welcome.. Also run these please.

TDSS Alt
Please Download TDSSkiller
Launch it.
Click on change parameters-Select TDLFS file system
Click on "Scan".
Please post the LOG report(log file should be in your C drive)

Do not change the default options on scan results.

>>>>

MiniToolBox
Please download MiniToolBox, save it to your desktop and run it.Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run. Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
>>>

ADW Cleaner

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

>>>>

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image
      icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

NOTE:Sometimes if ESET finds no infections it will not create a log.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 prairiedances

prairiedances
  • Topic Starter

  • Members
  • 86 posts
  • OFFLINE
  •  
  • Local time:03:59 AM

Posted 03 January 2013 - 02:41 PM

Hi, thanks :)

I ran TDSS Killer but I couldn't find the LOG report. It came up as:
No threats found
Duration 00:00:27
Processed: 428 objects
Found: o threats
Neutralized: 0 threats
Quarantined: 0 objects

The MiniToolBox results:

MiniToolBox by Farbar Version: 25-11-2012
Ran by dunstan (administrator) on 03-01-2013 at 14:33:24
Running from "C:\Users\dunstan\Downloads"
Windows 7 Home Premium (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================



========================= IP Configuration: ================================

NVIDIA nForce 10/100 Mbps Ethernet = Local Area Connection (Connected)
Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64 = Local Area Connection 2 (Hardware not present)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
set interface interface="Local Area Connection 2" forwarding=enabled advertise=enabled metric=1 nud=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : dunstan-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : buffalo.edu
Belkin

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : Belkin
Description . . . . . . . . . . . : NVIDIA nForce 10/100 Mbps Ethernet
Physical Address. . . . . . . . . : 70-71-BC-C1-AD-1D
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::cdfd:4ff7:e78f:3ec0%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.2.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, January 03, 2013 2:17:11 PM
Lease Expires . . . . . . . . . . : Sunday, February 09, 2149 9:01:46 PM
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DHCPv6 IAID . . . . . . . . . . . : 242250172
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-61-59-1A-70-71-BC-C1-AD-1D
DNS Servers . . . . . . . . . . . : 192.168.2.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:1879:946:e740:8493(Preferred)
Link-local IPv6 Address . . . . . : fe80::1879:946:e740:8493%12(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter 6TO4 Adapter:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: UnKnown
Address: 192.168.2.1

Name: google.com.buffalo.edu
Address: 67.63.55.3


Pinging google.com [74.125.228.6] with 32 bytes of data:
Reply from 74.125.228.6: bytes=32 time=19ms TTL=52
Reply from 74.125.228.6: bytes=32 time=20ms TTL=52

Ping statistics for 74.125.228.6:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 19ms, Maximum = 20ms, Average = 19ms
Server: UnKnown
Address: 192.168.2.1

Name: yahoo.com.buffalo.edu
Address: 67.63.55.3


Pinging yahoo.com [72.30.38.140] with 32 bytes of data:
Reply from 72.30.38.140: bytes=32 time=191ms TTL=49
Reply from 72.30.38.140: bytes=32 time=128ms TTL=48

Ping statistics for 72.30.38.140:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 128ms, Maximum = 191ms, Average = 159ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
11...70 71 bc c1 ad 1d ......NVIDIA nForce 10/100 Mbps Ethernet
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
15...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.2 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.2.0 255.255.255.0 On-link 192.168.2.2 276
192.168.2.2 255.255.255.255 On-link 192.168.2.2 276
192.168.2.255 255.255.255.255 On-link 192.168.2.2 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.2.2 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.2.2 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
12 58 ::/0 On-link
1 306 ::1/128 On-link
12 58 2001::/32 On-link
12 306 2001:0:4137:9e76:1879:946:e740:8493/128
On-link
11 276 fe80::/64 On-link
12 306 fe80::/64 On-link
12 306 fe80::1879:946:e740:8493/128
On-link
11 276 fe80::cdfd:4ff7:e78f:3ec0/128
On-link
1 306 ff00::/8 On-link
12 306 ff00::/8 On-link
11 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [51712] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145648] (Microsoft Corp.)
Catalog5 09 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145648] (Microsoft Corp.)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70144] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
x64-Catalog5 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [171760] (Microsoft Corp.)
x64-Catalog5 09 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [171760] (Microsoft Corp.)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [320000] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/01/2013 03:09:20 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 5164

Error: (01/01/2013 03:09:20 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 5164

Error: (01/01/2013 03:09:20 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (01/01/2013 00:23:37 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 5257

Error: (01/01/2013 00:23:37 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 5257

Error: (01/01/2013 00:23:36 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (01/01/2013 09:57:51 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 8487

Error: (01/01/2013 09:57:51 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 8487

Error: (01/01/2013 09:57:51 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (01/01/2013 09:57:45 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 2543


System errors:
=============
Error: (01/02/2013 01:31:06 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 1:26:56 PM on ?1/?2/?2013 was unexpected.

Error: (01/02/2013 01:25:53 PM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the NIS service.

Error: (01/02/2013 01:24:00 PM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.

Error: (01/01/2013 10:08:20 AM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.

Error: (01/01/2013 10:08:20 AM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.

Error: (01/01/2013 10:08:21 AM) (Source: DCOM) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}

Error: (12/30/2012 10:04:43 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 10:03:01 PM on ?12/?30/?2012 was unexpected.

Error: (12/30/2012 10:00:28 PM) (Source: Service Control Manager) (User: )
Description: The Peer Name Resolution Protocol service depends on the Peer Networking Identity Manager service which failed to start because of the following error:
%%1053

Error: (12/30/2012 10:00:28 PM) (Source: Service Control Manager) (User: )
Description: The Peer Networking Grouping service depends on the Peer Networking Identity Manager service which failed to start because of the following error:
%%1053

Error: (12/30/2012 10:00:28 PM) (Source: Service Control Manager) (User: )
Description: The Peer Networking Identity Manager service failed to start due to the following error:
%%1053


Microsoft Office Sessions:
=========================
Error: (01/01/2013 03:09:20 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 5164

Error: (01/01/2013 03:09:20 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 5164

Error: (01/01/2013 03:09:20 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (01/01/2013 00:23:37 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 5257

Error: (01/01/2013 00:23:37 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 5257

Error: (01/01/2013 00:23:36 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (01/01/2013 09:57:51 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 8487

Error: (01/01/2013 09:57:51 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 8487

Error: (01/01/2013 09:57:51 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (01/01/2013 09:57:45 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 2543


=========================== Installed Programs ============================

ActiveLink Connect (Version: 5.5.4.15946)
Adobe Flash Player 11 Plugin (Version: 11.5.502.135)
Adobe Reader XI (Version: 11.0.00)
Apple Application Support (Version: 2.3.2)
Apple Mobile Device Support (Version: 6.0.1.3)
Apple Software Update (Version: 2.1.3.127)
Bonjour (Version: 3.0.0.10)
Cisco AnyConnect VPN Client (Version: 2.4.0202)
Coupon Printer for Windows (Version: 5.0.0.0)
CyberLink DVD Suite Deluxe (Version: 7.0.2115)
D3DX10 (Version: 15.4.2368.0902)
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
DirectX for Managed Code Update (Summer 2004) (Version: 9.02.2904)
Dropbox (Version: 1.6.10)
DVD Menu Pack for HP MediaSmart Video (Version: 3.1.3224)
Express Dictate
Express Scribe
FileZilla Client 3.5.3 (Version: 3.5.3)
Google Chrome (Version: 23.0.1271.97)
Google Talk (remove only)
Google Talk Plugin (Version: 3.10.2.10212)
HP Advisor (Version: 3.4.10262.3295)
HP Customer Experience Enhancements (Version: 6.0.1.4)
HP Games (Version: 1.0.0.71)
HP MediaSmart Demo (Version: 1.00.0000)
HP MediaSmart DVD (Version: 3.1.3317)
HP MediaSmart Music/Photo/Video (Version: 3.1.3422)
HP MediaSmart SmartMenu (Version: 3.1.0.1)
HP MediaSmart/TouchSmart Netflix (Version: 1.0.2.0)
HP Odometer (Version: 2.10.0000)
HP Photo Creations (Version: 1.0.0.3341)
HP Photosmart Plus B210 series Basic Device Software (Version: 22.0.334.0)
HP Photosmart Plus B210 series Help (Version: 140.0.54.54)
HP Photosmart Plus B210 series Product Improvement Study (Version: 22.0.334.0)
HP Remote Solution (Version: 1.1.11.0)
HP Remote Solution (Version: 1.1.12.0)
HP Setup (Version: 8.1.4186.3400)
HP Support Assistant (Version: 6.1.12.1)
HP Support Information (Version: 10.1.0002)
HP Update (Version: 5.002.005.003)
HP Vision Hardware Diagnostics (Version: 2.1.2.27173)
Hulu Desktop (Version: 0.9.10)
iCloud (Version: 2.1.1.3)
IrfanView (remove only) (Version: 4.32)
iTunes (Version: 11.0.1.12)
Junk Mail filter update (Version: 16.4.3505.0912)
LabelPrint (Version: 2.5.2017)
LightScribe System Software (Version: 1.18.17.1)
Malwarebytes Anti-Malware version 1.70.0.1100 (Version: 1.70.0.1100)
McAfee Security Scan Plus (Version: 3.0.285.6)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Live Search Toolbar (Version: 3.0.566.0)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Groove MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Professional Plus 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Silverlight (Version: 4.1.10329.0)
Microsoft SkyDrive (Version: 17.0.2003.1112)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Works 6.0 (Version: 06.00.1829)
Movie Maker (Version: 16.4.3505.0912)
Movie Theme Pack for HP MediaSmart Video (Version: 3.1.3310)
Mozilla Firefox 17.0.1 (x86 en-US) (Version: 17.0.1)
Mozilla Maintenance Service (Version: 17.0.1)
MSVCRT (Version: 15.4.2862.0708)
MSVCRT_amd64 (Version: 15.4.2862.0708)
MSVCRT110 (Version: 16.4.1108.0727)
MSVCRT110_amd64 (Version: 16.4.1109.0912)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Norton Internet Security (Version: 20.2.0.19)
Norton Online Backup (Version: 1.2.20.0)
NVIDIA Drivers (Version: 1.5)
Oregon Trail 5
Photo Gallery (Version: 16.4.3505.0912)
PlayReady PC Runtime amd64 (Version: 1.3.0)
Power2Go (Version: 6.0.3304)
PowerDirector (Version: 7.0.3503)
QuickTime (Version: 7.73.80.64)
Realtek High Definition Audio Driver (Version: 6.0.1.5938)
Recovery Manager (Version: 5.5.2216)
Safari (Version: 5.34.57.2)
Secure Download Manager (Version: 3.0.5)
Skype Click to Call (Version: 6.5.11422)
Skype™ 5.10 (Version: 5.10.116)
SUPERAntiSpyware (Version: 5.6.1014)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2687277) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition
WavePad Sound Editor
Windows Live Communications Platform (Version: 16.4.3505.0912)
Windows Live Essentials (Version: 16.4.3505.0912)
Windows Live ID Sign-in Assistant (Version: 7.250.4311.0)
Windows Live Installer (Version: 16.4.3505.0912)
Windows Live Mail (Version: 16.4.3505.0912)
Windows Live Messenger (Version: 16.4.3505.0912)
Windows Live MIME IFilter (Version: 16.4.3505.0912)
Windows Live Photo Common (Version: 16.4.3505.0912)
Windows Live PIMT Platform (Version: 16.4.3505.0912)
Windows Live SOXE (Version: 16.4.3505.0912)
Windows Live SOXE Definitions (Version: 16.4.3505.0912)
Windows Live Sync (Version: 14.0.8089.726)
Windows Live UX Platform (Version: 16.4.3505.0912)
Windows Live UX Platform Language Pack (Version: 16.4.3505.0912)
Windows Live Writer (Version: 16.4.3505.0912)
Windows Live Writer Resources (Version: 16.4.3505.0912)

========================= Memory info: ===================================

Percentage of memory in use: 38%
Total physical RAM: 2814.49 MB
Available physical RAM: 1731.96 MB
Total Pagefile: 5627.13 MB
Available Pagefile: 4026.49 MB
Total Virtual: 4095.88 MB
Available Virtual: 3972.16 MB

========================= Partitions: =====================================

1 Drive c: (HP) (Fixed) (Total:286.36 GB) (Free:215.03 GB) NTFS
2 Drive d: (FACTORY_IMAGE) (Fixed) (Total:11.63 GB) (Free:1.68 GB) NTFS

========================= Users: ========================================

User accounts for \\DUNSTAN-PC

Administrator dunstan Guest


**** End of log ****

The ADW Cleaner Results:
# AdwCleaner v2.104 - Logfile created 01/03/2013 at 14:36:03
# Updated 29/12/2012 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : dunstan - DUNSTAN-PC
# Boot Mode : Normal
# Running from : C:\Users\dunstan\Downloads\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
Folder Deleted : C:\Users\dunstan\AppData\Local\Temp\boost_interprocess

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Cr_Installer
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Mozilla Firefox v17.0.1 (en-US)

File : C:\Users\dunstan\AppData\Roaming\Mozilla\Firefox\Profiles\vfhrufnl.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v23.0.1271.97

File : C:\Users\dunstan\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1344 octets] - [03/01/2013 14:36:03]

########## EOF - C:\AdwCleaner[S1].txt - [1404 octets] ##########


I'll post ESET Online Scan in another post.
Thanks again!

#4 prairiedances

prairiedances
  • Topic Starter

  • Members
  • 86 posts
  • OFFLINE
  •  
  • Local time:03:59 AM

Posted 03 January 2013 - 05:43 PM

Here are the results of the ESETScan

C:\Users\dunstan\Downloads\cbsidlm-cbsi5_2_0_83-Free_WMA_to_MP3_Converter-SEO2-10494267.exe a variant of Win32/CNETInstaller.A application cleaned by deleting - quarantined

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,329 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:59 AM

Posted 03 January 2013 - 06:18 PM

Hi,you downloaded Free_WMA_to_MP3_Converter off CNET and that is where the infection came from.
I do not know why but there it is//

Looks like we got it so if thetre are no more isues on that end then,,,Now you should Create a New Restore Point (alternate method) to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Then use Disk Cleanup to remove all but the newly created Restore Point.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 prairiedances

prairiedances
  • Topic Starter

  • Members
  • 86 posts
  • OFFLINE
  •  
  • Local time:03:59 AM

Posted 03 January 2013 - 11:29 PM

Thanks! Weird, Norton okay'd the Free_WMA_to_MP3_Converter before it was downloaded. Either way, thanks for your help!

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,329 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:59 AM

Posted 04 January 2013 - 11:05 AM

I'm going to call it bribeware. As it must be a known thing to some security vendors that they will allow it.. CNET knows it's there.

When you initiate the download,you will encounter a single offer for additional 3rd-party software, which is clearly disclosed and provides the option to accept or decline the offer before proceeding with the download. We only show offers for software that is approved for
listing on CNET Download.com. If you do not wish to use the CNET Installer, we provide a link to the direct HTTP download URL below the main "Download Now" button on the products "detail page" on Download.com. You can access this page by clicking on the product name on your "My Software" page. You will need to be logged in as a CNET member to use this link.

Regards,
Gregg
CNET Technical Support

http://forums.cnet.com/7723-21574_102-546820/win32-installcore-d-win32-opencandy/
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 prairiedances

prairiedances
  • Topic Starter

  • Members
  • 86 posts
  • OFFLINE
  •  
  • Local time:03:59 AM

Posted 04 January 2013 - 11:26 PM

Fair enough. Thanks for looking it to it and all your help! :)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users