News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
May 25, 2013, 11:41:49
linktree cexx.org - Support Forums  >  Spyware-Related Stuff  >  Spyware - Help!
linktree Topic: Smart Fortress 2012
Pages: [1]   Go Down
« previous next »
  Print  
Topic: Smart Fortress 2012  (Read 1494 times)
0 Members and 1 Guest are viewing this topic.
« on: April 28, 2012, 11:00:52 »
Cgolf1 Offline
Jr. Member

 **

Karma: 0
Posts: 89
I've been hit again by fake antivirus malware.  This time called Smart Fortress 2012.  It is doing the usual things like continual pop ups "warning" me of applications that cannot be started.  I was able to run a HJT under safe mode (it wouldn't run under regular mode.)  After many attempts I was also able to run a malwarebytes. I've attaced both logs.  I couldn't open them to copy and paste.  Thanks for any help you can give me.
Logged
« Reply #1 on: April 28, 2012, 14:37:14 »
AplusWebMaster Offline
Global Moderator WWW
Karma: 501
Posts: 7329
While you're waiting for dvk01 to lend a hand, you might want to try this procedure:

Remove Smart Fortress 2012 (Uninstall Guide)
- http://www.bleepingcomputer.com/virus-removal/remove-smart-fortress-2012

.
Logged
This machine has no brain.
....... Use your own.
Browser check for updates here.
.
« Reply #2 on: April 28, 2012, 16:14:45 »
Cgolf1 Offline
Jr. Member

 **

Karma: 0
Posts: 89
The Smart Fortress uninstall program looks like it worked.  Thank you
Logged
« Reply #3 on: April 29, 2012, 00:42:05 »
dvk01 Offline
Administrator WWW
Karma: 6
Posts: 308
if you are getting attacked again so soon, then you must have vulnerabilities on taht computer, normally outdated software like flash, java or adobe reader
lets take a look and see what is there & what stil needs to be done as regards cleaning this pest
Logged
Derek
Microsoft MVP/Consumer Security
The Spykiller | Security and Privacy | Hedgehog Rescue
« Reply #4 on: April 29, 2012, 09:55:30 »
Cgolf1 Offline
Jr. Member

 **

Karma: 0
Posts: 89
It looks like the Smart Fortress fix is temporary.  When I log off and back in, it returns.  I ran the fix again and it is gone but i'm sure it will return.  What can we do that's more permanent?
Logged
« Reply #5 on: April 29, 2012, 10:04:55 »
dvk01 Offline
Administrator WWW
Karma: 6
Posts: 308
First clear your Java cache as shown http://www.java.com/en/download/help/5000020300.xml
Then follow advice here and post the logs those programs make in your next reply to this topic
Logged
Derek
Microsoft MVP/Consumer Security
The Spykiller | Security and Privacy | Hedgehog Rescue
« Reply #6 on: April 30, 2012, 12:50:08 »
Cgolf1 Offline
Jr. Member

 **

Karma: 0
Posts: 89
I have attached the dds.txt  and the attach.txt.  I can't send the Ark.txt because it is too big (5 mb).  I don't know if I did something wrong in running it.  Would you like me to try again?
Logged
« Reply #7 on: April 30, 2012, 13:54:33 »
dvk01 Offline
Administrator WWW
Karma: 6
Posts: 308
don't worry about gmer

Delete any existing version of ComboFix you have sitting on your desktop
Please read and follow all these instructions very carefully
Do not edit or remove any information or user names etc, otherwise we cannot fix the problem. If you insist on editing out anything then I will close the topic & refuse to offer any help.

Download ComboFix from Here or Hereto your Desktop.
As you download it rename it to username123.exe


**Note:  It is important that it is saved directly to your desktop  and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Very Important! Temporarily disable your anti-virus and  anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
  • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re enable the protection again after combofix has finished
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running
Double click on renamed combofix.exe & follow the prompts.
If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
When finished, it will produce a report for you. 
Please post the "C:\ComboFix.txt" for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version. 

Please tell us if it has cured the problems or if there are any outstanding issues
Logged
Derek
Microsoft MVP/Consumer Security
The Spykiller | Security and Privacy | Hedgehog Rescue
« Reply #8 on: April 30, 2012, 15:35:29 »
Cgolf1 Offline
Jr. Member

 **

Karma: 0
Posts: 89
Here is the combofix log. It says my antivirus was enabled but it was definitly disabled.  When the system restarted there was no sign of the Smart Fortress...

ComboFix 12-04-31.02 - chris 04/30/2012  19:11:30.8.3 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3838.2451 [GMT -4:00]
Running from: c:\users\chris\Desktop\username123.exe
AV: Trend Micro AntiVirus *Enabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro AntiVirus *Enabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\chris\AppData\Local\Temp\avdps.dll
c:\users\chris\AppData\Local\Temp\detinc.dll
c:\users\chris\AppData\Local\temp\mplobt.dll
c:\windows\SysWow64\urttemp
c:\windows\SysWow64\urttemp\regtlib.exe
.
.
(((((((((((((((((((((((((   Files Created from 2012-03-28 to 2012-04-30  )))))))))))))))))))))))))))))))
.
.
2012-04-30 23:19 . 2012-04-30 23:22   --------   d-----w-   c:\users\chris\AppData\Local\temp
2012-04-30 23:19 . 2012-04-30 23:19   --------   d-----w-   c:\users\ReleaseEngineer.MACROVISION\AppData\Local\temp
2012-04-30 23:19 . 2012-04-30 23:19   --------   d-----w-   c:\users\Public\AppData\Local\temp
2012-04-30 23:19 . 2012-04-30 23:19   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-04-30 23:19 . 2012-04-30 23:19   --------   d-----w-   c:\users\AppData\AppData\Local\temp
2012-04-27 02:21 . 2012-04-27 02:21   --------   d-----w-   c:\program files (x86)\Common Files\PX Storage Engine
2012-04-24 02:52 . 2012-04-24 02:52   --------   d-----w-   c:\users\chris\AppData\Local\MSoft
2012-04-22 16:36 . 2012-04-22 16:36   --------   d-----w-   C:\_OTS
2012-04-21 13:23 . 2012-04-24 20:09   129024   ----a-w-   c:\windows\RegBootClean64.exe
2012-04-19 11:58 . 2012-04-19 11:58   --------   d-----w-   c:\users\chris\AppData\Local\AMD
2012-04-18 22:33 . 2012-04-18 22:33   --------   d-----w-   c:\users\chris\AppData\Local\WinZip
2012-04-17 00:10 . 2012-04-17 00:11   --------   d-----w-   C:\thumb drive
2012-04-16 01:36 . 2012-04-16 01:36   --------   d-----w-   c:\program files (x86)\Photo Story 3 for Windows
2012-04-16 01:12 . 2012-04-16 01:12   --------   d-----w-   c:\windows\en
2012-04-16 01:10 . 2012-04-16 01:10   --------   d-----w-   c:\program files (x86)\Microsoft SQL Server Compact Edition
2012-04-16 01:06 . 2012-03-08 22:40   48488   ----a-w-   c:\windows\system32\drivers\fssfltr.sys
2012-04-16 01:06 . 2012-04-16 01:12   --------   d-----w-   c:\program files (x86)\Windows Live
2012-04-16 01:05 . 2012-04-16 01:06   --------   d-----w-   c:\program files\Windows Live
2012-04-16 01:01 . 2009-09-04 21:44   69464   ----a-w-   c:\windows\SysWow64\XAPOFX1_3.dll
2012-04-16 01:01 . 2009-09-04 21:44   515416   ----a-w-   c:\windows\SysWow64\XAudio2_5.dll
2012-04-16 01:01 . 2009-09-04 21:29   453456   ----a-w-   c:\windows\SysWow64\d3dx10_42.dll
2012-04-16 01:01 . 2009-09-04 21:29   523088   ----a-w-   c:\windows\system32\d3dx10_42.dll
2012-04-16 01:00 . 2006-11-29 17:06   4398360   ----a-w-   c:\windows\system32\d3dx9_32.dll
2012-04-16 01:00 . 2006-11-29 17:06   3426072   ----a-w-   c:\windows\SysWow64\d3dx9_32.dll
2012-04-16 00:58 . 2009-08-04 08:12   1103872   ----a-w-   c:\windows\system32\webservices.dll
2012-04-16 00:58 . 2009-08-04 08:02   754688   ----a-w-   c:\windows\SysWow64\webservices.dll
2012-04-16 00:57 . 2012-04-16 00:57   7450888   ----a-w-   c:\program files (x86)\Common Files\Windows Live\.cache\d772ff881cd1b6b06\bingbarsetup.exe
2012-04-16 00:56 . 2012-04-16 00:56   15712   ----a-w-   c:\program files (x86)\Common Files\Windows Live\.cache\cfd579681cd1b6b05\MeshBetaRemover.exe
2012-04-16 00:56 . 2012-04-16 00:56   89944   ----a-w-   c:\program files (x86)\Common Files\Windows Live\.cache\cd3897081cd1b6b04\DSETUP.dll
2012-04-16 00:56 . 2012-04-16 00:56   537432   ----a-w-   c:\program files (x86)\Common Files\Windows Live\.cache\cd3897081cd1b6b04\DXSETUP.exe
2012-04-16 00:56 . 2012-04-16 00:56   1801048   ----a-w-   c:\program files (x86)\Common Files\Windows Live\.cache\cd3897081cd1b6b04\dsetup32.dll
2012-04-16 00:56 . 2012-04-16 00:56   94040   ----a-w-   c:\program files (x86)\Common Files\Windows Live\.cache\c9367f581cd1b6b03\DSETUP.dll
2012-04-16 00:56 . 2012-04-16 00:56   525656   ----a-w-   c:\program files (x86)\Common Files\Windows Live\.cache\c9367f581cd1b6b03\DXSETUP.exe
2012-04-16 00:56 . 2012-04-16 00:56   1691480   ----a-w-   c:\program files (x86)\Common Files\Windows Live\.cache\c9367f581cd1b6b03\dsetup32.dll
2012-04-16 00:56 . 2012-04-19 19:15   --------   d-----w-   c:\users\chris\AppData\Local\Windows Live
2012-04-14 04:00 . 2012-04-14 04:00   8766112   ----a-w-   c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-04-12 02:19 . 2012-03-06 06:44   4699520   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-04-12 02:19 . 2012-02-29 15:37   5632   ----a-w-   c:\windows\system32\wmi.dll
2012-04-12 02:19 . 2012-02-29 15:37   219136   ----a-w-   c:\windows\system32\wintrust.dll
2012-04-12 02:19 . 2012-02-29 15:35   78848   ----a-w-   c:\windows\system32\imagehlp.dll
2012-04-12 02:19 . 2012-02-29 15:11   5120   ----a-w-   c:\windows\SysWow64\wmi.dll
2012-04-12 02:19 . 2012-02-29 15:11   172032   ----a-w-   c:\windows\SysWow64\wintrust.dll
2012-04-12 02:19 . 2012-02-29 15:09   157696   ----a-w-   c:\windows\SysWow64\imagehlp.dll
2012-04-12 02:19 . 2012-02-29 13:52   16384   ----a-w-   c:\windows\system32\drivers\fs_rec.sys
2012-04-11 23:52 . 2012-03-01 11:01   2409784   ----a-w-   c:\program files (x86)\Windows Mail\OESpamFilter.dat
2012-04-11 23:52 . 2012-03-01 11:01   2409784   ----a-w-   c:\program files\Windows Mail\OESpamFilter.dat
2012-04-06 20:46 . 2012-04-06 20:46   --------   d-----w-   c:\program files\iPod
2012-04-06 20:46 . 2012-04-06 20:47   --------   d-----w-   c:\program files\iTunes
2012-04-04 05:53 . 2012-04-04 05:53   182160   ----a-w-   c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-21 18:53 . 2012-04-21 18:53   69000   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{BC69E862-9942-46B1-921B-9AD2DCEB3583}\offreg.dll   ERROR(0x00000005)
2012-04-16 01:05 . 2011-03-28 22:36   19352   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig600.dll   ERROR(0x00000005)
2012-04-14 04:01 . 2012-03-30 19:36   418464   ----a-w-   c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-14 04:01 . 2011-06-12 14:08   70304   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-13 08:46 . 2012-04-21 18:31   8917360   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{BC69E862-9942-46B1-921B-9AD2DCEB3583}\mpengine.dll   ERROR(0x00000005)
2012-04-13 08:46 . 2008-05-12 19:45   8917360   ------w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll   ERROR(0x00000005)
2012-04-04 19:56 . 2009-05-27 23:31   24904   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-03-14 03:27 . 2008-07-08 04:13   8669240   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll   ERROR(0x00000005)
2012-03-08 22:50 . 2012-03-08 22:50   49016   ----a-w-   c:\windows\SysWow64\sirenacm.dll
2012-03-08 22:37 . 2012-03-08 22:37   302448   ------w-   c:\windows\WLXPGSS.SCR
2012-02-23 14:18 . 2009-10-03 12:08   279656   ------w-   c:\windows\system32\MpSigStub.exe
2012-02-15 15:01 . 2012-02-15 15:01   52736   ----a-w-   c:\windows\system32\drivers\usbaapl64.sys
2012-02-15 15:01 . 2012-02-15 15:01   4547944   ----a-w-   c:\windows\system32\usbaaplrc.dll
2012-02-14 16:49 . 2012-03-14 19:50   327680   ----a-w-   c:\windows\system32\d3d10_1core.dll
2012-02-14 16:49 . 2012-03-14 19:50   196096   ----a-w-   c:\windows\system32\d3d10_1.dll
2012-02-14 15:45 . 2012-03-14 19:50   219648   ----a-w-   c:\windows\SysWow64\d3d10_1core.dll
2012-02-14 15:45 . 2012-03-14 19:50   160768   ----a-w-   c:\windows\SysWow64\d3d10_1.dll
2012-02-13 14:38 . 2012-03-14 19:50   2002944   ----a-w-   c:\windows\system32\d3d10warp.dll
2012-02-13 14:12 . 2012-03-14 19:50   1172480   ----a-w-   c:\windows\SysWow64\d3d10warp.dll
2012-02-13 14:06 . 2012-03-14 19:50   834048   ----a-w-   c:\windows\system32\d2d1.dll
2012-02-13 14:03 . 2012-03-14 19:50   1555968   ----a-w-   c:\windows\system32\DWrite.dll
2012-02-13 13:47 . 2012-03-14 19:50   683008   ----a-w-   c:\windows\SysWow64\d2d1.dll
2012-02-13 13:44 . 2012-03-14 19:50   1068544   ----a-w-   c:\windows\SysWow64\DWrite.dll
2012-02-07 15:02 . 2012-02-07 15:02   1070352   ----a-w-   c:\windows\SysWow64\MSCOMCTL.OCX
2012-02-02 15:34 . 2012-03-14 19:50   2765824   ----a-w-   c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((   SnapShot@2012-04-21_00.41.21   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 02:23 . 2012-04-30 23:23   84488              c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:45 . 2012-04-30 23:23   90170              c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-07-07 22:36 . 2012-04-30 23:23   17716              c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3968901160-2759726070-778273491-1000_UserData.bin
+ 2008-12-31 18:47 . 2009-07-08 19:00   55280              c:\windows\system32\drivers\PxHlpa64.sys
+ 2008-07-07 22:31 . 2012-04-30 19:58   16384              c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-07-07 22:31 . 2012-04-21 00:38   16384              c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-07-07 22:31 . 2012-04-21 00:38   32768              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-04-24 02:46 . 2012-04-30 19:58   32768              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-07-07 22:31 . 2012-04-21 00:38   16384              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-07-07 22:31 . 2012-04-30 19:58   16384              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-04-30 23:21 . 2012-04-30 23:21   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-04-21 00:40 . 2012-04-21 00:40   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-04-30 23:21 . 2012-04-30 23:21   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-04-21 00:40 . 2012-04-21 00:40   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2007-03-26 05:00 . 2009-03-24 08:01   100848              c:\windows\SysWOW64\vxblock.dll
+ 2008-07-09 16:28 . 2012-04-30 22:59   306212              c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-05 17:33 . 2012-04-27 02:24   262144              c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-07-05 17:33 . 2012-04-19 02:06   262144              c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2011-02-09 11:52 . 2012-04-30 23:20   341928              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-02-09 11:52 . 2012-04-18 20:37   341928              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-04-28 02:00 . 2012-04-28 02:00   897024              c:\windows\Installer\{6D172D0A-B9F1-4046-AFAB-8599288545BF}\SafariIco.exe
- 2010-08-14 05:57 . 2012-04-21 00:39   1645360              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2010-08-14 05:57 . 2012-04-28 17:41   1645360              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-05-08 04:36 . 2012-04-30 23:20   7459388              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3968901160-2759726070-778273491-1000-8192.dat
+ 2012-04-28 02:00 . 2012-04-28 02:00   3666432              c:\windows\Installer\1527c57.msi
+ 2011-05-08 04:36 . 2012-04-30 23:20   58548694              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3968901160-2759726070-778273491-1000-4096.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54   175912   ----a-w-   c:\program files (x86)\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{f999a48b-1950-4d81-9971-79018f807b4b}]
2011-01-17 14:54   175912   ----a-w-   c:\program files (x86)\FreeOnlineRadioPlayerRecorder\prxtbFre0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{f999a48b-1950-4d81-9971-79018f807b4b}"= "c:\program files (x86)\FreeOnlineRadioPlayerRecorder\prxtbFre0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{f999a48b-1950-4d81-9971-79018f807b4b}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-10-22 2363392]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-16 39408]
"ISUSPM"="c:\program files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"TomTomHOME.exe"="c:\program files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [2010-08-24 247144]
"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2012-02-23 59240]
"ApplePhotoStreams"="c:\program files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2012-02-24 59240]
"MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ButtonMonitor"="c:\program files (x86)\IOI\ButtonMonitor.exe" [2007-05-11 53248]
"RoxioDragToDisc"="c:\program files (x86)\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-11-15 1121016]
"RIMBBLaunchAgent.exe"="c:\program files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-10-24 273528]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-10-26 343168]
"PMBVolumeWatcher"="c:\program files (x86)\Sony\PMB\PMBVolumeWatcher.exe" [2010-11-27 648032]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
c:\users\chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2012-4-4 603536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 253088]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-10-22 23:55   451872   ----a-w-   c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 04:01]
.
2012-04-30 c:\windows\Tasks\Final Media Player Update Checker.job
- c:\program files (x86)\FinalMediaPlayer\FMPCheckForUpdates.exe [2011-07-03 20:50]
.
2012-04-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-16 00:46]
.
2012-04-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-02-16 16:24]
.
2012-04-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-02-16 16:24]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2007-12-17 5453824]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"LXBXCATS"="c:\windows\system32\spool\DRIVERS\x64\3\LXBXtime.dll" [2007-03-22 28672]
"lxbxmon.exe"="c:\program files (x86)\Lexmark 7100 Series\lxbxmon.exe" [2007-05-11 205744]
"EzPrint"="c:\program files (x86)\Lexmark 7100 Series\ezprint.exe" [2007-05-11 103344]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-01-26 1023416]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://espn.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5692
mLocal Page = c:\windows\SYSTEM32\blank.htm
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.3/GarminAxControl.CAB
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{F999A48B-1950-4D81-9971-79018F807B4B} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Nico Mak Computing\WinZip]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe
c:\program files (x86)\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe
.
**************************************************************************
.
Completion time: 2012-04-30  19:29:47 - machine was rebooted
ComboFix-quarantined-files.txt  2012-04-30 23:29
ComboFix2.txt  2012-04-21 19:29
ComboFix3.txt  2012-04-21 17:31
ComboFix4.txt  2012-04-21 00:50
.
Pre-Run: 142,140,698,624 bytes free
Post-Run: 142,140,289,024 bytes free
.
- - End Of File - - 4F8B34A99FDCF17D3025C83154A461C5
Logged
« Reply #9 on: April 30, 2012, 23:17:24 »
dvk01 Offline
Administrator WWW
Karma: 6
Posts: 308
please go to c:\qoobox and find ComboFix-quarantined-files.txt attach that here or post its contents please so I can check something

Logged
Derek
Microsoft MVP/Consumer Security
The Spykiller | Security and Privacy | Hedgehog Rescue
« Reply #10 on: May 01, 2012, 18:29:23 »
Cgolf1 Offline
Jr. Member

 **

Karma: 0
Posts: 89
Here it is:
Logged
« Reply #11 on: May 02, 2012, 13:22:33 »
dvk01 Offline
Administrator WWW
Karma: 6
Posts: 308
it looks like combofix has erroneously deleted one file it shouldn't have done
we can restore that using this


Download the attached CFScript.txt  and save it to your  desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press SAVE and choose desktop  in the list of selections in that window & press save)

Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished

Close any open browsers
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

 



 

This will start ComboFix again and restore the file that was placed in quarantine  Post the contents of the combofix-dequarantine.txt in your next reply .


Note: these instructions and script were created specifically for this user.  If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum
 
Logged
Derek
Microsoft MVP/Consumer Security
The Spykiller | Security and Privacy | Hedgehog Rescue
« Reply #12 on: May 02, 2012, 15:47:28 »
Cgolf1 Offline
Jr. Member

 **

Karma: 0
Posts: 89

Dequarantine.txt:


C:\Qoobox\Quarantine\C\Windows\SysWOW64\URTTEMP\regtlib.exe.vir -> C:\Windows\SysWOW64\URTTEMP\regtlib.exe
Logged
« Reply #13 on: May 02, 2012, 23:01:13 »
dvk01 Offline
Administrator WWW
Karma: 6
Posts: 308
you should be fine now so
*Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
*  Click START then RUN
*  Now type Combofix /Uninstall in the runbox  and click OK.  Note the space between the X and the /U, it needs to be there.


This will also purge the restore folder and clear any malware that has been put in there. Now Empty Recycle bin on desktop Then reboot.

go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

and scan here http://secunia.com/vulnerability_scanning/online/ for out of date & vulnerable common applications on your computer and update whatever it suggests

Then pay an urgent visit to windows update & make sure you are fully updated,  that will help to plug the security holes that let these pests on in the first place. If windows update doesn't work, please come back & tell us
Logged
Derek
Microsoft MVP/Consumer Security
The Spykiller | Security and Privacy | Hedgehog Rescue
 
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by SMF 1.1.18 | SMF © 2013, Simple Machines Page created in 0.231 seconds with 20 queries.