TechSpot

Trojan.FakeAV!gen29

By Per Hansson
Jan 5, 2011
  1. Hi, I have a computer with a virus problem, it was displaying some advertising popups etc on random, I tried to find what was wrong but to be honest I'm not fidining anything, hoping you with more experience will be able to help :)

    I've got Symantec Corporate Antivirus, it's finding viruses named "Trojan.FakeAV!gen29"
    I delete them but then they come back after a little while again.
    Two files are named Gcc.exe and Gcg.exe, they are put in the Temp dir, another is called Gsebaa.exe and is put in the Windows root directory

    I've tried running both the zipped and randomly named GMER but it always comes up with an empty logfile, I'm not sure why...
    I've tried to also do the full scan which took very long time but it too said it found nothing... OS is Win7 x64 with all updates applied.


    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org


    Database version: 5464

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    2011-01-05 16:07:19
    mbam-log-2011-01-05 (16-07-19).txt

    Scan type: Quick scan
    Objects scanned: 152007
    Time elapsed: 1 minute(s), 19 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\4RBPZMXX4S (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\JP595IR86O (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)





    DDS (Ver_10-12-12.02) - NTFS_AMD64
    Run by Anders at 16:22:47,21 on 2011-01-05
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.46.1033.18.3839.2550 [GMT 1:00]

    AV: SymantecAntiVirus *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: SymantecAntiVirus *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskhost.exe
    C:\PROGRA~2\APC\POWERC~1\agent\pbeagent.exe
    C:\PROGRA~2\APC\POWERC~1\server\PBESER~1.EXE
    C:\Program Files (x86)\Symantec AntiVirus\DefWatch.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files (x86)\Symantec AntiVirus\VPTray.exe
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
    C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\SysWOW64\NOTEPAD.EXE
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Anders\Downloads\Appz\Malware Scan Tools\dds.scr
    C:\Windows\system32\conhost.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.se/
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    mRun: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
    mRun: [vptray] C:\PROGRA~2\SYMANT~1\VPTray.exe
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BANKID~1.LNK - C:\Program Files (x86)\Personal\bin\Personal.exe
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\WDDMST~1.LNK - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xportera till Microsoft Excel - C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

    ================= FIREFOX ===================

    FF - ProfilePath - C:\Users\Anders\AppData\Roaming\Mozilla\Firefox\Profiles\kfc37tzv.default\
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdjvu.dll
    FF - plugin: C:\Program Files (x86)\Personal\bin\np_prsnl.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Netcraft Anti-Phishing Toolbar: {0e10f3d7-07f6-4f12-97b9-9b27e07139a5} - %profile%\extensions\{0e10f3d7-07f6-4f12-97b9-9b27e07139a5}

    ============= SERVICES / DRIVERS ===============

    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-8-18 203264]
    R2 APCPBEAgent;APC PBE Agent;C:\PROGRA~2\APC\POWERC~1\agent\pbeagent.exe [2010-2-25 28672]
    R2 APCPBEServer;APC PBE Server;C:\PROGRA~2\APC\POWERC~1\server\PBESER~1.EXE [2010-2-25 45134]
    R2 SSPORT;SSPORT;C:\Windows\System32\drivers\SSPORT.SYS [2009-11-29 11576]
    R2 Symantec AntiVirus;Symantec AntiVirus;C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe [2009-9-16 1961768]
    R2 WDDMService;WDDMService;C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2010-11-8 288256]
    R2 WDFME;WD File Management Engine;C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [2010-11-8 1060352]
    R2 WDSC;WD File Management Shadow Engine;C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [2010-11-8 485376]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-6-11 132656]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-8-20 239616]
    R3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2009-2-13 14464]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 ivusb;Initio Driver for USB Default Controller;C:\Windows\System32\drivers\ivusb.sys [2010-3-10 29720]
    S3 WatAdminSvc;Aktiveringsteknologier för Windows-tjänst;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-6-23 1255736]

    =============== Created Last 30 ================

    2011-01-05 15:03:07 -------- d-----w- C:\Users\Anders\AppData\Roaming\Malwarebytes
    2011-01-05 15:03:03 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
    2011-01-05 15:03:03 -------- d-----w- C:\PROGRA~3\Malwarebytes
    2011-01-05 15:03:00 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-01-05 15:03:00 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-01-05 14:40:17 -------- d-----w- C:\Program Files\Western Digital
    2011-01-05 12:32:44 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
    2011-01-05 12:32:44 -------- d-----w- C:\PROGRA~3\Spybot - Search & Destroy
    2011-01-05 12:11:30 -------- d-----w- C:\Program Files (x86)\ProExp
    2010-12-15 03:25:17 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2010-12-15 03:25:17 2048 ----a-w- C:\Windows\System32\tzres.dll

    ==================== Find3M ====================

    2010-11-12 17:53:06 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
    2010-11-04 06:35:53 1194496 ----a-w- C:\Windows\System32\wininet.dll
    2010-11-04 06:31:34 57856 ----a-w- C:\Windows\System32\licmgr10.dll
    2010-11-04 05:52:17 978944 ----a-w- C:\Windows\SysWow64\wininet.dll
    2010-11-04 05:48:36 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
    2010-11-04 05:16:14 482816 ----a-w- C:\Windows\System32\html.iec
    2010-11-04 04:41:26 386048 ----a-w- C:\Windows\SysWow64\html.iec
    2010-11-04 04:35:37 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
    2010-11-04 04:08:54 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2010-11-02 05:18:17 524288 ----a-w- C:\Windows\System32\wmicmiplugin.dll
    2010-11-02 05:17:38 473600 ----a-w- C:\Windows\System32\taskcomp.dll
    2010-11-02 05:17:38 1169408 ----a-w- C:\Windows\System32\taskschd.dll
    2010-11-02 05:16:53 1114624 ----a-w- C:\Windows\System32\schedsvc.dll
    2010-11-02 05:10:47 464384 ----a-w- C:\Windows\System32\taskeng.exe
    2010-11-02 05:10:32 285696 ----a-w- C:\Windows\System32\schtasks.exe
    2010-11-02 04:40:36 496128 ----a-w- C:\Windows\SysWow64\taskschd.dll
    2010-11-02 04:40:36 305152 ----a-w- C:\Windows\SysWow64\taskcomp.dll
    2010-11-02 04:34:44 192000 ----a-w- C:\Windows\SysWow64\taskeng.exe
    2010-11-02 04:34:33 179712 ----a-w- C:\Windows\SysWow64\schtasks.exe
    2010-10-20 05:20:01 46080 ----a-w- C:\Windows\System32\atmlib.dll
    2010-10-20 04:54:18 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
    2010-10-20 03:09:15 3124224 ----a-w- C:\Windows\System32\win32k.sys
    2010-10-20 03:05:46 367104 ----a-w- C:\Windows\System32\atmfd.dll
    2010-10-20 02:58:41 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll
    2010-10-16 05:23:13 112000 ----a-w- C:\Windows\System32\consent.exe
    2010-10-16 05:19:41 395776 ----a-w- C:\Windows\System32\webio.dll
    2010-10-16 04:36:10 314368 ----a-w- C:\Windows\SysWow64\webio.dll

    ============= FINISH: 16:23:03,34 ===============





    DDS (Ver_10-12-12.02)

    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2009-11-28 17:43:33
    System Uptime: 2011-01-05 16:00:48 (0 hours ago)

    Motherboard: ASUSTeK Computer INC. | | M4A785TD-M EVO
    Processor: AMD Phenom(tm) II X2 550 Processor | AM3 | 3100/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 74 GiB total, 30,127 GiB free.
    D: is CDROM (CDFS)
    E: is CDROM (UDF)
    F: is FIXED (NTFS) - 465 GiB total, 441,805 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP91: 2010-12-16 03:00:12 - Windows Update
    RP92: 2010-12-24 00:00:01 - Scheduled Checkpoint
    RP93: 2011-01-01 00:00:01 - Scheduled Checkpoint
    RP94: 2011-01-05 14:25:53 - Installed Java(TM) 6 Update 23
    RP95: 2011-01-05 15:39:04 - Installed WD Software Upgrader

    ==== Installed Programs ======================

    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.1 - Svenska
    APC PowerChute Business Edition Agent
    APC PowerChute Business Edition Console
    APC PowerChute Business Edition Server
    Apple Application Support
    Apple Software Update
    BankID säkerhetsprogram 4.10.4
    Brother P-touch Editor 5.0
    Compatibility Pack för Office 2007-systemet
    EssentialPIM Pro
    ImgBurn
    IrfanView (remove only)
    Java Auto Updater
    Java(TM) 6 Update 23
    Junk Mail filter update
    LiveUpdate 3.3 (Symantec Corporation)
    Lizardtech DjVu-kontroll
    Malwarebytes' Anti-Malware
    Microsoft Choice Guard
    Microsoft Office Professional Edition 2003
    Mozilla Firefox (3.6.13)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    QuickTime
    Realtek 8136 8168 8169 Ethernet Driver
    Samsung CLX-6240 Series
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Spelling Dictionaries Support For Adobe Reader 9
    Spybot - Search & Destroy
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live inloggningsassistenten
    Windows Live Mail
    Windows Live Upload Tool
    Visma Fakturering
    VLC media player 1.0.3

    ==== End Of File ===========================
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to V&M, Per. I'll help with the malware problem.
    First, you should know that the Trojan.FakeAV!gen29 is a heuristic detection used to detect threats associated with the Trojan.FakeAV. family. Basically, this means that the malware has 'traits' that profile the FakeAV family, but this isn't specific.

    You should also be aware that the 'fake alert' malware does just as it's named: it's issues fake alerts to try and get the user to click on their program to remove the 'malware' and of course, at a cost. So please don't be deceived into acting on any of these 'alerts.'

    Are you having any other system problems in addition to the advertising popups? And are these popups the same or recommending the same product or site?

    Let's try and see if we can come up with a more specific malware name:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ==========================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
      [​IMG]
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [​IMG]
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • .Close any open browsers.
    • .Double click combofix.exe[​IMG] & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =======================================
    It is also important that you do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    Don't worry about GMER for now- evidence of a rootkit, if present, should show up in the Combofix log.
     
  3. Per Hansson

    Per Hansson TS Server Guru Topic Starter Posts: 1,929   +186

    Hi Bobbye and thanks for your quick reply!
    I ran the online antivirus scanner and it found no viruses, there was no logfile created in it's folder so I can't attach that...
    ComboFix log is attached below, it asked me to update which I did.
    A process named "pev.cfxxe" crashed 3 or 4 times during ComboFix scanning procedure!


    ComboFix 11-01-05.01 - Anders 2011-01-05 20:24:08.1.2 - x64
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.46.1033.18.3839.2289 [GMT 1:00]
    Körs från: c:\users\Anders\Downloads\Appz\Malware Scan Tools\ComboFix.exe
    AV: SymantecAntiVirus *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    SP: SymantecAntiVirus *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    (((((((((((((((((((((((( Filer Skapade från 2010-12-05 till 2011-01-05 ))))))))))))))))))))))))))))))
    .

    2011-01-05 19:25 . 2011-01-05 19:25 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-01-05 18:10 . 2011-01-05 18:10 -------- d-----w- c:\program files (x86)\ESET
    2011-01-05 15:03 . 2011-01-05 15:03 -------- d-----w- c:\users\Anders\AppData\Roaming\Malwarebytes
    2011-01-05 15:03 . 2011-01-05 15:03 -------- d-----w- c:\programdata\Malwarebytes
    2011-01-05 15:03 . 2010-12-20 17:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-01-05 15:03 . 2011-01-05 15:03 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-01-05 14:40 . 2011-01-05 14:40 -------- d-----w- c:\users\Default\AppData\Local\Western Digital
    2011-01-05 14:40 . 2011-01-05 14:40 -------- d-----w- c:\program files\Western Digital
    2011-01-05 13:26 . 2011-01-05 13:26 -------- d-----w- c:\program files (x86)\Common Files\Java
    2011-01-05 13:23 . 2011-01-05 13:23 -------- d-----w- c:\program files (x86)\Common Files\Adobe
    2011-01-05 12:32 . 2011-01-05 12:56 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-01-05 12:32 . 2011-01-05 12:36 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
    2011-01-05 12:11 . 2011-01-05 12:16 -------- d-----w- c:\program files (x86)\ProExp
    2010-12-15 03:25 . 2010-10-27 04:32 2048 ----a-w- c:\windows\SysWow64\tzres.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-12 17:53 . 2010-07-14 14:45 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    .

    (((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Not* Tomma poster & legitima standardposter visas inte.
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2009-05-04 115560]
    "vptray"="c:\progra~2\SYMANT~1\VPTray.exe" [2009-09-16 136080]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-09-20 421888]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    BankID s„kerhetsprogram.lnk - c:\program files (x86)\Personal\bin\Personal.exe [2009-11-28 939920]
    WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-11-8 4236288]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 GPU-Z;GPU-Z;c:\users\Anders\AppData\Local\Temp\GPU-Z.sys [x]
    R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [2010-03-10 29720]
    R3 MTK;Media Technology Kernel Driver;c:\windows\system32\Drivers\mtk.sys [x]
    R3 WatAdminSvc;Aktiveringsteknologier för Windows-tjänst;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-23 1255736]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 203264]
    S2 APCPBEAgent;APC PBE Agent;c:\progra~2\APC\POWERC~1\agent\pbeagent.exe [2006-08-22 28672]
    S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2009-03-02 11576]
    S2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2010-11-08 288256]
    S2 WDFME;WD File Management Engine;c:\program files (x86)\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [2010-11-08 1060352]
    S2 WDSC;WD File Management Shadow Engine;c:\program files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [2010-11-08 485376]
    S3 dc3d;MS Hardware Device Detection Driver (HID);c:\windows\system32\DRIVERS\dc3d.sys [2010-04-16 27536]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 132656]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-20 239616]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2009-02-13 14464]

    .

    --------- x86-64 -----------


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Extra genomsökning -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.se/
    mLocal Page = c:\windows\SYSTEM32\blank.htm
    IE: E&xportera till Microsoft Excel - c:\progra~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Anders\AppData\Roaming\Mozilla\Firefox\Profiles\kfc37tzv.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Netcraft Anti-Phishing Toolbar: {0e10f3d7-07f6-4f12-97b9-9b27e07139a5} - %profile%\extensions\{0e10f3d7-07f6-4f12-97b9-9b27e07139a5}
    .
    .
    --------------------- LÅSTA REGISTERNYCKLAR ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Sluttid: 2011-01-05 20:27:43
    ComboFix-quarantined-files.txt 2011-01-05 19:27

    Före genomsökningen: 31*524*569*088 byte ledigt
    Efter genomsökningen: 30*842*556*416 byte ledigt

    - - End Of File - - E2419B4A5002659F57FB3235AA1F28FF
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:[Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\system32\Drivers\mtk.sys
    c:\users\Anders\AppData\Local\Temp\GPU-Z.sys
    
    Extra::
    File::
    c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    Firefox::
    Firefox-: - Profile - c:\users\Anders\AppData\Roaming\Mozilla\Firefox\Profiles\kfc37tzv.default\
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    
    RegLock::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    
    Driver::
    GPU-Z
    MTK
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Per, do you have any browser pages or tabs set to open blank?

    Regarding the processes that Symantic is calling Trojan.FakrAV!gen29:
    1. gcc.exe is a LinkSys Wireless LAN Helper
    2. GCG.EXE is described as Cloaked Malware by Prevx. But I don't see any indication of what it does on a system in your logs.
    3. But there is also a gcg.exe software package for SeqWeb 2.1 which is not malware.
    (http://www.hsc.wvu.edu/its/NetworkTelecom/Applications/WisconsinPkg/GeneralFAQS.aspx)
    4. There is also a Gcg Game Code Generator, not malware.
    5. Gsebaa appears to be related to LiquidPoker.

    So- are these entries related to any malware and why do they appear in the temp directory? The online virus scan is clean so unless you can give me more information such as the line from the Symantec AV log, I can't remove it.

    The Registry keys appear to have been cleaned in Mbam because they don't show up in Combofix- unless one of the licked keys comes up with it. I'll know that after you run the script and I see the log that is generated.
     
  5. Per Hansson

    Per Hansson TS Server Guru Topic Starter Posts: 1,929   +186

    Hi, I tried running the script however after reboot Symantec Corporate Antivirus could no longer be enabled, I got an error message from it saying that the registry was locked and to try it in admin mode instead...

    So I restored the system using the restore point created by ComboFix...
    I think the registry keys and files listed in that script are not dangerous anyway?
    I have not seen any more problems with the computer after the last fix 2 days ago (take on wood)
    Thank you for your help!

    Btw, here is the log from combofix, of course this has now been reverted by the restore point
    Also of note is that this time too the process "pev.cfxxe" crashed 4 times when ComboFix was running...

    Code:
    ComboFix 11-01-05.01 - Anders 2011-01-08  12:26:29.2.2 - x64
    Microsoft Windows 7 Ultimate   6.1.7600.0.1252.46.1033.18.3839.2333 [GMT 1:00]
    Körs från: c:\users\Anders\Downloads\Appz\Malware Scan Tools\ComboFix.exe
    Använda kommandoväxlar :: c:\users\Anders\Downloads\Appz\Malware Scan Tools\CFScript.txt
    AV: SymantecAntiVirus *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    SP: SymantecAntiVirus *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
     * Skapade en ny återställningspunkt
    
    FILE ::
    "c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}"
    "c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}"
    "c:\users\Anders\AppData\Local\Temp\GPU-Z.sys"
    "c:\windows\system32\Drivers\mtk.sys"
    .
    
    (((((((((((((((((((((((((((((((((((((((   Andra raderingar   ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    
    .
    (((((((((((((((((((((((((((((((((((((((   Drivrutiner/Tjänster   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    
    -------\Legacy_GPU-Z
    -------\Service_GPU-Z
    -------\Service_MTK
    
    
    ((((((((((((((((((((((((   Filer Skapade från 2010-12-08 till 2011-01-08  ))))))))))))))))))))))))))))))
    .
    
    2011-01-05 19:17 . 2011-01-05 19:18	--------	d-----w-	c:\users\Anders\AppData\Local\Microsoft Games
    2011-01-05 15:03 . 2011-01-05 15:03	--------	d-----w-	c:\users\Anders\AppData\Roaming\Malwarebytes
    2011-01-05 15:03 . 2011-01-05 15:03	--------	d-----w-	c:\programdata\Malwarebytes
    2011-01-05 15:03 . 2010-12-20 17:09	38224	----a-w-	c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-01-05 15:03 . 2011-01-05 15:03	--------	d-----w-	c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-01-05 14:40 . 2011-01-05 14:40	--------	d-----w-	c:\users\Default\AppData\Local\Western Digital
    2011-01-05 14:40 . 2011-01-05 14:40	--------	d-----w-	c:\program files\Western Digital
    2011-01-05 13:26 . 2011-01-05 13:26	--------	d-----w-	c:\program files (x86)\Common Files\Java
    2011-01-05 13:23 . 2011-01-05 13:23	--------	d-----w-	c:\program files (x86)\Common Files\Adobe
    2011-01-05 12:32 . 2011-01-05 12:56	--------	d-----w-	c:\programdata\Spybot - Search & Destroy
    2011-01-05 12:32 . 2011-01-05 12:36	--------	d-----w-	c:\program files (x86)\Spybot - Search & Destroy
    2011-01-05 12:11 . 2011-01-05 12:16	--------	d-----w-	c:\program files (x86)\ProExp
    2010-12-15 03:25 . 2010-10-27 04:32	2048	----a-w-	c:\windows\SysWow64\tzres.dll
    
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Rapport   )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-12 17:53 . 2010-07-14 14:45	472808	----a-w-	c:\windows\SysWow64\deployJava1.dll
    .
    
    (((((((((((((((((((((((((((((   SnapShot@2011-01-05_19.25.59   )))))))))))))))))))))))))))))))))))))))))
    .
    - 2009-07-14 04:54 . 2011-01-05 19:13	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:54 . 2011-01-08 04:00	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-07-14 04:54 . 2011-01-05 19:13	32768              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2011-01-08 04:00	32768              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2011-01-08 04:00	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:54 . 2011-01-05 19:13	16384              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-11-28 17:40 . 2011-01-05 22:39	28594              c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2011-01-05 22:39	36420              c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    - 2009-07-14 05:10 . 2011-01-05 17:06	36420              c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    - 2009-11-28 16:54 . 2011-01-05 17:04	16384              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-11-28 16:54 . 2011-01-08 11:29	16384              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-11-28 16:54 . 2011-01-05 17:04	32768              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-11-28 16:54 . 2011-01-08 11:29	32768              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-11-28 16:54 . 2011-01-05 17:04	16384              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-11-28 16:54 . 2011-01-08 11:29	16384              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-11-28 17:17 . 2011-01-08 11:29	16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-11-28 17:17 . 2011-01-05 17:04	16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-11-28 17:17 . 2011-01-08 11:29	16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-11-28 17:17 . 2011-01-05 17:04	16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-11-28 17:18 . 2011-01-05 22:39	6328              c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3047995339-1605019612-1699802844-1001_UserData.bin
    + 2011-01-08 11:29 . 2011-01-08 11:29	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2011-01-05 17:04 . 2011-01-05 17:04	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-01-08 11:29 . 2011-01-08 11:29	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2011-01-05 17:04 . 2011-01-05 17:04	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2009-11-28 18:01 . 2011-01-05 22:42	625500              c:\windows\system32\perfh01D.dat
    - 2009-11-28 18:01 . 2011-01-05 17:08	625500              c:\windows\system32\perfh01D.dat
    - 2009-07-14 02:36 . 2011-01-05 17:08	615810              c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2011-01-05 22:42	615810              c:\windows\system32\perfh009.dat
    + 2009-11-28 18:01 . 2011-01-05 22:42	123668              c:\windows\system32\perfc01D.dat
    - 2009-11-28 18:01 . 2011-01-05 17:08	123668              c:\windows\system32\perfc01D.dat
    - 2009-07-14 02:36 . 2011-01-05 17:08	106190              c:\windows\system32\perfc009.dat
    + 2009-07-14 02:36 . 2011-01-05 22:42	106190              c:\windows\system32\perfc009.dat
    + 2011-01-05 15:00 . 2011-01-05 22:37	162400              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    - 2011-01-05 15:00 . 2011-01-05 17:01	162400              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    - 2009-07-14 02:34 . 2011-01-05 16:37	10223616              c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
    + 2009-07-14 02:34 . 2011-01-07 19:33	10223616              c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
    .
    ((((((((((((((((((((((((((((((((((   Startpunkter i registret   )))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Not*  Tomma poster & legitima standardposter visas inte. 
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2009-05-04 115560]
    "vptray"="c:\progra~2\SYMANT~1\VPTray.exe" [2009-09-16 136080]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-09-20 421888]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    BankID s„kerhetsprogram.lnk - c:\program files (x86)\Personal\bin\Personal.exe [2009-11-28 939920]
    WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-11-8 4236288]
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [2010-03-10 29720]
    R3 WatAdminSvc;Aktiveringsteknologier för Windows-tjänst;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-23 1255736]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 203264]
    S2 APCPBEAgent;APC PBE Agent;c:\progra~2\APC\POWERC~1\agent\pbeagent.exe [2006-08-22 28672]
    S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2009-03-02 11576]
    S2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2010-11-08 288256]
    S2 WDFME;WD File Management Engine;c:\program files (x86)\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [2010-11-08 1060352]
    S2 WDSC;WD File Management Shadow Engine;c:\program files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [2010-11-08 485376]
    S3 dc3d;MS Hardware Device Detection Driver (HID);c:\windows\system32\DRIVERS\dc3d.sys [2010-04-16 27536]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 132656]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-20 239616]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2009-02-13 14464]
    
    .
    
    --------- x86-64 -----------
    
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "combofix"="c:\combofix\CF10517.cfxxe" [X]
    .
    ------- Extra genomsökning -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.se/
    mLocal Page = c:\windows\SYSTEM32\blank.htm
    IE: E&xportera till Microsoft Excel - c:\progra~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Anders\AppData\Roaming\Mozilla\Firefox\Profiles\kfc37tzv.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Netcraft Anti-Phishing Toolbar: {0e10f3d7-07f6-4f12-97b9-9b27e07139a5} - %profile%\extensions\{0e10f3d7-07f6-4f12-97b9-9b27e07139a5}
    .
    .
    --------------------- LÅSTA REGISTERNYCKLAR ---------------------
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
    "ThreadingModel"="Apartment"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
    "ThreadingModel"="Apartment"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    ------------------------ Andra processer som körs ------------------------
    .
    c:\program files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
    c:\progra~2\APC\POWERC~1\server\PBESER~1.EXE
    c:\program files (x86)\Symantec AntiVirus\DefWatch.exe
    c:\program files (x86)\Symantec AntiVirus\Rtvscan.exe
    c:\program files (x86)\Symantec AntiVirus\VPTray.exe
    .
    **************************************************************************
    .
    Sluttid: 2011-01-08  12:31:19 - datorn startades om.
    ComboFix-quarantined-files.txt  2011-01-08 11:31
    
    Före genomsökningen: 32*687*841*280 byte ledigt
    Efter genomsökningen: 32*202*153*984 byte ledigt
    
    - - End Of File - - 74F99AB6FADC0F32D04C3EECFD44BD72
    
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry to hear you did a System Restore. That is not wise to do while cleaning as often malware removed from the system resides in a restore point. As long as that particular restore point isn't used (no way to tell easily) it will not reinfect the system.. We have old restore points dropped at end of cleaning.

    Many are getting the "pev.cfxxe" error message. The most common cause right now is a rootkit and many have this on the system. It can sometimes also be caused by an active security system.

    Please tell me how you want to proceed. If you feel your problem has been resolved>>>>
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [​IMG]
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      [*]Choose Disc Cleanup
      [*]Click "OK" to select the partition or drive you want.
      [*]Click the "More Options" Tab.
      [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
     
  7. Per Hansson

    Per Hansson TS Server Guru Topic Starter Posts: 1,929   +186

    Okay, the restore point I used was the one created by ComboFix at the time I ran it.
    I did not know what kind of registry key it was that we deleted (d-word, string etc) otherwise I would just have created it manually but since I didn't know what type it was I felt it better to do a restore...

    How can I troubleshoot the "pev.cfxxe" error?
    I tried googling it but not much info comes up, what kind of rootkit could cause it? (Note that Symantec Corporate Antivirus was disabled at the time of ComboFix running and "pev.cfxxe" crashing).
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Well you see first hand that I do loos a thread occasionally! Sorry about that.

    C:\Combo Fix\pev.cfxxe <--Is a part of combofix. If you have not uninstalled Combofix, try the scan again and see if it will run. I have also done searches on 'pev.cfxxe' to determine cause and resolution but like you, not much came up. It ran for you initially- were you logged on under the same account when you went to do the script?
     
  9. Per Hansson

    Per Hansson TS Server Guru Topic Starter Posts: 1,929   +186

    Hi Bobbye, no worries in the reply time :)
    As I wrote in my initial post I got the pev.cfxxe error then too...
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Per, do a search for Combofix.exe IF you find it, do a right click> Delete.
    You can try Combofix again and see if that makes the difference.

    Do you feel there is any malware on the system?
     
  11. Per Hansson

    Per Hansson TS Server Guru Topic Starter Posts: 1,929   +186

    Hi Bobbye, I think the system is clean.
    I will be going on a business trip for a week now so will not have time to look into this more right now
    I think you can put this topic as solved :)

    Thank you!
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thanks for the update Per.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...