mg555
Re: Fake Windows Security Message

#5 - Mar 4th, 2008
My computer's going nuts -- it took me several tries to run ComboFix; I finally had to go through Safe Mode to get a log. It now crashes "explorer.exe" after like 10-20 minutes of using the computer, and I'm left with just a blank desktop screen. And CTRL+ALT+DEL is "disabled by the administrator".

I'm trying to get an HJT log, if my computer stops being so fussy. Here's the log CF spit out; the fake security message is still popping up:

-------------

ComboFix 08-03-01 - Administrator 2008-03-04 0:43:21.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.778 [GMT -5:00]
Running from: C:\Documents and Settings\Mahmood\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.exe
C:\WINDOWS\aconti.ini
C:\WINDOWS\aconti.log
C:\WINDOWS\aconti.sdb
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\default.htm
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.

2008-02-29 21:38 . 2008-03-03 23:52 5,120 --a------ C:\Documents and Settings\LocalService\ftpdll.dll
2008-02-29 14:05 . 2008-02-29 14:05 78,336 --a------ C:\WINDOWS\system32\rxjddnvj.exe
2008-02-29 14:05 . 2008-02-29 17:06 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-02-28 14:04 . 2008-02-28 14:04 18,026 ---hs---- C:\WINDOWS\system32\drivers\spools.exe
2008-02-28 14:04 . 2008-03-03 23:52 5,120 --a------ C:\WINDOWS\system32\ftpdll.dll
2008-02-28 14:04 . 2008-03-03 23:52 5,120 --a------ C:\Documents and Settings\Mahmood\ftpdll.dll
2008-02-28 02:39 . 2008-02-28 02:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-02-28 02:32 . 2008-02-28 02:41 3,826 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-28 01:16 . 2008-03-03 23:52 5,632 --ahs---- C:\WINDOWS\system32\mswfp.dll
2008-02-27 23:56 . 2008-02-27 23:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-27 23:56 . 2008-02-28 00:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-27 23:45 . 2008-02-27 23:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-22 07:11 . 2004-08-04 07:00 24,576 --a------ C:\WINDOWS\system32\userini.exe
2008-02-22 07:11 . 2008-02-22 07:11 16,384 --a------ C:\Documents and Settings\Mahmood\~.exe
2008-02-19 08:05 . 2008-02-19 08:05 <DIR> d-------- C:\Program Files\Orbit Downloader
2008-02-19 08:05 . 2008-03-03 21:01 <DIR> d-------- C:\Documents and Settings\Mahmood\Application Data\Orbit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 04:53 --------- d-----w C:\Documents and Settings\Mahmood\Application Data\OpenOffice.org2
2008-02-29 00:03 --------- d-----w C:\Program Files\uTorrent
2008-02-27 21:47 --------- d-----w C:\Documents and Settings\Mahmood\Application Data\uTorrent
2008-02-22 12:11 16,384 ----a-w C:\WINDOWS\system32\userinit.exe
2008-02-22 12:11 16,384 ----a-w C:\Documents and Settings\Mahmood\~.exe
2008-02-20 05:59 --------- d-----w C:\Documents and Settings\Mahmood\Application Data\dvdcss
2008-02-07 23:39 --------- d-----w C:\Documents and Settings\Mahmood\Application Data\U3
2008-02-06 22:39 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-05 20:57 --------- d-----w C:\Program Files\Western Digital Technologies
2008-01-04 22:18 --------- d-----w C:\Program Files\Skype
2008-01-04 22:18 --------- d-----w C:\Program Files\RM Converter
2008-01-04 22:18 --------- d-----w C:\Program Files\Real
2008-01-04 22:17 --------- d-----w C:\Program Files\PeerGuardian2
2008-01-04 22:16 --------- d-----w C:\Program Files\Cheat Engine
2007-12-07 04:38 18,074,624 ----a-w C:\VeohSetup-3.7.1.1044.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-07-30 10:28 0 ----a-w C:\Program Files\license.dat
2007-09-26 17:05 16,487 --sh--w C:\WINDOWS\system32\helped.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-03-04 11:26 606208]
"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 11:33 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-04-25 09:28 77824]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59 385024]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 09:02 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 09:02 126976]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 16:34 213936]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-02-13 13:29 35328]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-20 20:06 185896]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-06-12 09:36 151552]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-04 09:33 282624]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 22:24 620152]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2003-12-15 13:36 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2003-12-15 13:37 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2003-12-15 13:38 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2003-12-15 13:38 455168]

C:\Documents and Settings\Mahmood\Start Menu\Programs\Startup\
FileBox eXtender.lnk - C:\Program Files\FileBX\FileBX.exe [2007-08-22 18:50:28 512000]
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 15:54:56 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SleepApp"= {C315CF32-135F-3112-31AC-F611D777C63D} - C:\WINDOWS\system32\sleep32.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Documents and Settings\\Mahmood\\My Documents\\Downloads\\Age of Empires 2 & Expansion\\age2_x1.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Documents and Settings\\Mahmood\\My Documents\\Downloads\\Age of Empires 2 & Expansion\\empires2.exe"=
"C:\\Program Files\\Maple 10\\jre\\bin\\maple.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Documents and Settings\\Mahmood\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\WINDOWS\\system32\\helped.exe"=
"C:\\Program Files\\Orbit Downloader\\orbitdm.exe"=
"C:\\Program Files\\Orbit Downloader\\orbitnet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"47624:TCP"= 47624:TCP:Age of Empires 2
"53695:TCP"= 53695:TCP:uTorrent
"55543:TCP"= 55543:TCP:UTorrent

R3 NeroCd2k;NeroCd2k;C:\WINDOWS\system32\drivers\NeroCd2k.sys [2001-04-16 05:54]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-18 20:37:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 00:46:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-03-04 0:48:21
ComboFix-quarantined-files.txt 2008-03-04 05:47:28
ComboFix2.txt 2008-03-04 05:40:04
.
2008-02-13 08:15:58 --- E O F ---