Problem is I'm not on secure mode on a financial site



Guy19550
2011-09-26, 15:28
Last time, the bank said to me: do the Windows update. The problem was the same as now, an unrecognised certificate. But before that, I had a detection with Spybot which came back after every start.

Last time the updates didn't help, and from this forum we found a rootkit.

I'm busy with all the updates, but I presume they didn't help again.

I use Google Chrome (not IE), but Google Chrome uses the certificates of IE.

This is the DDS log file:


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Guy at 14:09:24 on 2011-09-26
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.33.1036.18.1012.349 [GMT 2:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\wdm\STacSV.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\DOSPRN\DOSprn.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Guy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Guy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Guy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Guy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Guy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Guy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Guy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
\\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Documents and Settings\Guy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\windows-kb890830-v4.0.exe
c:\d1d90775e96d7cde67f1\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Totalcmd\TOTALCMD.EXE
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.bing.com
uSearch Bar = hxxp://www.bing.com/sphome.aspx?mkt={SUB_RFC1766}
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://www.bing.com/sphome.aspx?mkt={SUB_RFC1766}
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [Google Update] "c:\documents and settings\guy\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [Ulead Memory Card Detector] c:\program files\ulead systems\ulead photo explorer 7.0\Monitor.exe
mRun: [SunJavaUpdateSched] "c:\program files\fichiers communs\java\java update\jusched.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRunOnce: [KB923561] rundll32.exe apphelp.dll,ShimFlushCache
mRunOnce: [KB976002-v5] c:\windows\system32\browserchoice.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\guy\menudm~1\progra~1\dmarra~1\dosprn.lnk - c:\program files\dosprn\DOSprn.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1317033637343
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{661452A4-378D-4299-B5A4-D8A0877BC0D7} : DhcpNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-7-16 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-7-16 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-7-16 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-7-16 42184]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\hewlett-packard\hp wireless assistant\HPWA_Service.exe [2010-4-5 103992]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2011-7-21 14976]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-6-24 113664]
R3 Cam3820;Cam3820 PC Camera Driver;c:\windows\system32\drivers\cam3820a.sys [2010-6-23 363904]
R3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\drivers\RtsPStor.sys [2010-6-24 230944]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2010-6-23 1323296]
S2 gupdate;Service Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-7-16 136176]
S3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2010-6-24 227896]
S3 gupdatem;Service Google Update (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-7-16 136176]
.
=============== Created Last 30 ================
.
2011-09-26 12:07:56 -------- d-----w- C:\d1d90775e96d7cde67f1
2011-09-26 11:30:53 -------- d-----w- c:\windows\ie8updates
2011-09-26 11:24:07 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2011-09-26 11:24:02 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2011-09-26 11:24:02 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2011-09-26 11:23:56 293376 ------w- c:\windows\system32\browserchoice.exe
2011-09-26 11:23:41 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2011-09-26 11:23:19 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2011-09-26 11:23:03 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-09-26 11:22:27 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-09-26 11:20:50 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2011-09-26 11:19:42 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2011-09-26 11:19:40 354304 ----a-w- c:\windows\system32\SET45A.tmp
2011-09-26 11:19:40 354304 ------w- c:\windows\system32\dllcache\winhttp.dll
2011-09-26 11:18:24 337408 ----a-w- c:\windows\system32\SET279.tmp
2011-09-26 11:18:24 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2011-09-26 11:18:23 692736 ------w- c:\windows\system32\dllcache\inetcomm.dll
2011-09-26 11:11:22 -------- d-----w- c:\windows\system32\PreInstall
2011-09-26 11:11:20 -------- d--h--w- c:\windows\$hf_mig$
2011-09-26 11:07:01 -------- d-----w- c:\windows\system32\SoftwareDistribution
2011-09-09 09:12:01 606208 ----a-w- c:\windows\system32\SET8EF.tmp
2011-09-09 09:12:01 606208 ------w- c:\windows\system32\dllcache\crypt32.dll
.
==================== Find3M ====================
.
2011-07-25 15:09:56 5969920 ----a-w- c:\windows\system32\SET106.tmp
2011-07-21 04:47:58 69632 ----a-w- c:\windows\uinst001.exe
2011-07-17 16:59:08 408 ----a-w- C:\Data.bat
2011-07-16 23:42:44 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2009-11-10 20:23:34 7100928 ----a-w- c:\program files\PocketDivXEncoder_0.3.96.exe
2008-12-01 04:09:48 305664 ----a-w- c:\program files\Xtremsplit1.2.exe
2008-02-10 14:33:58 253952 ----a-w- c:\program files\file_recovery.exe
2006-05-03 10:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 11:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 13:30:52 216064 --sha-r- c:\windows\system32\nbDX.dll
2010-01-06 22:00:00 107520 --sha-r- c:\windows\system32\TAKDSDecoder.dll
.
============= FINISH: 14:16:16,32 ===============

And I find no information about a new rootkit on a new PC.

Am I clean?

Thanks for the help.

All the updates don't help with the problem, and I restored the old partition (without updates). Updates are not the problem; there must be something elsewhere.

RootAlyzer found nothing abnormal.

Here is an image of the problem (not secure on the bank site):

http://i53.tinypic.com/dy249d.jpg

Hoping this image could help to find a solution.

----------------------------------------------------
Edit
Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. In addition, helpers would think you are already being assisted because of the post count; they look for topics with 0 responses. For that reason we may merge such posts, but please do not count on it. http://forums.spybot.info/showthread.php?t=288

Guy19550
2011-09-30, 06:44
Two days later: no more access to a second secured banking site. I need a solution.

A solution partially came with TDSSKiller (found on your site). The end of the log file is here:

02:50:41.0000 3884 Detected object count: 4
02:50:41.0000 3884 Actual detected object count: 4
02:50:59.0828 3884 HKLM\SYSTEM\ControlSet001\services\Aspi32 - will be deleted on reboot
02:50:59.0859 3884 HKLM\SYSTEM\ControlSet002\services\Aspi32 - will be deleted on reboot
02:50:59.0875 3884 C:\WINDOWS\system32\drivers\Aspi32.sys - will be deleted on reboot
02:50:59.0875 3884 Aspi32 ( UnsignedFile.Multi.Generic ) - User select action: Delete
02:50:59.0875 3884 HKLM\SYSTEM\ControlSet001\services\ialm - will be deleted on reboot
02:50:59.0890 3884 HKLM\SYSTEM\ControlSet002\services\ialm - will be deleted on reboot
02:50:59.0890 3884 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys - will be deleted on reboot
02:50:59.0890 3884 ialm ( UnsignedFile.Multi.Generic ) - User select action: Delete
02:50:59.0890 3884 HKLM\SYSTEM\ControlSet001\services\SBKUPNT - will be deleted on reboot
02:50:59.0890 3884 HKLM\SYSTEM\ControlSet002\services\SBKUPNT - will be deleted on reboot
02:50:59.0906 3884 C:\WINDOWS\system32\Drivers\SBKUPNT.SYS - will be deleted on reboot
02:50:59.0906 3884 SBKUPNT ( UnsignedFile.Multi.Generic ) - User select action: Delete
02:50:59.0906 3884 HKLM\SYSTEM\ControlSet001\services\StarOpen - will be deleted on reboot
02:50:59.0906 3884 HKLM\SYSTEM\ControlSet002\services\StarOpen - will be deleted on reboot
02:50:59.0906 3884 C:\WINDOWS\system32\drivers\StarOpen.sys - will be deleted on reboot
02:50:59.0906 3884 StarOpen ( UnsignedFile.Multi.Generic ) - User select action: Delete
02:51:02.0734 3312 Deinitialize success

Without the deletion, there was no access to the secured site of the second bank. But it did not resolve the first problem.

For the initial problem, I used rootsupd.exe (after the Genuine test) from the Microsoft website (better than 2 GB of ridiculous updates).

I made a new image of the partition and it works now after flashing back the image.

Maybe some other programs don't work now; I hope not!!!
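As an added example (not part of the thread, and not code from Spybot or Kaspersky): a small Python script that parses the TDSSKiller detection lines quoted in the post above and groups each flagged object with the registry keys and driver files scheduled for deletion. It also raises two triage notes a helper would want before trusting such a cleanup: whether the excerpt accounts for all objects the log declares, and that `UnsignedFile.Multi.Generic` is a heuristic verdict for a driver without a valid signature rather than a match against known malware, which is why a deletion like this can remove legitimate drivers (the poster's own worry that other programs may stop working). The sample input is the log excerpt from the thread; the "timestamp pid message" layout and the two message patterns are assumptions drawn from those lines only.

```python
import re
from collections import OrderedDict

# Excerpt of the TDSSKiller log posted in the thread above (same lines, used as sample input).
TDSSKILLER_LOG = r"""
02:50:41.0000 3884 Detected object count: 4
02:50:41.0000 3884 Actual detected object count: 4
02:50:59.0828 3884 HKLM\SYSTEM\ControlSet001\services\Aspi32 - will be deleted on reboot
02:50:59.0859 3884 HKLM\SYSTEM\ControlSet002\services\Aspi32 - will be deleted on reboot
02:50:59.0875 3884 C:\WINDOWS\system32\drivers\Aspi32.sys - will be deleted on reboot
02:50:59.0875 3884 Aspi32 ( UnsignedFile.Multi.Generic ) - User select action: Delete
02:50:59.0875 3884 HKLM\SYSTEM\ControlSet001\services\ialm - will be deleted on reboot
02:50:59.0890 3884 HKLM\SYSTEM\ControlSet002\services\ialm - will be deleted on reboot
02:50:59.0890 3884 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys - will be deleted on reboot
02:50:59.0890 3884 ialm ( UnsignedFile.Multi.Generic ) - User select action: Delete
02:50:59.0890 3884 HKLM\SYSTEM\ControlSet001\services\SBKUPNT - will be deleted on reboot
02:50:59.0890 3884 HKLM\SYSTEM\ControlSet002\services\SBKUPNT - will be deleted on reboot
02:50:59.0906 3884 C:\WINDOWS\system32\Drivers\SBKUPNT.SYS - will be deleted on reboot
02:50:59.0906 3884 SBKUPNT ( UnsignedFile.Multi.Generic ) - User select action: Delete
02:50:59.0906 3884 HKLM\SYSTEM\ControlSet001\services\StarOpen - will be deleted on reboot
02:50:59.0906 3884 HKLM\SYSTEM\ControlSet002\services\StarOpen - will be deleted on reboot
02:50:59.0906 3884 C:\WINDOWS\system32\drivers\StarOpen.sys - will be deleted on reboot
02:50:59.0906 3884 StarOpen ( UnsignedFile.Multi.Generic ) - User select action: Delete
02:51:02.0734 3312 Deinitialize success
"""

# Assumed layout: "HH:MM:SS.ffff <pid> <message>" (as seen in the excerpt).
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)\s+(.*)$")
COUNT_RE = re.compile(r"^Actual detected object count: (\d+)$")
PENDING_RE = re.compile(r"^(?P<target>.+?) - will be deleted on reboot$")
VERDICT_RE = re.compile(
    r"^(?P<name>\S+) \( (?P<verdict>[^)]+) \) - User select action: (?P<action>\w+)$"
)

# Verdict prefixes that only say "no valid signature", not "known malware".
HEURISTIC_VERDICTS = ("UnsignedFile.",)


def parse_tdsskiller(text):
    """Return (declared_count, objects): objects maps each detected object name
    to its verdict, the action the user chose, and the registry keys and files
    that were queued for removal just before its verdict line."""
    declared = None
    objects = OrderedDict()
    pending = []  # "will be deleted" targets seen since the previous verdict line
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(3)
        c = COUNT_RE.match(msg)
        if c:
            declared = int(c.group(1))
            continue
        p = PENDING_RE.match(msg)
        if p:
            pending.append(p.group("target"))
            continue
        v = VERDICT_RE.match(msg)
        if v:
            objects[v.group("name")] = {
                "verdict": v.group("verdict"),
                "action": v.group("action"),
                "registry_keys": [t for t in pending if t.upper().startswith("HKLM\\")],
                "files": [t for t in pending if not t.upper().startswith("HKLM\\")],
            }
            pending = []
    return declared, objects


def review(declared, objects):
    """Triage notes: a count mismatch means the excerpt is incomplete; a deleted
    object with a heuristic-only verdict should have its file verified (hash,
    vendor, signature) before the deletion is trusted as a malware removal."""
    notes = []
    if declared is not None and declared != len(objects):
        notes.append(f"log declares {declared} objects but {len(objects)} verdict lines were parsed")
    for name, info in objects.items():
        if info["verdict"].startswith(HEURISTIC_VERDICTS) and info["action"] == "Delete":
            files = ", ".join(info["files"]) or "its files"
            notes.append(f"{name}: {info['verdict']} is a heuristic (unsigned) verdict; verify {files}")
    return notes


if __name__ == "__main__":
    count, found = parse_tdsskiller(TDSSKILLER_LOG)
    for name, info in found.items():
        print(f"{name}: {info['verdict']} -> {info['action']}")
        for target in info["registry_keys"] + info["files"]:
            print(f"    {target}")
    for note in review(count, found):
        print("NOTE:", note)
```

Running it lists the four objects with their two ControlSet keys and one driver file each, and emits one verification note per object because every verdict in this excerpt is the unsigned-file heuristic; the count note only appears if a verdict line is missing from the pasted excerpt.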