Solved "Security Alert" for Malware.Win32/Caphaw

jjdid

New Member
Thread author
Verified
Sep 28, 2014
21
I don't know whether the warning is legitimate or if that is the actual malware.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Scan with RogueKiller

Please download RogueKiller and save the file to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
  • Right-click on the RogueKiller icon and select Run as Administrator to start the tool.
  • Wait patiently until the pre-scan is done. It shouldn't take more than 2-3 minutes.
  • Accept the Terms of use.
  • When the Scan button becomes available, please click it. RogueKiller will start a full scan.
  • Let this process run uninterrupted!
  • When finished, a Report button will become available. Click it. You will be presented with a logfile.
Please include the content of this logfile in your next reply.
 

jjdid

New Member
Thread author
Verified
Sep 28, 2014
21
RogueKiller V9.2.13.0 [Sep 25 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : Owner [Admin rights]
Mode : Scan -- Date : 09/30/2014 03:00:33

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5C9D76E0-5E7F-41A7-B018-F5B59ADD252E} | DhcpNameServer : 62.24.0.88 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5C9D76E0-5E7F-41A7-B018-F5B59ADD252E} | DhcpNameServer : 62.24.0.88 -> FOUND
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-336245490-3187525355-3437165606-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> FOUND
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-336245490-3187525355-3437165606-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤
[Suspicious.Path] \\Secure Fast PC Auto Updater -- C:\Users\Owner\AppData\Roaming\Developerts LLC USA\SFPC Auto Updater.exe (AUTOCHECK) -> FOUND

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: NOT LOADED [0x20]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD7500BPVX-55JC3T0 +++++
--- User ---
[MBR] 27ee968de3ef38376e67b99d05e0310e
[BSP] 04efd4031027dc0565de81a1030fc5c2 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097151 MB
User = LL1 ... OK
User = LL2 ... OK
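The report above is what the helper reads by eye to spot a scheduled task launching from a profile directory. As an added example (not from this thread, not from Adlice's RogueKiller), here is a small Python parser for that report layout: it splits the report into its "¤¤¤" sections, flags scheduled tasks whose executable lives in a user-writable path, and collects the PUM.Dns resolver values so they can be checked against what the router or ISP actually hands out. The sample report is constructed from the thread's own lines plus one invented "Vendor Update" task that should not be flagged.

```python
import re

# Constructed sample in the layout of the RogueKiller report posted above (section
# banners, "[Category] ... -> FOUND" lines); the "Vendor Update" task is invented.
SAMPLE_REPORT = r"""¤¤¤ Registry Entries : 2 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5C9D76E0-5E7F-41A7-B018-F5B59ADD252E} | DhcpNameServer : 62.24.0.88 -> FOUND
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> FOUND

¤¤¤ Scheduled tasks : 2 ¤¤¤
[Suspicious.Path] \\Secure Fast PC Auto Updater -- C:\Users\Owner\AppData\Roaming\Developerts LLC USA\SFPC Auto Updater.exe (AUTOCHECK) -> FOUND
[Suspicious.Path] \\Vendor Update -- C:\Program Files\Vendor\update.exe (AUTOCHECK) -> FOUND
"""

SECTION_RE = re.compile(r"^¤¤¤ (?P<name>.+?) :.*¤¤¤$")
FINDING_RE = re.compile(r"^\[(?P<cat>[^\]]+)\] (?P<body>.*) -> FOUND$")
TASK_RE = re.compile(r"^\\\\(?P<task>.+?) -- (?P<path>.+?) \((?P<state>\w+)\)$")

# Directories an unprivileged user can write to. A scheduled task that launches an
# EXE from one of these is the pattern behind the thread's Suspicious.Path hit.
USER_WRITABLE = (r"\appdata\roaming", r"\appdata\local", r"\programdata", r"\temp")


def parse_report(text):
    """Map each report section to its list of (category, body) FOUND entries."""
    sections, current = {}, None
    for line in text.splitlines():
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group("name")
            sections.setdefault(current, [])
            continue
        hit = FINDING_RE.match(line)
        if hit and current is not None:
            sections[current].append((hit.group("cat"), hit.group("body")))
    return sections

def triage_tasks(sections):
    """Return (task name, exe path) for tasks whose target is in a user-writable dir."""
    flagged = []
    for _cat, body in sections.get("Scheduled tasks", []):
        task = TASK_RE.match(body)
        if task and any(m in task.group("path").lower() for m in USER_WRITABLE):
            flagged.append((task.group("task"), task.group("path")))
    return flagged

def dns_overrides(sections):
    """Deduplicated resolver IPs reported under PUM.Dns, to verify against the router/ISP."""
    return sorted({body.rsplit(" : ", 1)[1]
                   for cat, body in sections.get("Registry Entries", []) if cat == "PUM.Dns"})
```

Running `triage_tasks(parse_report(SAMPLE_REPORT))` returns only the Developerts task, because Program Files is not a user-writable location.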
 

jjdid

New Member
Thread author
Verified
Sep 28, 2014
21
Still getting the popup. Looks like I'll have to do a wipe and clean install.
 

jjdid

New Member
Thread author
Verified
Sep 28, 2014
21
Windows Defender is disabled by Win 8.1 because Kaspersky is installed. The popup is being generated by malware trying to fool the user into paying for their fake service.
They are prompting you to call 1-800-935-0716, which as far as I can tell belongs to a fake company called pcsargent.com.
 

jjdid

New Member
Thread author
Verified
Sep 28, 2014
21
I do see some strange software in the RogueKiller scan called SFPC Auto Updater.exe.
It's from Developerts LLC USA.

Is that in any way legitimate?
Looks like the same scam company to me.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
I think I found it:

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download the attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished, FRST will generate a log on the Desktop called Fixlog.txt.

Please attach it to your reply.


Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Install the program and select Update.
  • Once updated, click the Settings tab, in the left panel choose Detection & Protection and tick Scan for rootkits.
  • Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.
Save the file to your desktop and include its content in your next reply.
 

Attachments

  • fixlist.txt (1.1 KB)

jjdid

New Member
Thread author
Verified
Sep 28, 2014
21
Well that took care of the Developerts stuff as well. So far the popup has not reoccurred.
Here are the logs:

Fixlog.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-09-2014 02
Ran by Owner at 2014-09-30 16:44:48 Run:1
Running from C:\Users\Owner\Desktop
Loaded Profile: Owner (Available profiles: Owner & Administrator)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
closeprocesses:
emptytemp:
2014-09-20 23:44 - 2014-09-20 23:44 - 00000000 ____D () C:\Users\Owner\AppData\Local\SFPC_Auto_Updater
2014-09-20 22:38 - 2014-09-28 18:13 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\now-download-free bundle
2014-09-20 22:37 - 2014-09-20 23:08 - 00003926 _____ () C:\WINDOWS\System32\Tasks\Optimum_Daily
2014-09-20 22:37 - 2014-09-20 23:07 - 00003496 _____ () C:\WINDOWS\System32\Tasks\Optimum_LogOn
2014-09-20 22:37 - 2014-09-20 22:38 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\OptimumPcBoost
2014-09-20 22:31 - 2014-09-27 16:47 - 00000000 ____D () C:\Program Files\WinPcap
2014-09-20 22:29 - 2014-09-20 22:29 - 00003998 _____ () C:\WINDOWS\System32\Tasks\Secure Fast PC Auto Updater
2014-09-20 22:29 - 2014-09-20 22:29 - 00003554 _____ () C:\WINDOWS\System32\Tasks\Secure Fast PC Autorun
2014-09-20 22:29 - 2014-09-20 22:29 - 00000000 ____D () C:\Users\Owner\AppData\Local\IsolatedStorage
2014-09-20 22:28 - 2014-09-21 22:08 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Developerts LLC USA
2014-09-20 22:28 - 2014-09-20 22:28 - 00000000 ____D () C:\Users\Owner\AppData\Local\Developerts_LLC
*****************

Processes closed successfully.
C:\Users\Owner\AppData\Local\SFPC_Auto_Updater => Moved successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\now-download-free bundle => Moved successfully.
C:\WINDOWS\System32\Tasks\Optimum_Daily => Moved successfully.
C:\WINDOWS\System32\Tasks\Optimum_LogOn => Moved successfully.
C:\Users\Owner\AppData\Roaming\OptimumPcBoost => Moved successfully.
C:\Program Files\WinPcap => Moved successfully.
C:\WINDOWS\System32\Tasks\Secure Fast PC Auto Updater => Moved successfully.
C:\WINDOWS\System32\Tasks\Secure Fast PC Autorun => Moved successfully.
C:\Users\Owner\AppData\Local\IsolatedStorage => Moved successfully.
C:\Users\Owner\AppData\Roaming\Developerts LLC USA => Moved successfully.
C:\Users\Owner\AppData\Local\Developerts_LLC => Moved successfully.
EmptyTemp: => Removed 13.3 MB temporary data.


The system needed a reboot.

==== End of Fixlog ====


Malwarebytes log

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2014-09-30
Scan Time: 5:11:27 PM
Logfile: mbites log.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.09.30.08
Rootkit Database: v2014.09.19.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Owner

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 372373
Time Elapsed: 11 min, 21 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Very good, then we're done :)

Glad I could help. We will delete all used tools and I'll give you some tips to harden your security and learn how to protect yourself :)

Recommended reading:
MUST READ - security tips:
MUST READ - general maintenance:

The Importance of Software Updating:

In order to stay protected it is very important that you regularly update all of your software. Cybercriminals depend on the apathy of users around software updates to keep their malicious endeavor running.

Operating systems, such as Windows, and applications, such as Adobe Reader or Java, are used by tens of millions of computers and devices around the world, making them a huge target for cybercriminals. Downloading updates and installing them can sometimes be tedious, but the advantages you get from the updates are certainly worth it.

Recommended additional software:
  • TFC - to clean unneeded temporary files.
  • Malwarebytes' Anti-Malware - to scan your system from time to time in search for malware.
  • Malwarebytes' Anti-Exploit - to prevent exploitation of commonly exploited vulnerabilities.
  • McShield - to prevent infections spread by removable media.
  • CryptoPrevent - to secure yourself from the very severe CryptoLocker infection.
  • Unchecky - to prevent you from installing additional foistware bundled into legitimate installations.
  • FileHippo.com Update Checker - to keep your programs up-to-date.
  • Adblock - to surf the web without annoying ads!

Post-cleanup procedures:

Download DelFix by Xplode and save it to your desktop.
  • Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run and wait until the tool completes its work.
  • All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt).
The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

My help is free for everybody.
If you're happy with the help provided and/or wish to buy me a beer for the assistance you received, then you can consider a donation:
Thank you!

Stay safe,
TwinHeadedEagle :)

jjdid

New Member
Thread author
Verified
Sep 28, 2014
21
Thanks for all the help. I was unable to harden the laptop because I was heading out of town and gave it back to the friend I was helping out. I will try to follow up and do a clean-up, though I did do a clean-up myself manually, certainly nothing as good or thorough as I'm sure your methods are.
Really appreciate it. Thanks again for your help.
 
