Fake XP Antivirus 2012 Please read hijackThis v2.0.4

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

oilspill

Thread Starter
Joined
Dec 5, 2011
Messages
23
Please read the log and give me some feedback when possible. My system is not connecting to the internet and I am getting a fake XP Antivirus 2012 window that says my system is infected. I am running McAfee software and it seems to be running correctly, but I have no access to the web. Please help. Thank you very much.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:02:42 PM, on 12/5/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Andre\Desktop\HiJackThis.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Andre\Local Settings\Application Data\oix.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110509112233.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Updater For My.Freeze.com Toolbar - {C26CD490-5F01-41E3-B150-EB29F19DA056} - (no file)
O2 - BHO: (no name) - {CC3C8D60-29D6-4880-B9D8-443C4CBA2BEC} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.fdipowersystem.com
O15 - Trusted Zone: http://browser.skillport.com
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: Sqlseses - sqlesw32.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbucoms.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 7598 bytes
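The HijackThis log above is what the helper is reading by eye. As an added example (not code from the thread or from Trend Micro), the following Python script applies a few triage rules to the kind of lines shown: an executable running out of a user-profile data directory (the oix.exe entry), O2/O23 entries whose file no longer exists, a Winlogon Notify entry pointing at a missing DLL, a service with no identifiable vendor, and sites added to the IE Trusted Zone. The rules and severity labels are the editor's heuristics, not HijackThis output, and the sample text is a handful of lines copied from the log with one ordinary O4 line added for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above,
# plus one ordinary O4 autostart line for contrast.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Documents and Settings\Andre\Local Settings\Application Data\oix.exe

O2 - BHO: Updater For My.Freeze.com Toolbar - {C26CD490-5F01-41E3-B150-EB29F19DA056} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O15 - Trusted Zone: http://www.fdipowersystem.com
O20 - Winlogon Notify: Sqlseses - sqlesw32.dll (file missing)
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
"""


@dataclass
class Finding:
    line: str
    reason: str
    severity: str  # "high", "medium" or "low" (editor's own labels)


# User-profile locations that rogue software commonly drops executables into;
# legitimate services and autostarts rarely run from here.
USER_DATA_DIR = re.compile(r"\\(Local Settings\\)?Application Data\\|\\Temp\\", re.IGNORECASE)
# HijackThis entry lines look like "O23 - Service: ..." or "R1 - HKCU\...".
ENTRY = re.compile(r"^(?P<kind>[OR]\d+) - (?P<body>.*)$")


def triage(log_text):
    """Return a list of Finding objects for the suspicious lines in a HijackThis log."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:
            in_processes = False
            continue
        if in_processes:
            if USER_DATA_DIR.search(line) and line.lower().endswith(".exe"):
                findings.append(Finding(line, "executable running from a user-profile data directory", "high"))
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        missing = "(no file)" in body or "(file missing)" in body
        if kind == "O20" and missing:
            findings.append(Finding(line, "Winlogon Notify entry points at a missing DLL (persistence remnant)", "medium"))
        elif kind == "O23" and "Unknown owner" in body:
            findings.append(Finding(line, "service with no identifiable vendor", "medium"))
        elif kind == "O15":
            findings.append(Finding(line, "site added to the IE Trusted Zone; confirm it is intentional", "medium"))
        elif missing:
            findings.append(Finding(line, "orphaned entry referencing a file that no longer exists", "low"))
    return findings


def summarize(findings):
    """Count findings per severity, highest first."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    print(summarize(results))
```

Run against the sample, the one high-severity hit is the oix.exe process under Local Settings\Application Data, which is also the file ComboFix later deletes; the orphaned entries are low priority on their own but are the clean-up items the helper would expect to disappear once the fix is done.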
 

DFW

Malware Specialist
Joined
Jun 12, 2004
Messages
1,458
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.
If you think you have similar problems, please post the required log/s in the forum and wait for help.
Hi oilspill and welcome.

I'm DFW and I am going to try and help you with your Malware problem. Please observe the following points and rules while we work:
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The clean up process can take time. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Some of the logs we ask for can take some time to analyse, so please be patient.
  • This may or may not, solve other issues you have with your machine.


Going over your log, be back as soon as possible.
 

DFW

Malware Specialist
Joined
Jun 12, 2004
Messages
1,458
Hi oilspill

Your log shows signs of a nasty infection, but I would like you to run a scan to confirm this. As you do not have an internet connection,
you are going to need to use a second system to download this tool and then transfer it to the infected system.

Place it on your desktop to run the scan. If, however, you find you cannot run the scan, boot into safe mode and try again; if you need to
boot into safe mode, the instructions are at the bottom of this post.



Download Kaspersky Virus Removal Tool to your Desktop.
  • Run the programme you have just downloaded (it will be randomly named).
  • Click the cog in the upper right.


Select down to and including your main drive. Once done, select the Automatic scan tab and press Start Scan.


  • Allow Virus Removal Tool to delete all infections found
  • Once it has finished select report tab (last tab)
  • Select Detected threats report from the left and press Save button
  • Save it to your desktop and attach to your next post




Safe mode instructions
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.



Please post back the Kaspersky log.
 

oilspill

Thread Starter
Joined
Dec 5, 2011
Messages
23
I tried several times in safe mode, and before the log could be recovered the fake Antivirus 2012 would interfere. I have no log to submit. I will wait for further instructions. Thank you.

OILSpill
 

DFW

Malware Specialist
Joined
Jun 12, 2004
Messages
1,458
Hi oilspill


It sounds like you were able to run the Kaspersky tool but were unable to copy the log, is that right?

Do you still not have an internet connection?




Run ComboFix below. However, if it will not run in normal mode, please run it in safe mode.


Download ComboFix from here to your Desktop.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix.


  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    For instructions on how to disable your security programs, please see this topic below
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, we must have this pre-installed on your machine before doing any malware removal.
    It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper



Post back Combofix Log and answers to questions.
 

oilspill

Thread Starter
Joined
Dec 5, 2011
Messages
23
ComboFix 11-12-06.02 - Andre 12/07/2011 10:52:22.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.320 [GMT -8:00]
Running from: H:\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active
.
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Andre\Application Data\PriceGong
c:\documents and settings\Andre\Application Data\PriceGong\Data\1.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\4436.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\a.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\b.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\c.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\d.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\e.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\f.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\g.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\h.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\i.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\j.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\k.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\l.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\m.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Andre\Application Data\PriceGong\Data\n.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\o.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\p.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\q.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\r.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\s.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\t.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\u.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\v.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\w.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\x.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\y.txt
c:\documents and settings\Andre\Application Data\PriceGong\Data\z.txt
c:\documents and settings\Andre\g2ax_customer_downloadhelper_win32_x86.exe
c:\documents and settings\Andre\g2mdlhlpx.exe
c:\documents and settings\Andre\Local Settings\Application Data\oix.exe
c:\documents and settings\Harumi\Local Settings\Application Data\Skype\Phone\Skype.exe
c:\windows\$NtUninstallKB52782$\22007649\@
c:\windows\$NtUninstallKB52782$\22007649\bckfg.tmp
c:\windows\$NtUninstallKB52782$\22007649\cfg.ini
c:\windows\$NtUninstallKB52782$\22007649\Desktop.ini
c:\windows\$NtUninstallKB52782$\22007649\keywords
c:\windows\$NtUninstallKB52782$\22007649\kwrd.dll
c:\windows\$NtUninstallKB52782$\22007649\L\ojnomkzu
c:\windows\$NtUninstallKB52782$\22007649\lsflt7.ver
c:\windows\$NtUninstallKB52782$\22007649\U\[email protected]
c:\windows\$NtUninstallKB52782$\22007649\U\[email protected]
c:\windows\$NtUninstallKB52782$\22007649\U\[email protected]
c:\windows\$NtUninstallKB52782$\22007649\U\[email protected]
c:\windows\$NtUninstallKB52782$\22007649\U\[email protected]
c:\windows\$NtUninstallKB52782$\22007649\U\[email protected]
c:\windows\$NtUninstallKB52782$\4289545692
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll
c:\windows\$NtUninstallKB52782$ . . . . Failed to delete
.
Infected copy of c:\windows\system32\drivers\mqac.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_NPF
-------\Service_MyWebSearchService
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-11-07 to 2011-12-07 )))))))))))))))))))))))))))))))
.
.
2011-12-07 18:48 . 2011-12-07 18:48 -------- d--h--w- c:\windows\$hf_mig$
2011-12-07 08:29 . 2011-12-07 08:29 -------- d-----w- c:\documents and settings\Administrator
2011-12-02 00:47 . 2011-12-02 00:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-12-01 10:28 . 2011-12-01 10:29 355 ----a-w- c:\documents and settings\Andre\fix.reg
2011-12-01 10:11 . 2011-12-01 10:11 -------- d-----w- c:\documents and settings\Andre\Application Data\Qualys
2011-11-28 19:06 . 2011-11-28 19:06 -------- d-----w- c:\windows\Sun
2011-11-23 07:58 . 2011-11-30 06:06 -------- d-----w- c:\windows\srchasst
2011-11-15 06:16 . 2011-11-15 06:16 -------- d-----w- c:\program files\iPod
2011-11-15 06:06 . 2011-11-15 06:06 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-24 22:29 . 2011-10-24 22:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 22:29 . 2011-10-24 22:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-10 14:22 . 2001-12-07 08:49 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2004-08-03 23:56 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 18:41 . 2008-07-30 02:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2001-08-23 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2001-08-23 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-14 21:40 . 2011-06-10 14:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-27 03:34 . 2011-09-14 06:42 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 21:01 . 2011-05-09 18:22 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-06-28 1195408]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
""NoLowDiscSpaceChecks""= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 22:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 19:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\wowd.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [5/9/2011 10:22 AM 84200]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/9/2011 10:22 AM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/9/2011 10:22 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/9/2011 10:22 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [5/9/2011 10:22 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [5/9/2011 9:31 AM 148520]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [5/9/2011 10:22 AM 56064]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [5/9/2011 10:22 AM 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [5/9/2011 10:22 AM 88736]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [5/9/2011 10:22 AM 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [5/9/2011 10:22 AM 84488]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
Sqlses REG_MULTI_SZ SqlCSS
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
2010-04-22 c:\windows\Tasks\Creative Diagnostics Agent.job
- c:\progra~1\Creative\SBLive\DIAGNO~1\diagent.exe [2009-02-05 09:01]
.
2011-12-07 c:\windows\Tasks\User_Feed_Synchronization-{815C80E9-85DC-4EB6-B284-5BE3F16A91F7}.job
- c:\windows\system32\msfeedssync.exe [2001-12-07 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: fdipowersystem.com\www
Trusted Zone: navy.mil\chart.donhr
Trusted Zone: skillport.com\browser
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Andre\Application Data\Mozilla\Firefox\Profiles\ftdtl9qx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2416161&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{CC3C8D60-29D6-4880-B9D8-443C4CBA2BEC} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-ApnUpdater - c:\program files\Ask.com\Updater\Updater.exe
Notify-Sqlseses - sqlesw32.dll
MSConfigStartUp-MozillaAgent - c:\windows\Temp\_ex-68.exe
AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-07 11:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6e,41,3e,d7,1d,45,2c,47,ae,de,03,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6e,41,3e,d7,1d,45,2c,47,ae,de,03,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3968)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\netdde.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\rundll32.exe
c:\progra~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-12-07 11:48:35 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-07 19:48
.
Pre-Run: 32,125,825,024 bytes free
Post-Run: 32,623,595,520 bytes free
.
- - End Of File - - C2EC828DE03C212DCA6CC122D0C5297E
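The "Reg Loading Points" section of the ComboFix log above is a REGEDIT4-style dump, and several of the values in it are worth a second look from a defender's side: `AntiVirusOverride` and `FirewallOverride` under the Security Center key, `DisableMonitoring` under a product's Monitoring subkey, and `EnableFirewall`/`DisableNotifications` under the standard firewall profile. Rogue antivirus commonly sets these to silence Security Center warnings, but some legitimate third-party suites write the same flags for their own product, so a hit is something to verify against the installed software rather than proof of infection. The parser and audit rules below are an added example written for this thread, not ComboFix code; the sample text is the relevant keys copied from the log above.

```python
import re

# Constructed sample: the Security Center and firewall-policy keys copied
# from the ComboFix "Reg Loading Points" section above.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

KEY_LINE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.+)$')


def _coerce(value):
    """Turn 'dword:00000001' or '0 (0x0)' into an int; leave anything else as text."""
    value = value.strip()
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    m = re.match(r"^(-?\d+)\b", value)
    return int(m.group(1)) if m else value


def parse_reg_dump(text):
    """Return {key: {value_name: value}} with keys and names lower-cased."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group("key").lower()
            result.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            result[current][m.group("name").lower()] = _coerce(m.group("value"))
    return result


def audit(reg):
    """List the Security Center / firewall settings that suppress protection warnings."""
    findings = []
    for key, values in reg.items():
        if key.endswith("\\security center"):
            for name in ("antivirusoverride", "firewalloverride"):
                if values.get(name) == 1:
                    findings.append(f"{name}=1: Security Center alert suppressed")
        elif "\\security center\\monitoring\\" in key and values.get("disablemonitoring") == 1:
            product = key.rsplit("\\", 1)[-1]
            findings.append(f"monitoring disabled for {product}")
        elif key.endswith("\\firewallpolicy\\standardprofile"):
            if values.get("enablefirewall") == 0:
                findings.append("EnableFirewall=0: Windows Firewall off for the standard profile")
            if values.get("disablenotifications") == 1:
                findings.append("DisableNotifications=1: firewall notifications suppressed")
    return findings


if __name__ == "__main__":
    for item in audit(parse_reg_dump(SAMPLE_REG)):
        print(item)
```

On this machine the McAfee firewall is enabled according to the ComboFix header, so the Windows Firewall being off is expected; the override flags are the ones to compare against what the security suite itself would set.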
 

DFW

Malware Specialist
Joined
Jun 12, 2004
Messages
1,458
Hi oilspill

Thank you for the ComboFix log. Can you answer the questions from my last post?


It sounds like you were able to run the Kaspersky tool but were unable to copy the log, is that right?

Do you still not have an internet connection?



.................
 

oilspill

Thread Starter
Joined
Dec 5, 2011
Messages
23
I downloaded Kaspersky from another computer and installed it on the desktop via thumb drive.

The internet is up, thanks to ComboFix; after the ComboFix log I rebooted the computer and was able to go online. I will wait for your reply. Thank you.
 

DFW

Malware Specialist
Joined
Jun 12, 2004
Messages
1,458
Hi oilspill, that's great.


Run an ESET online scan

You can use either Internet Explorer or Mozilla FireFox for this scan.

Windows Vista or Windows 7 users, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • First please Disable any Antivirus you have active, as shown in This topic.
  • Note: Don't forget to re-enable it after the scan.
  • Next hold down Control then click on the following link to open a new window to ESET online scanner
  • Select the option YES, I accept the Terms of Use then click on Start.
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on Start.
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on Finish.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
 

oilspill

Thread Starter
Joined
Dec 5, 2011
Messages
23
I did not save the log; I copied it to the desktop but I cannot open it. Should I run the ESET scan again?
Thank you.
 

DFW

Malware Specialist
Joined
Jun 12, 2004
Messages
1,458
OK, it is very important that we see this log. This log will open in a plain Notepad file, so there should be no problem posting this one.


Download and Run MalwareBytes' Anti-Malware It is free for home use.
Please go here to the Download Location, click on Download in the Free column.
When the next page comes up, click on the Download Now button.
  • After clicking on the download and choosing Save, the "Save to location" dialog will come up.
  • Click the browse folders button, then click on Desktop on the left as the location for the installer and click Save again. Close the dialog when the download is complete.
  • You should now have a desktop icon named mbam-setup.exe. (If the download was saved somewhere else, locate it and copy or move it to your desktop).
  • Double Click the download to run the installer.
  • Let it install where it wants to, with the default settings, and click Finish.
  • If an update is found, it will download and install the latest version. A shield symbol will show on the desktop icon while it is updating, and will disappear when it's done.
  • If necessary, start Malwarebytes Anti-Malware again.
    (You can Decline any Offer for a Trial if you don't want the paid version)
  • Once the program has started up, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it found any malware items, check all items except items in the C:\System Volume Information folder... and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any "Scan" log listed to open its contents. The logs are listed and named by time/date stamp.

Post back the Malwarebytes log.
 

oilspill

Thread Starter
Joined
Dec 5, 2011
Messages
23
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 8344
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
12/9/2011 2:48:15 PM
mbam-log-2011-12-09 (14-48-15).txt
Scan type: Quick scan
Objects scanned: 223318
Time elapsed: 7 minute(s), 39 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\AH (Rogue.MultipleAV) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CLASSES_ROOT\ah\Content Type (Rogue.MultipleAV) -> Value: Content Type -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Andre\Local Settings\Application Data\owf.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\program files\mozilla firefox\plugins\NPMyWebS.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
 
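The interesting line in that log is the Registry Data Item: the StartMenuInternet safe-mode command for Firefox had been rewritten so that a file named owf.exe in the user's Local Settings\Application Data folder is launched first and is handed the real firefox.exe command line, which is why the browser still appeared to work. The following is an added example, not code from the thread or from Malwarebytes: a small Python parser that reads MBAM detection lines, pulls the "Bad" and "Good" values out of Registry Data Items, and flags any command whose launched executable lives in a Windows XP user-profile data directory. The sample log embedded in it is constructed from the lines quoted above; the profile-path pattern used as the hijack heuristic is an assumption about where such droppers are placed, not something Malwarebytes reports.

```python
"""Pick browser-command hijacks out of a Malwarebytes (MBAM) log.

Added example, not part of the forum thread and not Malwarebytes' own code.
It parses the detection lines from the post above and, for each Registry Data
Item, extracts the executable that the "Bad" command actually launches and the
clean "Good" command MBAM restored.  A launched executable that sits inside a
user profile's Application Data directory is flagged as a wrapper hijack.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the detection lines copied from the MBAM log in the post above.
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_CLASSES_ROOT\AH (Rogue.MultipleAV) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CLASSES_ROOT\ah\Content Type (Rogue.MultipleAV) -> Value: Content Type -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Andre\Local Settings\Application Data\owf.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\program files\mozilla firefox\plugins\NPMyWebS.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
"""

# "<item> (<signature>) -> <rest>"; the item itself may end in "(default)".
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<sig>[A-Za-z0-9.]+)\) -> (?P<rest>.*)$")
# Registry Data Items carry the value MBAM found and the value it wrote back.
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>.*)\) Good: \((?P<good>.*?)\) -> ")
# Assumption: Windows XP per-user data directories, where the owf.exe wrapper lived.
PROFILE_DATA_RE = re.compile(
    r"\\documents and settings\\[^\\]+\\(local settings\\)?application data\\")


@dataclass
class Detection:
    category: str
    item: str
    signature: str
    bad: Optional[str] = None
    good: Optional[str] = None


def parse_mbam_detections(text: str) -> List[Detection]:
    """Return one Detection per '... -> ...' line, tagged with its section header."""
    found: List[Detection] = []
    category = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and " -> " not in line:
            category = line[:-1]          # e.g. "Registry Data Items Infected"
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue                      # "(No malicious items detected)" and similar
        det = Detection(category, m.group("item"), m.group("sig"))
        bg = BAD_GOOD_RE.search(m.group("rest"))
        if bg:
            det.bad, det.good = bg.group("bad"), bg.group("good")
        found.append(det)
    return found


def launched_executable(command: str) -> str:
    """First token of a command line: the program that actually runs."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


def quoted_paths(command: str) -> List[str]:
    """Every double-quoted argument on the command line."""
    return re.findall(r'"([^"]*)"', command)


def is_profile_wrapper(path: str) -> bool:
    """True when the launched program sits in a user profile's Application Data."""
    return PROFILE_DATA_RE.search(path.lower()) is not None


@dataclass
class WrapperHijack:
    registry_item: str
    wrapper: str                 # what the Bad command launches first
    real_target: Optional[str]   # the legitimate binary the wrapper is handed
    restored: str                # the Good command MBAM wrote back


def find_wrapper_hijacks(text: str) -> List[WrapperHijack]:
    """Registry data items whose Bad command launches a binary from a user profile."""
    hits: List[WrapperHijack] = []
    for det in parse_mbam_detections(text):
        if det.bad is None:
            continue
        wrapper = launched_executable(det.bad)
        if not is_profile_wrapper(wrapper):
            continue
        target = next((p for p in quoted_paths(det.bad)
                       if p.lower() != wrapper.lower()), None)
        hits.append(WrapperHijack(det.item, wrapper, target, det.good or ""))
    return hits


if __name__ == "__main__":
    for h in find_wrapper_hijacks(SAMPLE_LOG):
        print(h.registry_item)
        print("  wrapper:  " + h.wrapper)
        print("  target:   " + str(h.real_target))
        print("  restored: " + h.restored)
```

The wrapper is identified purely from where its executable lives, so the same check catches the other StartMenuInternet commands (shell\open\command for each browser) if a later log lists them; on an XP box that was actually cleaned by hand rather than by MBAM, the corresponding check is to read those command values out of the registry and confirm the launched program is the browser itself and not a file under Documents and Settings.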

oilspill

Thread Starter
Joined
Dec 5, 2011
Messages
23
The Mozilla web pages load faster than Internet Explorer; is this an indication that I should use Mozilla only? I am very pleased with the help you have provided; I am probably almost healed. Thanks, I will wait for further details.
 

DFW

Malware Specialist
Joined
Jun 12, 2004
Messages
1,458
  • Please run the Kaspersky Virus Removal Tool again.
  • Click the cog in the upper right.


Select down to and including your main drive; once done, select the Automatic scan tab and press Start Scan.


  • Allow the Virus Removal Tool to delete all infections found.
  • Once it has finished, select the Report tab (last tab).
  • Select Detected threats report from the left and press the Save button.
  • Save it to your desktop and attach it to your next post.



Please download DDS by sUBs from one of the links below, save it to your Desktop (Note: It must be in this location).
Please disable any anti-malware program that will block scripts from running before running DDS.

  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs.
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply



Post back:

Both DDS logs
Kaspersky log
 

oilspill

Thread Starter
Joined
Dec 5, 2011
Messages
23
Status: Deleted (events: 3)
12/10/2011 9:31:36 PM Deleted Trojan program Trojan-FakeAV.Win32.PrivacyProtection.p C:\System Volume Information\_restore{280BADB9-A587-4C99-A273-2F657C8A3869}\RP974\A0084100.lnk High
12/10/2011 8:47:37 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\Andre\Application Data\Sun\Java\Deployment\cache\6.0\49\2e677631-415862b0 High
12/10/2011 7:47:33 PM Deleted virus HEUR:Trojan.Win32.Generic c:\WINDOWS\system32\drivers\netbt.sys High
Status: Disinfected (events: 1)
12/10/2011 7:38:02 PM Disinfected virus Virus.Win32.RLoader.a c:\WINDOWS\system32\drivers\acpi.sys High
 