
Fake XP Antivirus 2012: Please read HijackThis v2.0.4 log

Discussion in 'Virus & Other Malware Removal' started by oilspill, Dec 5, 2011.

  1. oilspill

    oilspill Thread Starter

    Joined:
    Dec 5, 2011
    Messages:
    23
    Please read the log and give me some feedback when possible. My system is not connecting to the internet and I am getting a fake XP Antivirus 2012 window that says my system is infected. I am running McAfee software and it seems to be running correctly, but I have no access to the web. Please help. Thank you very much.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 1:02:42 PM, on 12/5/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\netdde.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\clipsrv.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\mfevtps.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\tlntsvr.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Documents and Settings\Andre\Desktop\HiJackThis.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Documents and Settings\Andre\Local Settings\Application Data\oix.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O1 - Hosts: ::1 localhost
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110509112233.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Updater For My.Freeze.com Toolbar - {C26CD490-5F01-41E3-B150-EB29F19DA056} - (no file)
    O2 - BHO: (no name) - {CC3C8D60-29D6-4880-B9D8-443C4CBA2BEC} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.fdipowersystem.com
    O15 - Trusted Zone: http://browser.skillport.com
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - Winlogon Notify: Sqlseses - sqlesw32.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbucoms.exe
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
    O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
    O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

    --
    End of file - 7598 bytes
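    For anyone triaging a HijackThis log like the one above, the following is an added example (not from this thread, and not part of HijackThis) that flags the entry types a helper checks first: executables running from user-writable profile directories, O20 Winlogon Notify hooks, orphaned "(no file)"/"(file missing)" entries and O15 Trusted Zone additions. The sample lines are copied from this log; the severity labels and the list of "user-writable" paths are my own assumptions.

```python
"""Triage helper for HijackThis v2.0.4 logs (added example, not code from the thread)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines taken from the log posted above plus two benign control lines.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Andre\Local Settings\Application Data\oix.exe
C:\Program Files\iTunes\iTunesHelper.exe

O2 - BHO: Updater For My.Freeze.com Toolbar - {C26CD490-5F01-41E3-B150-EB29F19DA056} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
O15 - Trusted Zone: http://www.fdipowersystem.com
O20 - Winlogon Notify: Sqlseses - sqlesw32.dll (file missing)
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (assumed scale, not a HijackThis concept)
    section: str   # "process" or the HijackThis item code, e.g. "O20"
    reason: str
    line: str


# Writable per-user locations on XP from which legitimately installed software rarely runs
# (the fake-AV process oix.exe in the log above lives in Local Settings\Application Data).
_USER_WRITABLE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(Local Settings\\)?(Application Data|Temp)\\",
    re.IGNORECASE,
)

# "O2 - BHO: ..." / "R1 - HKCU\..." item lines: a code, " - ", then the body.
_ITEM = re.compile(r"^(?P<code>[OR]\d{1,2}) - (?P<body>.*)$")


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries worth a helper's attention."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the "Running processes:" block
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            if _USER_WRITABLE.search(line):
                findings.append(Finding("high", "process",
                                        "executable running from a user-writable profile directory", line))
            continue
        m = _ITEM.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O20":
            # Winlogon Notify DLLs load into winlogon.exe at logon; a missing one is still a
            # persistence leftover that should be removed.
            findings.append(Finding("high", code,
                                    "Winlogon Notify DLL registered", line))
        elif code == "O15":
            findings.append(Finding("medium", code, "site added to IE Trusted Zone", line))
        elif "(file missing)" in body or "(no file)" in body:
            sev = "medium" if code == "O23" else "low"
            findings.append(Finding(sev, code, "orphaned entry: referenced file no longer exists", line))
        elif code == "O23" and "Unknown owner" in body:
            findings.append(Finding("medium", code, "service with no identified vendor", line))
    return findings


def count_by_severity(findings: List[Finding]) -> dict:
    """Summarise findings as {"high": n, "medium": n, "low": n}."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:8} {f.reason}: {f.line}")
    print(count_by_severity(triage(SAMPLE_LOG)))
```

The rules only mirror what a helper eyeballs in a log; they do not replace the tool runs requested later in this thread.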
     
  2. DFW

    DFW Malware Specialist

    Joined:
    Jun 12, 2004
    Messages:
    1,458
    Hi oilspill and welcome..

    I'm DFW and I am going to try and help you with your Malware problem. Please observe the following points and rules while we work:
    • The fixes are specific to your problem and should only be used for this issue on this machine!
    • The clean up process can take time. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
    • If you don't know, stop and ask! Don't keep going on.
    • Please reply to this thread. Do not start a new topic.
    • Refrain from running self fixes as this will hinder the malware removal process.
    • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
    • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    • Some of the logs we ask for can take some time to analyse, so please be patient.
    • This may or may not, solve other issues you have with your machine.


    Going over your log, I will be back as soon as possible.
     
  3. DFW

    DFW Malware Specialist

    Joined:
    Jun 12, 2004
    Messages:
    1,458
    Hi oilspill

    Your log shows signs of a nasty infection, but I would like you to run a scan to confirm this. As you do not have an internet connection,
    you are going to need to use a second system to download this tool and then transfer it to the infected system.

    Place it on your desktop to run the scan. If, however, you find you cannot run the scan, boot into safe mode and try again; if you need to
    boot into safe mode, the instructions are at the bottom of this post.



    Download Kaspersky Virus Removal Tool to your Desktop.
    • Run the programme you have just downloaded (it will be randomly named).
    • Click the cog in the upper right.

    Select down to and including your main drive. Once done, select the Automatic scan tab and press Start Scan.

    • Allow Virus Removal Tool to delete all infections found
    • Once it has finished select report tab (last tab)
    • Select Detected threats report from the left and press Save button
    • Save it to your desktop and attach to your next post




    Safe mode instructions
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.



    Please post back the Kaspersky log.
     
  4. oilspill

    oilspill Thread Starter

    Joined:
    Dec 5, 2011
    Messages:
    23
    I tried several times in safe mode and before the log could be recovered the fake antivirus 2012 would interfere. I have no log to submit. I will wait for further instructions. Thank You.

    OILSpill
     
  5. DFW

    DFW Malware Specialist

    Joined:
    Jun 12, 2004
    Messages:
    1,458
    Hi oilspill


    It sounds like you were able to run the Kaspersky tool but were unable to copy the log, is that right?

    Do you still not have an internet connection?




    Run ComboFix below; however, if it will not run in normal mode, please run it in safe mode.


    Download ComboFix from here to your Desktop.

    Please visit this webpage for instructions for downloading and running ComboFix:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix.


    • You must download it to and run it from your Desktop
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, we must have this pre-installed on your machine before doing any malware removal.
      It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
      Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please save that log to post in your next reply
    • Re-enable all the programs that were disabled during the running of ComboFix.

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
    This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper.



    Post back Combofix Log and answers to questions.
     
  6. oilspill

    oilspill Thread Starter

    Joined:
    Dec 5, 2011
    Messages:
    23
    ComboFix 11-12-06.02 - Andre 12/07/2011 10:52:22.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.320 [GMT -8:00]
    Running from: H:\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    * Resident AV is active
    .
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Andre\Application Data\PriceGong
    c:\documents and settings\Andre\Application Data\PriceGong\Data\1.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\4436.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\a.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\b.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\c.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\d.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\e.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\f.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\g.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\h.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\i.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\j.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\k.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\l.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\m.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\Andre\Application Data\PriceGong\Data\n.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\o.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\p.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\q.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\r.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\s.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\t.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\u.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\v.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\w.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\wlu.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\x.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\y.txt
    c:\documents and settings\Andre\Application Data\PriceGong\Data\z.txt
    c:\documents and settings\Andre\g2ax_customer_downloadhelper_win32_x86.exe
    c:\documents and settings\Andre\g2mdlhlpx.exe
    c:\documents and settings\Andre\Local Settings\Application Data\oix.exe
    c:\documents and settings\Harumi\Local Settings\Application Data\Skype\Phone\Skype.exe
    c:\windows\$NtUninstallKB52782$\22007649\@
    c:\windows\$NtUninstallKB52782$\22007649\bckfg.tmp
    c:\windows\$NtUninstallKB52782$\22007649\cfg.ini
    c:\windows\$NtUninstallKB52782$\22007649\Desktop.ini
    c:\windows\$NtUninstallKB52782$\22007649\keywords
    c:\windows\$NtUninstallKB52782$\22007649\kwrd.dll
    c:\windows\$NtUninstallKB52782$\22007649\L\ojnomkzu
    c:\windows\$NtUninstallKB52782$\22007649\lsflt7.ver
    c:\windows\$NtUninstallKB52782$\22007649\U\[email protected]
    c:\windows\$NtUninstallKB52782$\22007649\U\[email protected]
    c:\windows\$NtUninstallKB52782$\22007649\U\[email protected]
    c:\windows\$NtUninstallKB52782$\22007649\U\[email protected]
    c:\windows\$NtUninstallKB52782$\22007649\U\[email protected]
    c:\windows\$NtUninstallKB52782$\22007649\U\[email protected]
    c:\windows\$NtUninstallKB52782$\4289545692
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\Packet.dll
    c:\windows\system32\wpcap.dll
    c:\windows\$NtUninstallKB52782$ . . . . Failed to delete
    .
    Infected copy of c:\windows\system32\drivers\mqac.sys was found and disinfected
    Restored copy from - The cat found it :)
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_MYWEBSEARCHSERVICE
    -------\Legacy_NPF
    -------\Service_MyWebSearchService
    -------\Service_NPF
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-07 to 2011-12-07 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-07 18:48 . 2011-12-07 18:48 -------- d--h--w- c:\windows\$hf_mig$
    2011-12-07 08:29 . 2011-12-07 08:29 -------- d-----w- c:\documents and settings\Administrator
    2011-12-02 00:47 . 2011-12-02 00:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
    2011-12-01 10:28 . 2011-12-01 10:29 355 ----a-w- c:\documents and settings\Andre\fix.reg
    2011-12-01 10:11 . 2011-12-01 10:11 -------- d-----w- c:\documents and settings\Andre\Application Data\Qualys
    2011-11-28 19:06 . 2011-11-28 19:06 -------- d-----w- c:\windows\Sun
    2011-11-23 07:58 . 2011-11-30 06:06 -------- d-----w- c:\windows\srchasst
    2011-11-15 06:16 . 2011-11-15 06:16 -------- d-----w- c:\program files\iPod
    2011-11-15 06:06 . 2011-11-15 06:06 -------- d-----w- c:\program files\Bonjour
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-24 22:29 . 2011-10-24 22:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 22:29 . 2011-10-24 22:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-10-10 14:22 . 2001-12-07 08:49 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2004-08-03 23:56 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 18:41 . 2008-07-30 02:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 18:41 . 2001-08-23 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 18:41 . 2001-08-23 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-14 21:40 . 2011-06-10 14:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-27 03:34 . 2011-09-14 06:42 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-04-14 21:01 . 2011-05-09 18:22 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-06-28 1195408]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "ShowDeskFix"="shell32" [X]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    ""NoLowDiscSpaceChecks""= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-10-24 22:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2011-04-08 19:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\Java\\jre6\\launch4j-tmp\\wowd.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
    "c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [5/9/2011 10:22 AM 84200]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/9/2011 10:22 AM 271480]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/9/2011 10:22 AM 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/9/2011 10:22 AM 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [5/9/2011 10:22 AM 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [5/9/2011 9:31 AM 148520]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [5/9/2011 10:22 AM 56064]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [5/9/2011 10:22 AM 314088]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [5/9/2011 10:22 AM 88736]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [5/9/2011 10:22 AM 88736]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [5/9/2011 10:22 AM 84488]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    Sqlses REG_MULTI_SZ SqlCSS
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-29 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
    .
    2010-04-22 c:\windows\Tasks\Creative Diagnostics Agent.job
    - c:\progra~1\Creative\SBLive\DIAGNO~1\diagent.exe [2009-02-05 09:01]
    .
    2011-12-07 c:\windows\Tasks\User_Feed_Synchronization-{815C80E9-85DC-4EB6-B284-5BE3F16A91F7}.job
    - c:\windows\system32\msfeedssync.exe [2001-12-07 11:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    Trusted Zone: fdipowersystem.com\www
    Trusted Zone: navy.mil\chart.donhr
    Trusted Zone: skillport.com\browser
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\Andre\Application Data\Mozilla\Firefox\Profiles\ftdtl9qx.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2416161&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Ask.com
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{CC3C8D60-29D6-4880-B9D8-443C4CBA2BEC} - (no file)
    Toolbar-Locked - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKLM-Run-ApnUpdater - c:\program files\Ask.com\Updater\Updater.exe
    Notify-Sqlseses - sqlesw32.dll
    MSConfigStartUp-MozillaAgent - c:\windows\Temp\_ex-68.exe
    AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper.dll
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-07 11:41
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6e,41,3e,d7,1d,45,2c,47,ae,de,03,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6e,41,3e,d7,1d,45,2c,47,ae,de,03,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3968)
    c:\windows\system32\WININET.dll
    c:\progra~1\mcafee\SITEAD~1\saHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\wpdshserviceobj.dll
    c:\windows\system32\portabledevicetypes.dll
    c:\windows\system32\portabledeviceapi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\netdde.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\CTsvcCDA.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
    c:\windows\system32\MsPMSPSv.exe
    c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
    c:\program files\Windows Media Player\WMPNetwk.exe
    c:\windows\system32\rundll32.exe
    c:\progra~1\mcafee\VIRUSS~1\mcvsshld.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-07 11:48:35 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-07 19:48
    .
    Pre-Run: 32,125,825,024 bytes free
    Post-Run: 32,623,595,520 bytes free
    .
    - - End Of File - - C2EC828DE03C212DCA6CC122D0C5297E
     
  7. DFW

    DFW Malware Specialist

    Joined:
    Jun 12, 2004
    Messages:
    1,458
    Hi oilspill

    Thank you for the ComboFix log. Can you answer the questions from my last post?


    It sounds like you were able to run the Kaspersky tool but were unable to copy the log, is that right?

    Do you still not have an internet connection?



    .................
     
  8. oilspill

    oilspill Thread Starter

    Joined:
    Dec 5, 2011
    Messages:
    23
    I downloaded Kaspersky from another computer and installed it on the desktop via a thumb drive.

    The internet is up, thanks to ComboFix. After the ComboFix log I rebooted the computer and I was able to go online. I will wait for your reply. Thank you.
     
  9. DFW

    DFW Malware Specialist

    Joined:
    Jun 12, 2004
    Messages:
    1,458
    Hi oilspill, that's great.


    Run an ESET online scan

    You can use either Internet Explorer or Mozilla FireFox for this scan.

    Windows Vista or Windows 7 users, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • First please Disable any Antivirus you have active, as shown in This topic.
    • Note: Don't forget to re-enable it after the scan.
    • Next hold down Control then click on the following link to open a new window to the ESET online scanner
    • Select the option YES, I accept the Terms of Use then click on Start.
    • When prompted allow the Add-On/Active X to install.
    • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
    • Now click on Advanced Settings and select the following:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
    • Now click on Start.
    • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
    • When completed the Online Scan will begin automatically.
    • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
    • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
    • Now click on Finish.
    • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    • Copy and paste that log as a reply to this topic.
     
  10. oilspill

    oilspill Thread Starter

    Joined:
    Dec 5, 2011
    Messages:
    23
I did not save the log. I copied it to the desktop but I cannot open it. Should I run the ESET scan again?
    Thank You.
     
  11. DFW

    DFW Malware Specialist

    Joined:
    Jun 12, 2004
    Messages:
    1,458
Ok, it is very important that we see this log; it will open in a plain Notepad file, so there should be no problem posting this one.


    Download and Run MalwareBytes' Anti-Malware It is free for home use.
Please go here to the Download Location, click on Download in the Free column.
    When the next page comes up, click on the Download Now button.
    • After clicking on the download and choosing Save, the "Save to location" dialog will come up.
    • Click the browse folders button, then click on Desktop on the left as the location for the installer and click Save again. Close the dialog when the download is complete.
    • You should now have a desktop icon named mbam-setup.exe. (If the download was saved somewhere else, locate it and copy or move it to your desktop).
    • Double Click the download to run the installer.
    • Let it install where it wants to, with the default settings, and click Finish.
    • If an update is found, it will download and install the latest version. A shield symbol will show on the desktop icon while it is updating, and will disappear when it's done.
    • If necessary, start Malwarebytes Anti-Malware again.
      (You can Decline any Offer for a Trial if you don't want the paid version)
    • Once the program has started up, select Perform Quick Scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • If it found any malware items, check all items except items in the C:\System Volume Information folder... and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
    • The log can also be found using the "Logs" tab in the program. You can click any "Scan" log listed to open its contents. The logs are listed and named by time/date stamp.

    Post back MalwareBytes Log.
     
  12. oilspill

    oilspill Thread Starter

    Joined:
    Dec 5, 2011
    Messages:
    23
    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org
    Database version: 8344
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702
    12/9/2011 2:48:15 PM
    mbam-log-2011-12-09 (14-48-15).txt
    Scan type: Quick scan
    Objects scanned: 223318
    Time elapsed: 7 minute(s), 39 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 1
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 1
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    HKEY_CLASSES_ROOT\AH (Rogue.MultipleAV) -> Quarantined and deleted successfully.
    Registry Values Infected:
    HKEY_CLASSES_ROOT\ah\Content Type (Rogue.MultipleAV) -> Value: Content Type -> Quarantined and deleted successfully.
    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Andre\Local Settings\Application Data\owf.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    c:\program files\mozilla firefox\plugins\NPMyWebS.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
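The MBAM log above records a Hijack.StartMenuInternet entry whose "Bad:" value points the browser's safe-mode command at an executable dropped under the user profile. Below is an added example (not part of the thread or of Malwarebytes) that parses lines in this log format and, for StartMenuInternet entries, reports which binary was substituted for the browser named in the key; the sample lines are constructed from the log posted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Lines in the MBAM 1.51 log format, taken from the log posted above
# (constructed sample input for this example, not a live scan).
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_CLASSES_ROOT\AH (Rogue.MultipleAV) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Andre\Local Settings\Application Data\owf.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
Files Infected:
c:\program files\mozilla firefox\plugins\NPMyWebS.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
"""
# "<object> (<detection>) -> ..."; the last " -> " segment is the action taken.
ENTRY = re.compile(r"^(?P<obj>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
# Registry data items also record the bad value and the expected (good) value.
BAD_GOOD = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\)$")

@dataclass
class Finding:
    section: str
    obj: str
    detection: str
    action: str
    bad: Optional[str] = None   # only set for Registry Data Items
    good: Optional[str] = None

def parse_mbam_log(text: str) -> List[Finding]:
    findings, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):
            section = line[:-1]          # e.g. "Registry Keys Infected"
        elif (m := ENTRY.match(line)):
            parts = m["rest"].split(" -> ")
            f = Finding(section, m["obj"], m["detection"], parts[-1])
            bg = BAD_GOOD.match(" -> ".join(parts[:-1]))
            if bg:
                f.bad, f.good = bg["bad"], bg["good"]
            findings.append(f)
    return findings

def hijacked_launcher(f: Finding) -> Optional[str]:
    """Binary a StartMenuInternet hijack substituted for the browser, else None."""
    if f.detection != "Hijack.StartMenuInternet" or not f.bad:
        return None
    # The key name (FIREFOX.EXE) is the browser the command is supposed to launch.
    browser = f.obj.split("\\StartMenuInternet\\")[1].split("\\")[0].lower()
    first = re.match(r'"([^"]+)"|(\S+)', f.bad)   # first (possibly quoted) token
    launcher = (first.group(1) or first.group(2)).rsplit("\\", 1)[-1]
    return None if launcher.lower() == browser else launcher
```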
     
  13. oilspill

    oilspill Thread Starter

    Joined:
    Dec 5, 2011
    Messages:
    23
Web pages load faster in Mozilla than in Internet Explorer; is this an indication that I should use Mozilla only? I am very pleased with the help you have provided, I am probably almost healed. Thanks, I will wait for further detail.
     
  14. DFW

    DFW Malware Specialist

    Joined:
    Jun 12, 2004
    Messages:
    1,458
• Please run the Kaspersky antivirus-removal-tool again.
    • Click the cog in the upper right.

    Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan

    • Allow Virus Removal Tool to delete all infections found
    • Once it has finished select report tab (last tab)
    • Select Detected threats report from the left and press Save button
    • Save it to your desktop and attach to your next post



    Please download DDS by sUBs from one of the links below, save it to your Desktop (Note: It must be in this location).
    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
• A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply



    Post back

    Both DDS Logs
Kaspersky Log
     
  15. oilspill

    oilspill Thread Starter

    Joined:
    Dec 5, 2011
    Messages:
    23
    Status: Deleted (events: 3)
    12/10/2011 9:31:36 PM Deleted Trojan program Trojan-FakeAV.Win32.PrivacyProtection.p C:\System Volume Information\_restore{280BADB9-A587-4C99-A273-2F657C8A3869}\RP974\A0084100.lnk High
    12/10/2011 8:47:37 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\Andre\Application Data\Sun\Java\Deployment\cache\6.0\49\2e677631-415862b0 High
    12/10/2011 7:47:33 PM Deleted virus HEUR:Trojan.Win32.Generic c:\WINDOWS\system32\drivers\netbt.sys High
    Status: Disinfected (events: 1)
    12/10/2011 7:38:02 PM Disinfected virus Virus.Win32.RLoader.a c:\WINDOWS\system32\drivers\acpi.sys High
     
Short URL to this thread: https://techguy.org/1029850