PeterE32

Antivirus System PRO (fake anti-virus) taking over computer and causing multiple pop-ups - assistance required to remove

Hi all,

Some malware has somehow got through McAfee and installed itself on my home computer.  This has happened in the last few days.  I'm not sure how it actually got on here.

The effects so far have been:

1.) Installation of 'Antivirus System Pro'.  This program cannot be closed on the taskbar and constantly warns of 'virus threats' by a dialog box popping up every few seconds. It has dramatically affected the performance of the PC.

2.) Frequent pop-up advertisements in IE - these began approx one day before Antivirus System Pro installed itself.

3.) When trying to run HijackThis as suggested in the forum, Antivirus System Pro has managed to stop it from running and/or prevented Notepad from opening.  I did a quick Google search about this malware and found that if I ended the process sysguard.exe in Task Manager, Antivirus System Pro closes and permitted me to perform the analysis of the logs.

4.) THEREFORE, THE LOG  POSTED BELOW HAS BEEN RUN WITHOUT 'SYSGUARD.EXE' RUNNING. 

5.) As I write this log, McAfee has warned that a trojan has tried to install itself.  I presume this is Antivirus System Pro re-installing/activating itself again, following me ending sysguard.exe just a few minutes ago in order to run HijackThis.

The computer runs Windows XP. 

I would really value your expert help in removing this malware from my PC.

Kind regards,

Peter

I post the HijackThis log below as requested.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:43:38, on 03/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\msa.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\ld12.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Documents and Settings\Peter\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=en&client=dell-inc&channel=uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=en&client=dell-inc&channel=uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=en&client=dell-inc&channel=uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LowRiskFileTypes] C:\WINDOWS\sysguard.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\PROGRA~1\MOZILL~1\plugins\GetFlash.exe -p (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\PROGRA~1\MOZILL~1\plugins\GetFlash.exe -p (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1226425545515
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E33968CE-FF77-4DC3-A052-2921C0D60177} (LoaderOnline Class) - https://www.remotecontrol26.co.uk/dms%20website/kiosk/Bootstrap/2.6.8.744/BootstrapXP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{68B052B7-C01A-4E54-BCD8-08551377DCF2}: NameServer = 212.139.132.4 212.139.132.5
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: dlcf_device -   - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 11488 bytes
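As an added example (not part of this thread, and not code from HijackThis or DDS), here is a small Python triage script for the O4 / uRun / mRun lines and the running-process list in logs like the one above. It applies the pattern this log shows, an executable dropped directly into the Windows root and registered under a Run value whose name is unrelated to the file, and reports candidates for an analyst to check rather than verdicts; the sample lines are copied from the log above.

```python
"""Triage of HijackThis / DDS autorun lines for rogue-AV style persistence.
Added example for this thread (not HijackThis, DDS or the posters' code). The
pattern from the log above: a short-named .exe dropped directly into the Windows
root, registered under a Run value whose name is unrelated to the file
([LowRiskFileTypes] -> sysguard.exe, [sysldtray] -> ld12.exe). Output is a list
of candidates for the analyst, not a verdict."""
import re

# HijackThis form:  O4 - HKCU\..\Run: [LowRiskFileTypes] C:\WINDOWS\sysguard.exe
# DDS form:         uRun: [LowRiskFileTypes] c:\windows\sysguard.exe
HJT_O4 = re.compile(r"^O4 - (?P<hive>HK\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
DDS_RUN = re.compile(r"^(?P<hive>[umd])(?P<key>Run\w*): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
WINDIR_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)   # no subdirectory below \windows
PROCESS_PATH = re.compile(r"^[a-z]:\\.*\.exe\b", re.I)        # a "Running processes" line
ROOT_REASON = "executable placed directly in the Windows root"

def executable_path(cmd):
    """Return the program (or, for rundll32, the DLL) that a Run value launches."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):                      # quoted path, possibly followed by arguments
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    if tokens[0].lower() in ("rundll32", "rundll32.exe") and len(tokens) > 1:
        tokens = tokens[1:]                      # the DLL after rundll32 is what matters
    acc = ""
    for tok in tokens:                           # unquoted paths may contain spaces
        acc = tok if not acc else acc + " " + tok
        candidate = acc.split(",", 1)[0]         # drop rundll32's ",EntryPoint" suffix
        if candidate.lower().endswith((".exe", ".dll", ".scr")):
            return candidate
    return tokens[0].split(",", 1)[0]

def name_matches_file(name, exe):
    """Loose check that the Run value name refers to the file it launches."""
    stem = re.sub(r"[^a-z0-9]", "", exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower())
    tokens = [t for t in re.findall(r"[a-z0-9]+", name.lower()) if len(t) >= 3]
    return bool(stem) and (stem in "".join(tokens) or any(t in stem for t in tokens))

def triage_autorun(line):
    """Classify one O4 / uRun / mRun / dRun line; None when nothing stands out."""
    m = HJT_O4.match(line) or DDS_RUN.match(line)
    if not m:
        return None
    name, exe = m.group("name"), executable_path(m.group("cmd"))
    reasons = []
    if not exe:
        reasons.append("Run value has no command")
    else:
        if WINDIR_ROOT.match(exe):
            reasons.append(ROOT_REASON)
        elif "\\" not in exe:
            reasons.append("bare filename, resolved through PATH at logon")
        if not name_matches_file(name, exe):
            reasons.append("value name unrelated to the file it launches")
    if not reasons:
        return None
    severity = "high" if ROOT_REASON in reasons else "review"
    return {"name": name, "exe": exe, "severity": severity, "reasons": reasons}

def triage_process(line):
    """Flag a running process whose image sits directly in the Windows root."""
    if not PROCESS_PATH.match(line):
        return None
    exe = executable_path(line)
    if not WINDIR_ROOT.match(exe):
        return None
    return {"name": "(running process)", "exe": exe, "severity": "high", "reasons": [ROOT_REASON]}

def triage_log(text):
    """Run both checks over every line of a pasted log."""
    lines = (raw.strip() for raw in text.splitlines())
    return [f for f in (triage_autorun(l) or triage_process(l) for l in lines) if f]

def high_findings(text):
    """Lower-cased paths of the 'high' findings, de-duplicated across HJT and DDS lines."""
    return sorted({f["exe"].lower() for f in triage_log(text) if f["severity"] == "high"})

# Constructed sample: a few lines copied from the HijackThis and DDS logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LowRiskFileTypes] C:\WINDOWS\sysguard.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
uRun: [LowRiskFileTypes] c:\windows\sysguard.exe
mRun: [<NO NAME>]
C:\WINDOWS\msa.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['severity']:6} [{f['name']}] {f['exe']}: {'; '.join(f['reasons'])}")
```

Entries rated "review" (a bare filename such as stsystra.exe, or a value name that does not resemble the file) are noisy by design and only mark lines worth a second look; the "high" rating is reserved for files sitting directly in the Windows root.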

11 Replies

Re: Antivirus System PRO (fake anti-virus) taking over computer and causing multiple pop-ups - assistance required to remove

Hi Peter,

Welcome. Thank you for using Dell Community Forums.

I am reviewing your log. In the meantime, you can help me by addressing the following:

* Please right-click on an empty space on your desktop and choose New > Folder
Name it HijackThis (HJT, or something similar)
Right-click HijackThis.exe, choose Cut.
Double-click (to open) the folder you created.
Right-click inside and choose Paste.
That will keep the Backups Folder in the same directory with the HijackThis tool.

* Have you posted this issue on another forum? If so, please provide a link to the topic.

* If you have disabled System Restore in an attempt to begin cleaning malware, please enable it now. We will flush System Restore when we are finished cleaning and we are sure that everything is running smoothly.

* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE.

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer.  The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a partial list HERE.    

* If this computer belongs to someone else, do you have authority to apply the fixes we will use?

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures. Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using. Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. It is understood by the trained analysts that once a helper replies to a log, he continues working with you until the issue is resolved.

* During the course of our cleanup please do not do any additional online work or surfing until we have verified that your system is clean.

* We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case. Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.

I look forward to your reply so we can begin cleaning.

Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a log at the top of this board to start a new forum topic.

Windows Insider MVP 2016 -

Microsoft MVP - Consumer Security 2006-2016

Social Media and Community Professional

PeterE32

Re: Antivirus System PRO (fake anti-virus) taking over computer and causing multiple pop-ups - assistance required to remove

Hi Bugbatter.

Many thanks for your response and assistance.

Please see my response below.

Many thanks in advance,

Peter

* Please right-click on an empty space on your desktop and choose New > Folder
Name it HijackThis (HJT, or something similar)
Right-click HijackThis.exe, choose Cut.
Double-click (to open) the folder you created.
Right-click inside and choose Paste.
That will keep the Backups Folder in the same directory with the HijackThis tool.

Done

* Have you posted this issue on another forum? If so, please provide a link to the topic. No - this is the first forum

* If you have disabled System Restore in an attempt to begin cleaning malware, please enable it now. We will flush System Restore when we are finished cleaning and we are sure that everything is running smoothly.  I have not disabled System Restore.  Could you confirm how I can check that it is definitely enabled? Also, should I set a System Restore point before cleaning?

* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE.

I have no such software installed.

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer.  The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a partial list HERE.    

I don't have any P2P software installed.

* If this computer belongs to someone else, do you have authority to apply the fixes we will use?

This computer belongs to me.

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures. Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using. Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. It is understood by the trained analysts that once a helper replies to a log, he continues working with you until the issue is resolved. Will do.

* During the course of our cleanup please do not do any additional online work or surfing until we have verified that your system is clean. Will do

* We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case. Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.

I have McAfee installed which is currently active.  I will keep the protection on unless you advise otherwise.


Re: Antivirus System PRO (fake anti-virus) taking over computer and causing multiple pop-ups - assistance required to remove

Thank you for the info. We may have to temporarily disable or uninstall McAfee so it does not interfere with our tools, but I'll let you know as we go along if that will be necessary.

We need to see some additional information about what is happening in your machine.

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • Click Yes at the prompt for Optional Scan.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

  • Save both reports to your desktop.
  • Copy/paste both logs to your reply on the forum.
  • Close the program window, and delete the program from your desktop.
  • Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE.


PeterE32

Re: Antivirus System PRO (fake anti-virus) taking over computer and causing multiple pop-ups - assistance required to remove

Hi Bugbatter,

Thanks for your timely response. I have followed your instructions.  I did not need to disable script protection nor did I need to disable McAfee (don't know if that information helps or not!)

Please see my responses below - just to note, that 'sysguard.exe' was NOT running, as was the case when I ran the HijackThis log (this is the .exe I believe is causing the main problems with the virus).  Let me know if you would like me to restart and run either/both with this process running.

Kind regards,

Peter

DDS

DDS (Ver_09-06-26.01) - NTFSx86
Run by Peter at 12:49:42.46 on 03/07/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.525 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)   {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled*   {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\msa.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
svchost
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Documents and Settings\Peter\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-inc&channel=uk
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-inc&channel=uk
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [STManager] "c:\program files\speedtouch\dr speedtouch\drst.exe" -b
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LowRiskFileTypes] c:\windows\sysguard.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [DLCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCFtime.dll,_RunDLLEntry@16
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe
mRun: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [MSKDetectorExe] c:\progra~1\mcafee\spamki~1\MSKDetct.exe /startup
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [sysldtray] c:\windows\ld12.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [FlashPlayerUpdate] c:\progra~1\mozill~1\plugins\GetFlash.exe -p
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aol90t~1.lnk - c:\program files\aol 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1226425545515
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E33968CE-FF77-4DC3-A052-2921C0D60177} - hxxps://www.remotecontrol26.co.uk/dms%20website/kiosk/Bootstrap/2.6.8.744/BootstrapXP.cab
TCP: {68B052B7-C01A-4E54-BCD8-08551377DCF2} = 212.139.132.4 212.139.132.5
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\peter\applic~1\mozilla\firefox\profiles\l94qdhjx.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-27 214024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-3 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-2-27 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-27 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-27 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-27 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-27 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-27 34216]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-27 40552]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-6-14 29744]

    =============== Created Last 30 ================

    2009-07-02 22:03    2    a-------    c:\windows\0101120101465749.dat
    2009-07-02 22:02    1    ----h---    c:\windows\bf23567.dat
    2009-07-02 22:02    65,536    a-------    c:\windows\freddy49.exe
    2009-07-02 21:02    2    a-------    c:\windows\010112010146118114.dat
    2009-07-02 21:01    306,432    a-------    c:\windows\sysguard.exe
    2009-07-02 21:00    31,232    --------    c:\windows\ld12.exe
    2009-06-28 13:26    117,252    a-------    c:\windows\msa.exe
    2009-06-12 11:05    244    a---h---    C:\sqmnoopt06.sqm
    2009-06-12 11:05    232    a---h---    C:\sqmdata06.sqm

    ==================== Find3M  ====================

    2009-05-20 17:40    5,018    a--sh---    c:\windows\system32\KGyGaAvL.sys
    2009-05-07 16:32    345,600    a-------    c:\windows\system32\localspl.dll
    2009-05-07 16:32    345,600    --------    c:\windows\system32\dllcache\localspl.dll
    2009-04-29 05:56    827,392    a-------    c:\windows\system32\wininet.dll
    2009-04-29 05:56    827,392    a-------    c:\windows\system32\dllcache\wininet.dll
    2009-04-29 05:56    233,472    --------    c:\windows\system32\dllcache\webcheck.dll
    2009-04-29 05:56    1,159,680    a-------    c:\windows\system32\dllcache\urlmon.dll
    2009-04-29 05:56    671,232    a-------    c:\windows\system32\dllcache\mstime.dll
    2009-04-29 05:56    44,544    a-------    c:\windows\system32\dllcache\pngfilt.dll
    2009-04-29 05:56    105,984    --------    c:\windows\system32\dllcache\url.dll
    2009-04-29 05:56    102,912    --------    c:\windows\system32\dllcache\occache.dll
    2009-04-29 05:56    3,596,288    a-------    c:\windows\system32\dllcache\mshtml.dll
    2009-04-29 05:56    477,696    a-------    c:\windows\system32\dllcache\mshtmled.dll
    2009-04-29 05:56    193,024    a-------    c:\windows\system32\dllcache\msrating.dll
    2009-04-28 10:05    70,656    --------    c:\windows\system32\dllcache\ie4uinit.exe
    2009-04-28 10:05    13,824    --------    c:\windows\system32\dllcache\ieudinit.exe
    2009-04-25 06:27    636,088    --------    c:\windows\system32\dllcache\iexplore.exe
    2009-04-25 06:26    161,792    --------    c:\windows\system32\dllcache\ieakui.dll
    2009-04-17 13:26    1,847,168    a-------    c:\windows\system32\win32k.sys
    2009-04-17 13:26    1,847,168    --------    c:\windows\system32\dllcache\win32k.sys
    2009-04-15 15:51    585,216    a-------    c:\windows\system32\rpcrt4.dll
    2009-04-15 15:51    585,216    --------    c:\windows\system32\dllcache\rpcrt4.dll
    2008-09-06 20:16    32,768    a--sh---    c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat

    ============= FINISH: 12:51:09.25 ===============

    Attach


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-06-26.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 19/06/2006 22:35:07
    System Uptime: 07/03/2009 09:28:41 (2835 hours ago)

    Motherboard: Dell Inc.           |  | 0HJ054
    Processor:               Intel(R) Pentium(R) D CPU 3.00GHz | Microprocessor | 2992/800mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 144 GiB total, 115.525 GiB free.
    D: is CDROM ()
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP678: 04/04/2009 19:11:14 - System Checkpoint
    RP679: 05/04/2009 19:18:48 - System Checkpoint
    RP680: 06/04/2009 21:16:24 - System Checkpoint
    RP681: 08/04/2009 09:52:55 - System Checkpoint
    RP682: 09/04/2009 15:07:00 - System Checkpoint
    RP683: 10/04/2009 18:14:51 - System Checkpoint
    RP684: 11/04/2009 19:30:23 - System Checkpoint
    RP685: 12/04/2009 19:46:21 - System Checkpoint
    RP686: 13/04/2009 20:31:29 - System Checkpoint
    RP687: 14/04/2009 21:07:54 - System Checkpoint
    RP688: 15/04/2009 22:36:43 - Software Distribution Service 3.0
    RP689: 16/04/2009 10:40:43 - Software Distribution Service 3.0
    RP690: 17/04/2009 10:43:38 - System Checkpoint
    RP691: 18/04/2009 12:40:31 - System Checkpoint
    RP692: 19/04/2009 13:29:10 - System Checkpoint
    RP693: 26/04/2009 16:03:52 - System Checkpoint
    RP694: 27/04/2009 17:05:03 - System Checkpoint
    RP695: 28/04/2009 17:15:19 - System Checkpoint
    RP696: 29/04/2009 17:47:27 - System Checkpoint
    RP697: 29/04/2009 22:06:08 - Software Distribution Service 3.0
    RP698: 01/05/2009 10:46:03 - System Checkpoint
    RP699: 02/05/2009 10:55:38 - System Checkpoint
    RP700: 03/05/2009 13:09:47 - System Checkpoint
    RP701: 04/05/2009 15:45:31 - System Checkpoint
    RP702: 05/05/2009 16:19:01 - System Checkpoint
    RP703: 06/05/2009 16:19:46 - System Checkpoint
    RP704: 07/05/2009 21:23:51 - System Checkpoint
    RP705: 08/05/2009 22:11:11 - System Checkpoint
    RP706: 10/05/2009 13:14:42 - System Checkpoint
    RP707: 11/05/2009 16:57:04 - System Checkpoint
    RP708: 12/05/2009 17:15:53 - System Checkpoint
    RP709: 13/05/2009 17:59:50 - System Checkpoint
    RP710: 13/05/2009 22:06:08 - Software Distribution Service 3.0
    RP711: 15/05/2009 12:01:36 - System Checkpoint
    RP712: 17/05/2009 18:06:02 - System Checkpoint
    RP713: 18/05/2009 19:25:33 - System Checkpoint
    RP714: 20/05/2009 09:57:01 - System Checkpoint
    RP715: 22/05/2009 06:39:27 - System Checkpoint
    RP716: 23/05/2009 15:05:47 - System Checkpoint
    RP717: 25/05/2009 11:09:06 - System Checkpoint
    RP718: 26/05/2009 13:04:06 - System Checkpoint
    RP719: 27/05/2009 13:16:05 - System Checkpoint
    RP720: 30/05/2009 11:38:05 - System Checkpoint
    RP721: 01/06/2009 10:54:30 - System Checkpoint
    RP722: 03/06/2009 21:51:54 - System Checkpoint
    RP723: 05/06/2009 15:32:23 - System Checkpoint
    RP724: 06/06/2009 21:00:41 - System Checkpoint
    RP725: 08/06/2009 15:47:20 - System Checkpoint
    RP726: 09/06/2009 15:51:59 - System Checkpoint
    RP727: 10/06/2009 17:50:28 - System Checkpoint
    RP728: 11/06/2009 18:52:48 - System Checkpoint
    RP729: 11/06/2009 21:20:23 - Software Distribution Service 3.0
    RP730: 13/06/2009 09:51:46 - System Checkpoint
    RP731: 14/06/2009 11:07:22 - System Checkpoint
    RP732: 17/06/2009 08:33:19 - System Checkpoint
    RP733: 18/06/2009 14:41:19 - System Checkpoint
    RP734: 19/06/2009 15:17:02 - System Checkpoint
    RP735: 20/06/2009 15:20:57 - System Checkpoint
    RP736: 21/06/2009 15:41:59 - System Checkpoint
    RP737: 22/06/2009 16:41:29 - System Checkpoint
    RP738: 23/06/2009 16:42:32 - System Checkpoint
    RP739: 24/06/2009 18:24:20 - System Checkpoint
    RP740: 25/06/2009 18:36:47 - System Checkpoint
    RP741: 26/06/2009 21:44:30 - System Checkpoint
    RP742: 28/06/2009 10:34:05 - System Checkpoint
    RP743: 29/06/2009 10:48:56 - System Checkpoint
    RP744: 30/06/2009 11:23:39 - System Checkpoint
    RP745: 01/07/2009 11:56:44 - System Checkpoint
    RP746: 02/07/2009 12:48:15 - System Checkpoint

    ==== Installed Programs ======================

    725plc32
    Adobe Flash Player 10 ActiveX
    Adobe Reader 7.0
    AOL Coach Version 1.0(Build:20040229.1 uk)
    AOL Connectivity Services
    AOL Spyware Protection
    AOL UK (Choose which version to remove)
    AOL You've Got Pictures Screensaver
    Apple Mobile Device Support
    Apple Software Update
    ARTEuro
    Bonjour
    Canon Camera Access Library
    Canon Camera Support Core Library
    Canon Camera Window DC_DV 5 for ZoomBrowser EX
    Canon Camera Window DC_DV 6 for ZoomBrowser EX
    Canon Camera Window MC 6 for ZoomBrowser EX
    Canon G.726 WMP-Decoder
    Canon MovieEdit Task for ZoomBrowser EX
    Canon RAW Image Task for ZoomBrowser EX
    Canon RemoteCapture Task for ZoomBrowser EX
    Canon Utilities EOS Utility
    Canon Utilities PhotoStitch
    Canon Utilities ZoomBrowser EX
    Classic PhoneTools
    Conexant D850 56K V.9x DFVc Modem
    Corel Paint Shop Pro X
    Corel Photo Album 6
    Dell CinePlayer
    Dell Color Printer 725
    Dell Driver Reset Tool
    Dell Support 5.0.0 (630)
    Dell System Restore
    Digital Line Detect
    Dr SpeedTouch
    GemMaster Mystic
    Google Desktop
    Google Earth
    High Definition Audio Driver Package - KB835221
    HijackThis 2.0.2
    Hotfix 2050 for SQL Server 2000 ENU (KB948110)
    Hotfix 2055 for SQL Server 2000 ENU (KB960082)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows XP (KB952287)
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections Drivers
    Intel(R) PROSet for Wired Connections
    Interactive Bookkeeping Tutor (version 4)
    iTunes
    Java 2 Runtime Environment, SE v1.4.2_03
    Learn2 Player (Uninstall Only)
    Logitech QuickCam
    McAfee SecurityCenter
    McAfee Uninstaller
    MCU
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Outlook 2003 with Business Contact Manager Update
    Microsoft Office Small Business Edition 2003
    Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
    Modem Helper
    Mozilla Firefox (3.0.11)
    Mozilla Thunderbird (2.0.0.22)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    NetWaiting
    Otto
    QuickTime
    RealPlayer Basic
    Roxio DLA
    Roxio RecordNow Audio
    Roxio RecordNow Copy
    Roxio RecordNow Data
    Search Assist
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Sonic Activation Module
    Sonic Encoders
    Sonic Update Manager
    SpeedTouch USB Software
    Tiscali Internet
    Update for Windows Media Player 10 (KB910393)
    Update for Windows Media Player 10 (KB913800)
    Update for Windows Media Player 10 (KB926251)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    URL Assistant
    Viewpoint Media Player
    Wanadoo Europe Installer
    WebCam for MSN Messenger
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Live Messenger
    Windows Media Format Runtime
    Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
    Windows XP Media Center Edition 2005 KB908246
    Windows XP Media Center Edition 2005 KB912067
    Windows XP Service Pack 3

    ==== Event Viewer Messages From Past Week ========

    27/06/2009 00:12:33, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the dlcf_device service to connect.
    27/06/2009 00:12:33, error: Service Control Manager [7000]  - The dlcf_device service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
    27/06/2009 00:12:33, error: DCOM [10005]  - DCOM got error "%1053" attempting to start the service dlcf_device with arguments "" in order to run the server: {323CE21C-A448-40AA-BA74-7FCF1E441060}
    02/07/2009 22:05:55, error: Service Control Manager [7031]  - The McAfee Real-time Scanner service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

    ==== End Of File ===========================


    Re: Antivirus System PRO (fake anti-virus) taking over computer and causing multiple pop-ups - assistance required to remove

    I can see the malware in there. Let's try scanning with MBAM.

    * If you are unable to download or install MBAM on your computer, see if you can use a friend's or family member's computer to download MBAM. Use the update link mentioned below to manually update. Once downloaded, rename the program installer "mbam-setup.exe" file to something else like "lookinhere.exe". Copy the installer file and the update file to a CD or flash drive. Transfer the files to the infected computer. Install the "lookinhere.exe" file, then run the update so that you will have the current definitions. After that, run a full system scan and select to have the program REMOVE whatever it finds.

      Please download Malwarebytes Anti-Malware and save it to your desktop.
    alternate download link 1
    alternate download link 2

    • Make sure you are connected to the Internet.
    • Double-click on mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.

    MBAM will automatically start and you will be asked to update the program before performing a scan.

    • If an update is found, the program will automatically update itself.
    • Press the OK button to close that box and continue.
    • If you encounter any problems while downloading the updates, manually download them from here
      and just double-click on mbam-rules.exe to install.
      Alternatively, you can update through MBAM's interface from a clean computer,
      copy the definitions (rules.ref) located in
      C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes'
      Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

    On the Scanner tab:

    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top.
    • It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.

    Back at the main Scanner screen:

    • Click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report along with a fresh HijackThis log into your next reply and exit MBAM.

    Note:-- If MBAM encounters a file that is difficult to remove,
    you may be asked to reboot your computer so it can proceed with the disinfection process.
    Regardless if prompted to restart the computer or not, please do so immediately.
    Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

    -- MBAM may make changes to your registry as part of its disinfection routine.
    If you're using other security programs that detect registry changes (like Spybot's Teatimer),
    they may interfere with the fix or alert you after scanning with MBAM.
    Please disable such programs until disinfection is complete or permit them to allow the changes.

     

    **If you need to re-install MBAM but encounter issues re-installing it, try using the MBAM Cleanup Utility by downloading it from HERE


    Windows Insider MVP 2016 -

    Microsoft MVP - Consumer Security 2006-2016

    Social Media and Community Professional
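The helper above says the malware is visible in the DDS log, and the "Created Last 30" section of the first post is where it shows: several executables and tiny, digit-named .dat files dropped straight into the Windows directory within about an hour of each other. The script below is an added example for this thread, not part of the DDS tool, MBAM or any post here. It parses lines in the layout DDS prints (date, time, size, eight attribute flags, path) and applies a few defender-side triage heuristics so the same pattern can be picked out of any such listing. The sample lines are constructed to mirror the posted log; the heuristics, thresholds, window size and function names are the example's own assumptions.

```python
"""Triage of a DDS-style 'Created Last 30' listing.

Added example for the forum thread; not part of DDS, MBAM or the posts.
It parses the line layout DDS prints and flags what a helper looks for:
executables and tiny digit-named .dat files created directly in the
Windows directory, clustered within a short time window.
"""
import ntpath
import re
from datetime import datetime, timedelta

# One DDS line: "YYYY-MM-DD HH:MM   <size>   <8 attribute flags>   <path>"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+([a-z-]{8})\s+(\S.*)$"
)
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com"}

# Constructed sample modelled on the listing posted in the thread.
SAMPLE_LISTING = r"""
2009-07-02 22:03    2    a-------    c:\windows\0101120101465749.dat
2009-07-02 22:02    1    ----h---    c:\windows\bf23567.dat
2009-07-02 22:02    65,536    a-------    c:\windows\freddy49.exe
2009-07-02 21:02    2    a-------    c:\windows\010112010146118114.dat
2009-07-02 21:01    306,432    a-------    c:\windows\sysguard.exe
2009-07-02 21:00    31,232    --------    c:\windows\ld12.exe
2009-06-28 13:26    117,252    a-------    c:\windows\msa.exe
2009-06-12 11:05    244    a---h---    C:\sqmnoopt06.sqm
2009-06-12 11:05    232    a---h---    C:\sqmdata06.sqm
"""


def parse_created_entries(text):
    """Return one dict per recognised line; headers and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "when": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
            "size": int(m.group(2).replace(",", "")),
            "attrs": m.group(3),
            "path": m.group(4).strip(),
        })
    return entries


def suspicion_reasons(entry):
    """Heuristics for one entry (assumed thresholds); empty list means nothing stood out."""
    path = entry["path"]
    in_windows_root = ntpath.dirname(path).lower().endswith(":\\windows")
    stem, ext = ntpath.splitext(ntpath.basename(path))
    ext = ext.lower()
    digit_share = sum(c.isdigit() for c in stem) / len(stem) if stem else 0.0

    reasons = []
    if in_windows_root and ext in EXECUTABLE_EXTS:
        reasons.append("executable created directly in the Windows directory")
    if in_windows_root and ext == ".dat" and entry["size"] < 16:
        reasons.append("tiny .dat marker file in the Windows directory")
    if in_windows_root and "h" in entry["attrs"]:
        reasons.append("hidden attribute on a file in the Windows directory")
    if digit_share >= 0.5:
        reasons.append("digit-heavy file name")
    return reasons


def flag_entries(entries):
    """Keep only entries with at least one reason, oldest first."""
    flagged = [dict(e, reasons=suspicion_reasons(e)) for e in entries]
    flagged = [e for e in flagged if e["reasons"]]
    return sorted(flagged, key=lambda e: e["when"])


def cluster_by_time(flagged, window=timedelta(hours=2)):
    """Group flagged entries whose creation time is within `window` of the previous one."""
    clusters = []
    for e in flagged:
        if clusters and e["when"] - clusters[-1][-1]["when"] <= window:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


def triage(text):
    """Parse a listing and return time clusters of suspicious entries."""
    return cluster_by_time(flag_entries(parse_created_entries(text)))


if __name__ == "__main__":
    for cluster in triage(SAMPLE_LISTING):
        first, last = cluster[0]["when"], cluster[-1]["when"]
        print(f"cluster of {len(cluster)} file(s), {first:%Y-%m-%d %H:%M} to {last:%Y-%m-%d %H:%M}")
        for e in cluster:
            print(f"  {e['path']}: {'; '.join(e['reasons'])}")
```

Run against the sample, the six files from the evening of 2 July fall into one cluster and msa.exe from 28 June stands alone, while the two .sqm files in the drive root and ordinary system32 DLLs produce no reasons at all. The point is triage, not verdicts: a clustered burst of new executables in the Windows directory is what justifies handing the machine to a scanner such as MBAM, which then confirms the files (as Peter's log below does).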

    PeterE32

    Re: Antivirus System PRO (fake anti-virus) taking over computer and causing multiple pop-ups - assistance required to remove

    Hi Bugbatter,

    I have followed your instructions.  MBAM found several items which it removed, some after a reboot.

    After the re-boot, the fake anti-virus software does not appear to have loaded (which I hope is a good sign!).

    Please see the MBAM log and the updated HijackThis log below.

    Many thanks for your help.

    Peter

    MBAM log

    Malwarebytes' Anti-Malware 1.38
    Database version: 2368
    Windows 5.1.2600 Service Pack 3

    03/07/2009 15:02:42
    mbam-log-2009-07-03 (15-02-42).txt

    Scan type: Quick Scan
    Objects scanned: 126296
    Time elapsed: 10 minute(s), 9 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 2
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 9

    Memory Processes Infected:
    C:\WINDOWS\msa.exe (Trojan.Downloader) -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lowriskfiletypes (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\msa.exe (Trojan.Downloader) -> Delete on reboot.
    c:\WINDOWS\freddy49.exe (Net-Worm.Win32.Koobface) -> Quarantined and deleted successfully.
    c:\documents and settings\Peter\local settings\Temp\b.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\WINDOWS\ld12.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Delete on reboot.
    C:\WINDOWS\bf23567.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
    C:\WINDOWS\010112010146118114.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
    c:\WINDOWS\0101120101465749.dat (Worm.KoobFace) -> Quarantined and deleted successfully.

     

    HijackThis log (run after MBAM removed all items found and after the reboot)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:28:32, on 03/07/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16850)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\system32\LVComS.exe
    C:\Program Files\Logitech\Video\LowLight.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Peter\Desktop\HiJack This\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=en&client=dell-inc&channel=uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=en&client=dell-inc&channel=uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.search.yahoo.com/search?fr=mcafee&p=%s
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=en&client=dell-inc&channel=uk
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\PROGRA~1\MOZILL~1\plugins\GetFlash.exe -p (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\PROGRA~1\MOZILL~1\plugins\GetFlash.exe -p (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1226425545515
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E33968CE-FF77-4DC3-A052-2921C0D60177} (LoaderOnline Class) - https://www.remotecontrol26.co.uk/dms%20website/kiosk/Bootstrap/2.6.8.744/BootstrapXP.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{68B052B7-C01A-4E54-BCD8-08551377DCF2}: NameServer = 212.139.132.4 212.139.132.5
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: dlcf_device -   - C:\WINDOWS\system32\dlcfcoms.exe
    O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

    --
    End of file - 11562 bytes

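    The log above is what the helper reads line by line. As an added illustration (not part of this thread, and not HijackThis's own code), the following Python snippet parses a few lines copied from the posted log into the O-sections HijackThis uses and applies some review heuristics of the kind a helper runs in their head: Run entries that name a bare executable without a path, a RunOnce under the SYSTEM hive, a startup shortcut whose target could not be resolved, static DNS servers, an AppInit_DLLs entry, and services with no vendor string. The heuristics are this example's own assumptions and only raise points to verify; a flag is not a verdict that the entry is malicious.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\PROGRA~1\MOZILL~1\plugins\GetFlash.exe -p (User 'SYSTEM')
O4 - Global Startup: Digital Line Detect.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{68B052B7-C01A-4E54-BCD8-08551377DCF2}: NameServer = 212.139.132.4 212.139.132.5
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: dlcf_device -   - C:\WINDOWS\system32\dlcfcoms.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")                       # "O4 - <body>"
RUN_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^Global Startup: (?P<lnk>.+?) = (?P<target>.*)$")
NS_RE = re.compile(r"NameServer = (?P<servers>.+)$")


@dataclass
class Entry:
    section: str              # HijackThis section, e.g. "O4", "O23"
    body: str                 # everything after "On - "
    flags: list = field(default_factory=list)   # review notes (heuristics, assumed)


def executable_of(cmd):
    """Return the program part of a Run-key command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(section, body):
    """Apply this example's review heuristics to one entry; returns a list of notes."""
    flags = []
    if section == "O4":
        m = STARTUP_RE.match(body)
        if m:
            if m.group("target").strip() == "?":
                flags.append("startup shortcut with unresolved target")
            return flags
        m = RUN_RE.match(body)
        if not m:
            return flags
        hive, cmd = m.group("hive"), m.group("cmd")
        exe = executable_of(cmd)
        if exe and "\\" not in exe and "/" not in exe:
            # No directory given: Windows resolves it through the search path, so confirm where it lives.
            flags.append(f"bare filename {exe!r}: resolved via search path, verify location")
        if "S-1-5-18" in hive and "RunOnce" in hive:
            flags.append("RunOnce entry under the SYSTEM hive")
    elif section == "O17":
        m = NS_RE.search(body)
        if m:
            flags.append("static DNS servers: " + ", ".join(m.group("servers").split()))
    elif section == "O20" and body.startswith("AppInit_DLLs:"):
        flags.append("AppInit_DLLs loads a DLL into every user32 process: verify publisher")
    elif section == "O23" and body.startswith("Service: "):
        # "Service: <name> - <company> - <path>"; split from the right so names with " - " survive.
        parts = body[len("Service: "):].rsplit(" - ", 2)
        if len(parts) == 3 and parts[1].strip() in ("", "Unknown owner"):
            flags.append(f"service {parts[0]!r} has no vendor string")
    return flags


def parse_hjt(text):
    """Parse HijackThis 'On - ...' lines into Entry records; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            section, body = m.groups()
            entries.append(Entry(section, body, triage(section, body)))
    return entries


def flagged_entries(text):
    """Only the entries that picked up at least one review note."""
    return [e for e in parse_hjt(text) if e.flags]


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(e.section, "-", e.body)
        for note in e.flags:
            print("    ->", note)
```

    Run on the sample, seven of the eight lines pick up a note; the fully pathed McAfee Run entry is the only one that passes every check. Most of the flagged items in this particular log are benign (the Sigmatel tray applet and the AppInit DLL belong to legitimate vendors), which is exactly why the output is a checklist for a human reviewer rather than a removal list.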
    8 Krypton

    Re: Antivirus System PRO (fake anti-virus) taking over computer and causing multiple pop-ups - assistance required to remove

    You were another victim of koobface (the Facebook worm):  http://www.kaspersky.com/news?id=207575670 

    It might be good to change your Facebook password as well as any others that you are concerned abou...

    You have Viewpoint installed. Viewpoint developed a behavioral targeting product in 2006. Viewpoint is associated with a program called viewmgr.exe and the ViewPoint Media Player.
    Viewpoint is bundled with AOL, AOL Instant Messenger, Adobe Atmosphere, Netscape 7, etc and sometimes not mentioned in the license agreement. Hardware manufacturers pre-install some of these applications.
    ViewPoint Toolbar will redirect your search queries and also transmits non personally identifiable information back to their servers. The Viewpoint Toolbar is also classified as a threat in the CounterSpy Threat Library because it hijacks your search queries and also transmits non personally identifiable information back to their servers.
    Viewpoint Manager is a media player often bundled with AIM software. Viewpoint Manager is a useless add on.
    Because Viewpoint's software will track your web surfing and tailor advertisements based on the web pages you are visiting, I suggest you remove the program.
    ** Note: Removing Viewpoint Media Player may cause the program that bundled it to not function as intended. For AOL and AIM it is needed to use their 3D icons known as Super Buddies and for customized themes, etc.
    If you wish to remove Viewpoint, end process on ViewManager in Task Manager.
    Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

    • Viewpoint
    • Viewpoint Manager
    • Viewpoint Media Player
    • Viewpoint Toolbar
    • Viewpoint Experience Technology

    Then remove the Viewpoint folder in your Program Files.

    Run Disk Cleanup in each user's profile: Click "Start > Programs > Accessories > System Tools > Disk Cleanup" Please make sure only the following are checked:

    -- Downloaded Program Files

    -- Temporary Internet Files

    -- Recycle Bin

    -- Temporary Files

    Click "OK" and Disk Cleanup will delete those files for you.

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. It is possible that you may be running Java code in your applications that absolutely require a specific version of the JRE to run. Please follow these steps to remove older version Java components and update.

    • Download the latest version of Java Runtime Environment (JRE) 6.
    • Scroll down to where it says Java SE Runtime Environment (JRE) 6 Update 14 .
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement".
    • NOTE: As always during installations, beware of any pre-checked option to install a toolbar. If you do not want it, UNcheck it.
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove

      Java 2 Runtime Environment, SE v1.4.2_03

    • Click the Remove or Change/Remove button.
    • Close Add/Remove.

    • In Windows Explorer, navigate to the folder C:\Program Files\Java and delete any subfolders.
    • Do NOT delete the folder C:\Program Files\JavaVM, if found!
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.

    Delete the downloaded installation file after completing the above procedure and reboot if not prom...

    Let me know how things are running after that. If all seems to be back to normal we'll flush System Restore and you'll be good to go.


    Windows Insider MVP 2016 -

    Microsoft MVP - Consumer Security 2006-2016

    Social Media and Community Professional

    PeterE32
    1 Nickel

    Re: Antivirus System PRO (fake anti-virus) taking over computer and causing multiple pop-ups - assistance required to remove

    Hi Bugbatter,

    Thanks so much for your expert and professional assistance here.  I have followed your instructions as above.

    Passwords - I will change going forward

    Viewpoint - Thanks for the heads up, I have removed

    Disk Clean up - Done

    Java - I have followed the procedure to bring me up to date

    At present, I see no indication that the fake anti-virus program is present nor have I received any pop-ups since running MBAM. So fingers crossed, the problem has gone.

    So hopefully we can flush system restore now. 

    Kind regards.

    Tom


    8 Krypton

    Re: Antivirus System PRO (fake anti-virus) taking over computer and causing multiple pop-ups - assistance required to remove

    Good job!

    If everything is still running well....

    Please flush the XP System Restore Points: (Using XP, you must be logged in as Administrator to do this.)

    Go to Start>Run and type msconfig Press enter.

    When msconfig opens, click the Launch System Restore Button.

    On the next page, click the System Restore Settings Link on the left.

    Check the box labeled Turn Off System Restore.

    Reboot. Go back in and turn System Restore ON. A new Restore Point will be created.

    Here is my standard list of simple steps that you can take to reduce the chance of infection in the future.

    If you have used Malwarebytes' Anti-Malware as part of your cleaning procedures, keep it updated and use it to scan every so often for malware, or upgrade to the paid version for realtime scanning and auto updating.

    The following suggestions are general prevention and are not customized for your computer. You may have already taken some of these steps, and depending on your current security, you may not need to implement all of these:


    1. Visit Microsoft Update: Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS. Microsoft's Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

    2. Please use a firewall and realtime anti-virus. Keep the anti-virus software and firewall software up to date.

    3. You might consider installing Mozilla / Firefox.
    http://www.mozilla.com/en-US/

    4. Do not use file sharing. Even the safest P2P file sharing programs that do not contain bundled spyware still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple. File sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P file sharing networks because of their known vulnerabilities.

    5. Before using or purchasing any Spyware/Malware protection/removal program, always check the following Rogue/Suspect Spyware Lists. http://www.spywarewarrior.com/rogue_anti-spyware.htm http://www.malwarebytes.org/database.php

    6. If you have not already done so, you might want to install CCleaner and run it in each user's profile: http://www.ccleaner.com/ ** UNcheck the option to install the Yahoo toolbar that is checked by default for the Standard version, or download the toolbar-free versions (Slim or Basic) when given the option for those.

    7. Web Of Trust uses colored alerts to warn you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

    • Red for Warning = STOP
    • Yellow for Use Caution
    • Green for Safe
    • Grey for Unknown

    There is a Web Of Trust version for Firefox as well.


    8. You might consider installing SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
    It will:
    Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
    Block spyware/tracking cookies in Internet Explorer and Mozilla Firefox.
    Restrict the actions of potentially unwanted sites in Internet Explorer.
    Tutorial here: http://www.bleepingcomputer.com/forums/tutorial49.html
    Periodically check for updates

    9. Here are some helpful articles:
    "How did I get infected?"
    http://www.bleepingcomputer.com/forums/topic2520.html


    "I'm not pulling your leg, honest"
    by Sandi Hardmeier
    http://www.microsoft.com/windows/IE/community/columns/pulling.mspx


    Windows Insider MVP 2016 -

    Microsoft MVP - Consumer Security 2006-2016

    Social Media and Community Professional
