Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

Z

z7301

3 Posts

2995

June 13th, 2009 19:00

Fake antivirus software: "System Security Version 4.51" Need help in removal

 

Heres the basic overview: its a virus and or trojan that stop me from view almost any exacutable file on my computer, such as my current anti virus software and my registry cleaner, unless I run them as administrator. I've tried general scans and scans in safe mode which has removed most of the problems for a short period of time before the software popups reappear. so far nothing is truly getting rid of the soft ware and i would like help in locating the source of the problem.

I would like to know the best course of action in my computers current state which, although stable, is still constantly bonbared and blocked by the software offers from "System Security Version 4.51".

I'll post updates of logfiles i've collected with HijackThis v2.0:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:42:18 PM, on 6/13/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\ProgramData\17783024\17783024.exe
C:\ProgramData\97793016\97793016.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061220
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: UrlHelper Class - {6D023EBF-70B8-45A6-9ED5-556515FA0FE4} - C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: BearSharePersonalization - {DD1849EA-8403-4441-8DFF-7575AAE1DC16} - C:\Program Files\BearShare Applications\Personalization\BearSharePersonalizationIE_v1053.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: XBTP02634 Class - {F97DA966-F09D-4cab-BF29-75A0026986EA} - (no file)
O3 - Toolbar: Starware Smileytown Toolbar - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - (no file)
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare Applications\BearShare MediaBar\BSMediaBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\Windows\p_981116.exe /Q:A
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [spc1000] C:\Windows\vspc1000.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [17783024] C:\ProgramData\17783024\17783024.exe
O4 - HKLM\..\Run: [97793016] C:\ProgramData\97793016\97793016.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: VPro1000.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ietoolgate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ietoolgate.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O22 - SharedTaskScheduler: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - (no file)
O22 - SharedTaskScheduler: apathies - {aed6f6a3-183c-488d-9f90-23db99f56e7f} - (no file)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security 14\PcCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security 14\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security 14\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security 14\tmproxy.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 11896 bytes
Please respond if you can help.

Bugbatter

20.5K Posts

June 13th, 2009 21:00

Hi, Welcome :emotion-1:

Have you been doing file sharing?

Try going to Task Manager and ending process on these two (They will probably be listed by just the long numbers).:

C:\ProgramData\17783024\17783024.exe
C:\ProgramData\97793016\97793016.exe

Try scans with these two programs in the following order:

Please disable other security software that may cause conflicts with the scans. (Don't forget to enable it afterward.)

Instructions on how to do that are HERE.

Please download to your desktop Malwarebytes' Anti-Malware from Here or Here 

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checkedPhotobucket
    Click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Extra Notes:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer, please do so immediately.
* If you are unable to download or install MBAM on your computer, see if you can use a friend's or family member's computer to download MBAM. Use this update link here to manually download the update. Once downloaded, rename the program installer "mbam-setup.exe" file to something else like "catchjunk.exe". Copy the installer file and the update file to a CD or flash drive. Transfer the file to the infected computer. Install the "catchjunk.exe" file, then run the update so that you will have the current definitions. After that, run a full system scan and select to have the program REMOVE whatever it finds.

**If you need to re-install MBAM but encounter issue in re-installing, try using the MBAM Cleanup Utility by downloading it from http://www.malwarebytes.org/mbam-clean.exe

 

Download and scan with Super Anti-Spyware Free for Home Users. It is available HERE:
*Double-click SUPERAntiSypware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):

Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.

* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".

If that does not fix the problem, it might be good to post a log for review on the Malware Removal Forum.

Be sure to read instructions at the top of the forum.

 

 

z7301

3 Posts

June 14th, 2009 12:00

Heres what I found:

Malwarebytes' Anti-Malware 1.37
Database version: 2276
Windows 6.0.6001 Service Pack 1

6/14/2009 1:12:53 PM
mbam-log-2009-06-14 (13-12-53).txt

Scan type: Quick Scan
Objects scanned: 148769
Time elapsed: 1 hour(s), 59 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 26
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 9
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\ad-protect.addin (Rogue.ContraVirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bbbd3e11-d201-46c9-8471-091d33159287} (Rogue.ContraVirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d2c1986a-fbec-4472-aabf-6d42f08dbc8e} (Rogue.ContraVirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d49e9d35-254c-4c6a-9d17-95018d228ff5} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{dbe5bee8-f032-11db-826a-c4bb56d89593} (Rogue.ContraVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ea038ddd-0fe0-41f5-ba60-fc3660529e71} (Rogue.ContraVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ca356d79-679b-4b4c-8e49-5af97014f4c1} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d49e9d35-254c-4c6a-9d17-95018d228ff5} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{d49e9d35-254c-4c6a-9d17-95018d228ff5} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Online Add-on (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Addins\Ad-Protect.Addin.1 (Rogue.ContraVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\AdLoader (Rogue.ContraVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Trace7 (Rogue.ContraVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell\1das (Rogue.ContraVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell\dnl7 (Rogue.ContraVirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cvpro.server (Rogue.ContraVirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cvpro.server.1 (Rogue.ContraVirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\17783024 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{d49e9d35-254c-4c6a-9d17-95018d228ff5} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{8d8c2387-7f80-4022-9be6-43630a969558} (Trojan.Smitfraud) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\ProgramData\17783024 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\program files\SpywareLocked 3.5 (Rogue.SpywareLocked) -> Quarantined and deleted successfully.
c:\program files\spywarelocked 3.5\Logs (Rogue.SpywareLocked) -> Quarantined and deleted successfully.
c:\program files\spywarelocked 3.5\Quarantine (Rogue.SpywareLocked) -> Quarantined and deleted successfully.
c:\Users\braiden\AppData\Roaming\AdProtect NoSpam (Rogue.AdProtect) -> Quarantined and deleted successfully.
c:\Users\braiden\AppData\Roaming\ContraVirus AntiSpam (Rogue.ContraVirus) -> Delete on reboot.
C:\Program Files\Video ActiveX Object (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Video Add-on (Trojan.Zlob) -> Quarantined and deleted successfully.
c:\Users\braiden\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Security (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

Files Infected:
c:\programdata\17783024\17783024.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\Windows\System32\f3PSSavr.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\$Recycle.Bin\s-1-5-21-182471719-1105721001-1160810384-1007\$RJBHM3G.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\program files\spywarelocked 3.5\blacklist.txt (Rogue.SpywareLocked) -> Quarantined and deleted successfully.
c:\program files\spywarelocked 3.5\sl.dat (Rogue.SpywareLocked) -> Quarantined and deleted successfully.
c:\program files\spywarelocked 3.5\SpywareLocked 3.5.url (Rogue.SpywareLocked) -> Quarantined and deleted successfully.
c:\Users\braiden\AppData\Roaming\adprotect nospam\Settings.xml (Rogue.AdProtect) -> Quarantined and deleted successfully.
c:\program files\video activex object\ot.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
c:\program files\video add-on\ot.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
c:\program files\video add-on\ts.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
c:\Users\braiden\AppData\Roaming\microsoft\Windows\start menu\Programs\system security\System Security 2009 Support.lnk (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\Users\braiden\AppData\Roaming\microsoft\Windows\start menu\Programs\system security\System Security 2009.lnk (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\Users\braiden\favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.
c:\Windows\System32\SKYNETnipbjinc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\SKYNETxprfpkmj.dll (Trojan.Agent) -> Quarantined and deleted successfully.

~

I also found the actual program thats causeing the problems but its protected by the "Creator".  Any Ideas on how to bypass and delete it?

Bugbatter

20.5K Posts

June 14th, 2009 13:00

You had quite a bit of malware in there. I suggest updating MBAM, running and new scan, and posting a fresh Hijackthis log and a fresh MBAM log on the Malware Removal Forum so the rest of it can be cleaned. Please include a link to this thread so your helper on that forum knows what has been removed so far.

z7301

3 Posts

June 14th, 2009 14:00

Thanks for the advice and so far the first scan has been a total success the second time I loged on everything was removed.

However to play it safe ill try what you guys said and im running scans right now to catch any possible signs of trouble.

ill load them if the problem reastablishs itself but other than that everything is fine. I Thank You :emotion-1: and any future supporters for your help!

Bugbatter

20.5K Posts

June 14th, 2009 17:00

Thank you for keeping us updated on your progress. Glad to hear that all is well. :emotion-1:

View More

View All

No Events found!

Top