xttt
3 Silver

Re: windows explorer fake security virus

Hi GAHIXON1,

Below is the ComboFix log.

But I can't seem to get DDS to run completely. I double-click and it starts to run, but then it just stops, so I don't know what's happening there.

But anyway, here is the ComboFix log.

I have uninstalled McAfee, Spybot Search and Destroy and AVG. (Had to uninstall AVG or ComboFix would not run.)

Thanks so much for your help!

ComboFix 11-06-26.01 - Eric 06/26/2011   9:35.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.486 [GMT -7:00]
Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Eric\Templates\8f2gvu11wnj076224dw377dm
c:\program files\Search Guard PlusU
c:\program files\Search Guard PlusU\SGPU.ico
c:\program files\Search Guard PlusU\sgpUpdater.exe
c:\program files\Search Guard PlusU\sgpUpdater.xml
c:\program files\Search Guard PlusU\sgpUpdaters.exe
c:\program files\Search Guard PlusU\uninstalSGPU.exe
C:\Thumbs.db
c:\windows\Down_Temp
c:\windows\Down_Temp\list.jpg
c:\windows\system32\sxynvxad.ini
c:\windows\system32\tmpicons
c:\windows\system32\tmpicons\Click Here For Your Free Gift!.ico
c:\windows\system32\tmpicons\Free Screensavers, Wallpapers & eCards.ico
E:\Autorun.inf
.
.
(((((((((((((((((((((((((   Files Created from 2011-05-26 to 2011-06-26  )))))))))))))))))))))))))))))))
.
.
2011-06-25 21:59 . 2011-06-25 21:59 -------- d-----w- c:\documents and settings\Eric\T20110624ARp01
2011-06-23 01:46 . 2011-06-23 01:46 388096 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-22 01:12 . 2011-06-22 01:12 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-16 23:28 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 16:11 . 2008-09-14 01:12 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 16:11 . 2008-09-14 01:12 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31 . 2005-08-16 10:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19 . 2006-03-31 20:46 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 15:51 . 2005-08-16 10:18 832512 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 15:51 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-04-25 15:51 . 2005-08-16 10:18 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 15:51 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2011-04-25 12:01 . 2005-08-16 10:18 389120 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2005-08-16 10:18 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-18 01:34 . 2009-08-18 18:30 564632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\wlidui.dll
2011-04-18 01:33 . 2009-08-18 18:24 18328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Memeo Instant Backup"="c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe" [2011-01-24 136416]
"Seagate Dashboard"="c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2010-04-30 79112]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-12-05 274608]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
.
c:\documents and settings\Guest\Start Menu\Programs\Startup\
Seagate Product Registration.lnk - c:\documents and settings\Eric\Application Data\Leadertech\PowerRegister\Seagate Product Registration.exe [2011-5-5 1731736]
.
c:\documents and settings\Eric\Start Menu\Programs\Startup\
Seagate Product Registration.lnk - c:\documents and settings\Eric\Application Data\Leadertech\PowerRegister\Seagate Product Registration.exe [2011-5-5 1731736]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 09:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2006-02-10 04:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 18:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 17:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2006-09-21 12:20 127036 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2006-05-03 10:12 98304 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 17:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 20:01 67584 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-10-15 02:46 77824 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-10-15 02:50 114688 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-10-15 02:49 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 16:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2008-10-24 16:14 79136 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2009-07-17 18:12 288080 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2003-12-10 11:52 380928 ----a-w- c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2005-03-23 05:20 339968 ----a-w- c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 18:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-12-05 23:50 274608 ----a-w- c:\program files\real\realplayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"wlidsvc"=2 (0x2)
"ose"=3 (0x3)
"McciCMService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"DSBrokerService"=3 (0x3)
"MpfService"=2 (0x2)
"mfevtp"=2 (0x2)
"mfefire"=2 (0x2)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"McNaiAnn"=2 (0x2)
"mcmscsvc"=2 (0x2)
"McMPFSvc"=2 (0x2)
"McAfee SiteAdvisor Service"=2 (0x2)
"0286471304174628mcinstcleanup"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:UDP"= 53:UDP:Promo
.
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [1/24/2011 11:35 AM 25824]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [4/30/2010 7:47 AM 14088]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [9/13/2008 6:12 PM 39984]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4076396399-1108333388-2233356946-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 19:33]
.
2011-06-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4076396399-1108333388-2233356946-501.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 19:33]
.
2011-06-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4076396399-1108333388-2233356946-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 19:33]
.
2011-05-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4076396399-1108333388-2233356946-501.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 19:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-mcui_exe - c:\program files\McAfee.com\Agent\mcagent.exe
MSConfigStartUp-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-26 09:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-06-26  09:43:10
ComboFix-quarantined-files.txt  2011-06-26 16:43
.
Pre-Run: 107,667,771,392 bytes free
Post-Run: 107,670,556,672 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 4B417A4E24475F1BCB20CD2305C8F633

0 Kudos
gahixon1
3 Silver

Re: windows explorer fake security virus

Hi xttt,

Now that you have no anti-virus remaining on your computer, I strongly suggest that you download and install one. My personal preference is now Microsoft Security Essentials. It integrates well with Windows and has excellent detection rates. You can find it at the link below.

MSE

After installing MSE please continue with the next steps.

After running all these steps can you please tell me if there are any traces left of the scareware product that you had.

Step 1
CFScript

Please open Notepad and copy/paste the items in bold in between the two lines.
==================================================

KillAll::

Folder::
c:\documents and settings\Eric\T20110624ARp01

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:UDP"=-

===========================================================

Save this as CFScript.txt and change the 'Save as type' to 'All Files' and place it on your desktop. Make sure your AV is disabled while we do this.

[Screenshot: CFScriptB-4.gif]
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

Step 2
ESET Scan

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.

  • Tick the box next to Yes, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Step 3
Security Check

  • Download Security Check by screen317 from HERE or HERE
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. Press any key when asked.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

In your next reply
Combofix.txt
ESET scan.txt
Security Check.txt

Graduate of Spyware Hammer Academy

0 Kudos
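As an added example (my own code, not part of this thread or of ComboFix), a small Python triage script that parses the 'Reg Loading Points' section of a ComboFix log like the one posted above and flags the settings that weaken host protection: the Security Center override values, the disabled standard-profile firewall, and the globally open port that the CFScript above removes. Function and constant names are mine; the two sample inputs are constructed from the registry keys shown in the ComboFix logs in this thread.

```python
"""Flag security-weakening settings in the 'Reg Loading Points' section of a
ComboFix log. Hypothetical triage helper (an added example, not part of ComboFix
or of this thread); the samples are constructed from the logs posted above."""
import re
from typing import Dict, List, Optional

# Constructed sample 1: keys as they appear in the first log, before the CFScript.
BEFORE_CFSCRIPT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:UDP"= 53:UDP:Promo
.
"""

# Constructed sample 2: the same keys in the second log, after the CFScript removed
# the "53:UDP" entry (the standard-profile key itself is no longer listed either).
AFTER_CFSCRIPT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
.
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
FW_PROFILE = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
OPEN_PORTS = FW_PROFILE + r"\globallyopenports\list"


def parse_reg_section(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] (lower-cased) to its "name"=value lines; keys are separated by a lone '.'."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            keys.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)  # unquoted lines (startupreg file entries) are skipped
        if value and current is not None:
            keys[current][value.group(1)] = value.group(2).strip()
    return keys


def reg_int(value: str) -> int:
    """Decode both integer spellings ComboFix uses: 'dword:00000001' and '0 (0x0)'."""
    value = value.strip()
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    m = re.match(r"-?\d+", value)
    if not m:
        raise ValueError(f"not an integer registry value: {value!r}")
    return int(m.group(0))


def triage(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per setting that weakens host protection."""
    findings: List[str] = []
    sc = keys.get(SECURITY_CENTER, {})
    for name in ("AntiVirusOverride", "FirewallOverride"):
        if name in sc and reg_int(sc[name]) == 1:
            findings.append(f"Security Center {name}=1: the 'protection missing' alert is suppressed")
    fw = keys.get(FW_PROFILE, {})
    if "EnableFirewall" in fw and reg_int(fw["EnableFirewall"]) == 0:
        findings.append("Windows Firewall standard profile: EnableFirewall=0 (firewall off)")
    if "DisableNotifications" in fw and reg_int(fw["DisableNotifications"]) == 1:
        findings.append("Windows Firewall standard profile: DisableNotifications=1 (block prompts hidden)")
    for spec in keys.get(OPEN_PORTS, {}).values():
        m = re.match(r"(\d+):(TCP|UDP):(.*)$", spec, re.IGNORECASE)
        label = f"{m.group(1)}/{m.group(2).upper()} named '{m.group(3)}'" if m else spec
        note = " (53 is the DNS port, which a workstation does not normally serve)" if m and m.group(1) == "53" else ""
        findings.append(f"Globally open inbound port {label}{note}")
    return findings


def compare(before: str, after: str) -> Dict[str, List[str]]:
    """Show which findings a cleanup removed and which still need attention."""
    b = set(triage(parse_reg_section(before)))
    a = set(triage(parse_reg_section(after)))
    return {"removed": sorted(b - a), "remaining": sorted(a)}
```

Run against the second ComboFix log in this thread, the open-port finding disappears, but the two Security Center override values are still listed there and are not touched by the CFScript.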
xttt
3 Silver

Re: windows explorer fake security virus

hi Gahixon1,

Just wanted to let you know I'm still here.

Am working to get this info for you. This ESET scan looks like it's going to take quite a while though.

Also, while ComboFix was running, the message "pev.cfxxe has encountered a problem and needs to close. We are sorry for the inconvenience." popped up. Then it gives you the option to report the error to Microsoft or don't send. I hit don't send. ComboFix then continued and finished, I assume. Computer rebooted. ComboFix then gave a log (which appears complete to me). I have saved it, of course, and as soon as I can get the ESET scan log and Security Check log I will post.

thanks so much for your help!

0 Kudos
xttt
3 Silver

Re: windows explorer fake security virus

hi Gahixon1,

here we go,

combofix log file:

ComboFix 11-06-27.01 - Eric 06/27/2011  16:37:46.3.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.541 [GMT -7:00]
Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Eric\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Eric\T20110624ARp01
.
.
(((((((((((((((((((((((((   Files Created from 2011-05-27 to 2011-06-27  )))))))))))))))))))))))))))))))
.
.
2011-06-27 23:26 . 2011-06-27 23:26 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2A055D11-D404-415A-85BD-F382C11E0F36}\MpKslff7edd3d.sys
2011-06-27 23:25 . 2011-06-07 15:55 7074640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2A055D11-D404-415A-85BD-F382C11E0F36}\mpengine.dll
2011-06-27 23:25 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-06-27 23:21 . 2011-06-27 23:22 -------- d-----w- c:\program files\Microsoft Security Client
2011-06-23 01:46 . 2011-06-23 01:46 388096 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-22 01:12 . 2011-06-22 01:12 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-16 23:28 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 16:11 . 2008-09-14 01:12 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 16:11 . 2008-09-14 01:12 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31 . 2005-08-16 10:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19 . 2006-03-31 20:46 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 15:51 . 2005-08-16 10:18 832512 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 15:51 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-04-25 15:51 . 2005-08-16 10:18 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 15:51 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2011-04-25 12:01 . 2005-08-16 10:18 389120 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2005-08-16 10:18 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-18 20:18 . 2011-04-18 20:18 165648 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2011-04-18 01:34 . 2009-08-18 18:30 564632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\wlidui.dll
2011-04-18 01:33 . 2009-08-18 18:24 18328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Memeo Instant Backup"="c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe" [2011-01-24 136416]
"Seagate Dashboard"="c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2010-04-30 79112]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-12-05 274608]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
c:\documents and settings\Guest\Start Menu\Programs\Startup\
Seagate Product Registration.lnk - c:\documents and settings\Eric\Application Data\Leadertech\PowerRegister\Seagate Product Registration.exe [2011-5-5 1731736]
.
c:\documents and settings\Eric\Start Menu\Programs\Startup\
Seagate Product Registration.lnk - c:\documents and settings\Eric\Application Data\Leadertech\PowerRegister\Seagate Product Registration.exe [2011-5-5 1731736]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 09:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2006-02-10 04:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 18:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 17:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2006-09-21 12:20 127036 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2006-05-03 10:12 98304 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 17:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 20:01 67584 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-10-15 02:46 77824 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-10-15 02:50 114688 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-10-15 02:49 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 16:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2008-10-24 16:14 79136 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2009-07-17 18:12 288080 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2003-12-10 11:52 380928 ----a-w- c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2005-03-23 05:20 339968 ----a-w- c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 18:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-12-05 23:50 274608 ----a-w- c:\program files\real\realplayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"wlidsvc"=2 (0x2)
"ose"=3 (0x3)
"McciCMService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"DSBrokerService"=3 (0x3)
"MpfService"=2 (0x2)
"mfevtp"=2 (0x2)
"mfefire"=2 (0x2)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"McNaiAnn"=2 (0x2)
"mcmscsvc"=2 (0x2)
"McMPFSvc"=2 (0x2)
"McAfee SiteAdvisor Service"=2 (0x2)
"0286471304174628mcinstcleanup"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R1 MpKslff7edd3d;MpKslff7edd3d;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2A055D11-D404-415A-85BD-F382C11E0F36}\MpKslff7edd3d.sys [6/27/2011 4:26 PM 28752]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [1/24/2011 11:35 AM 25824]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [4/30/2010 7:47 AM 14088]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 22:39]
.
2011-06-27 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 22:39]
.
2011-06-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4076396399-1108333388-2233356946-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 19:33]
.
2011-06-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4076396399-1108333388-2233356946-501.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 19:33]
.
2011-06-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4076396399-1108333388-2233356946-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 19:33]
.
2011-05-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4076396399-1108333388-2233356946-501.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 19:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-27 16:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(540)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\Seagate\Seagate Dashboard\MemeoDashboard.exe
c:\program files\Memeo\AutoBackup\InstantBackup.exe
.
**************************************************************************
.
Completion time: 2011-06-27  16:58:40 - machine was rebooted
ComboFix-quarantined-files.txt  2011-06-27 23:58
ComboFix2.txt  2011-06-26 16:43
.
Pre-Run: 107,530,264,576 bytes free
Post-Run: 107,523,489,792 bytes free
.
- - End Of File - - 47468BEE5E95200D4D996D3B1901F784

--------------------------------------------------------------------------------------------
ESET scan log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17098 (vista_gdr.110420-1745)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=f89cdc46c7a20347a43a2e58faf91255
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2011-06-28 02:11:51
# local_time=2011-06-27 07:11:51 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 120797652 120797652 0 0
# compatibility_mode=1032 16777214 0 1 0 0 0 0
# compatibility_mode=5891 16776869 42 87 0 5975252 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=318886
# found=2
# cleaned=2
# scan_time=7525
C:\Qoobox\Quarantine\C\WINDOWS\system32\sxynvxad.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 1AC3F0F2B8DC4058334647F4FC226FC5 C
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1476\A0119110.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 1AC3F0F2B8DC4058334647F4FC226FC5 C

--------------------------------------------------------------------------------------------------

And finally:

Security Check log:

 Results of screen317's Security Check version 0.99.16 
 Windows XP Service Pack 3 
 Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
 Windows Firewall Enabled! 
 ESET Online Scanner v3  
 Microsoft Security Essentials   
 Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:
 Malwarebytes' Anti-Malware   
 HijackThis 2.0.2   
 CCleaner    
 Java(TM) 6 Update 20 
 Out of date Java installed!
 Adobe Flash Player  
````````````````````````````````
Process Check: 
objlist.exe by Laurent
 Windows Defender MSMpEng.exe
 Microsoft Security Essentials msseces.exe
 Microsoft Security Client Antimalware MsMpEng.exe 
``````````End of Log````````````

------------------------------------------------------------------------------------------

Okay, please let me know if I need to do anything else.

And thank you soooo much for your help!

MSE is installed.

0 Kudos
gahixon1
3 Silver

Re: windows explorer fake security virus

Hi xttt,

Glad to hear things are running much better. We are not quite finished yet. Next we need to update some software that leaves vulnerabilities within your computer. Then we will remove the tools that have been used, and finally I will give you some useful information to stop you being reinfected in the future.

OK. Onto the update process.

Step 1
Updating IE

Please visit the following link and update your Internet Explorer
IE8

Step 2
JavaRa

Please download JavaRa from here
Unzip the zip file using 7-Zip
Please click "Check for Updates" and then "Remove older versions" as shown below.
[Screenshot: JavaRa.png]

Step 3
Updating Java

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    Instructions for Windows XP (x86) and earlier
  • Close all browser windows then double-click on the saved file (jre-6u23-windows-i586.exe) to install the update. Be patient: It may take five (5) minutes or more for the installation to complete.
  • UNCHECK any optional "foistware" (e.g., Carbonite; OpenOffice; Google, Bing, etc. toolbars) that you don't want to install!
  • Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

Windows 64-bit users: See http://www.java.com/en/download/faq/java_win64bit.xml
For more information see http://java.com/en/download/faq/index_general.xml

-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications.
To disable the JQS service if you don't want to use it:

  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


Step 4
Security Check

  • Download Security Check by screen317 from HERE or HERE
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. Press any key when asked.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Please post back any issues or problems you had.
After installing all these updates, we will finish up with a post about preventing malware in the future.

Graduate of Spyware Hammer Academy

0 Kudos
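To put the "Out of date Java installed!" line of the Security Check log and the Step 3 version check into something you can run yourself, here is an added PowerShell snippet. It is not code from this thread, from JavaRa or from Security Check. It reads the Windows Installer Uninstall keys for "Java(TM) N Update M" entries, flags any Java 6 build below 6u23 (that threshold is an assumption taken from the installer name jre-6u23-windows-i586.exe above), and then checks the JRE's own JavaSoft registration so that an entry that is listed in Add/Remove Programs but has no working runtime behind it stands out. The registry paths are the standard ones; the Wow6432Node branch only matters on 64-bit Windows and is skipped where it does not exist. It assumes PowerShell 2.0 or later and reads the registry only, changing nothing.

```powershell
# Added example for this thread; not code from the forum, JavaRa or Security Check.
# Lists every "Java(TM) N Update M" entry under the Windows Installer Uninstall
# keys and flags builds older than the update Step 3 links to.
# ASSUMPTION: 6u23 (from the installer name jre-6u23-windows-i586.exe) is the
# minimum acceptable level; adjust to whatever the current release is.
$MinimumJava6Update = 23

# Standard Uninstall key, plus the Wow6432Node view that 64-bit Windows
# keeps for 32-bit installers. Test-Path skips the one that does not exist.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$javaPattern = '^Java\(TM\) (\d+) Update (\d+)'
$found = @()

foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in (Get-ChildItem $key -ErrorAction SilentlyContinue)) {
        $props = Get-ItemProperty $sub.PSPath -ErrorAction SilentlyContinue
        if ($props.DisplayName -match $javaPattern) {
            $major  = [int]$Matches[1]
            $update = [int]$Matches[2]
            # Anything older than Java 6 is out of date by definition; within
            # Java 6 the update number is compared against the threshold above.
            $outOfDate = ($major -lt 6) -or ($major -eq 6 -and $update -lt $MinimumJava6Update)
            $found += New-Object PSObject -Property @{
                DisplayName     = $props.DisplayName
                UninstallString = $props.UninstallString
                OutOfDate       = $outOfDate
            }
        }
    }
}

if ($found.Count -eq 0) {
    Write-Host 'No Java(TM) entries found under the Uninstall keys.'
} else {
    $found | Format-Table DisplayName, OutOfDate, UninstallString -AutoSize
}

# The runtime's own registration. An Add/Remove Programs entry with no
# JavaSoft key behind it, or a JavaHome folder without java.exe, is what an
# "installed but not working" Java looks like from the registry side.
$jreKey = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
if (-not (Test-Path $jreKey)) {
    Write-Host 'No JavaSoft\Java Runtime Environment key: no JRE is registered.'
} else {
    $current  = (Get-ItemProperty $jreKey).CurrentVersion
    $javaHome = $null
    if ($current) {
        $javaHome = (Get-ItemProperty "$jreKey\$current" -ErrorAction SilentlyContinue).JavaHome
    }
    if ($javaHome) {
        $javaExe = Join-Path $javaHome 'bin\java.exe'
        Write-Host ('JRE {0} registered at {1}; java.exe present: {2}' -f $current, $javaHome, (Test-Path $javaExe))
    } else {
        Write-Host ('JavaSoft key exists but CurrentVersion/JavaHome is missing (CurrentVersion = "{0}").' -f $current)
    }
}
```

The UninstallString column is printed so that the entry can be matched against what Add/Remove Programs shows; the script itself never runs it. A row marked OutOfDate with a JavaSoft line reporting no java.exe is the combination to expect when an old JRE has been partly removed, which is the state the later posts in this thread describe.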
xttt
3 Silver

Re: windows explorer fake security virus

I tried to install the latest version of Java.

Ran into this error and the installation stopped.

Java Setup:

Internal Error 2753. regutils.dll

Please advise how to proceed.

Thanks!

0 Kudos
xttt
3 Silver

Re: windows explorer fake security virus

The most recent Security Check log follows:

Results of screen317's Security Check version 0.99.16 
 Windows XP Service Pack 3 
 Internet Explorer 8 
``````````````````````````````
Antivirus/Firewall Check:
 Windows Firewall Enabled! 
 ESET Online Scanner v3  
 Microsoft Security Essentials   
 Antivirus up to date! 
```````````````````````````````
Anti-malware/Other Utilities Check:
 Malwarebytes' Anti-Malware   
 HijackThis 2.0.2   
 CCleaner    
 Java(TM) 6 Update 20 
 Out of date Java installed!
 Adobe Flash Player  
````````````````````````````````
Process Check: 
objlist.exe by Laurent
 Windows Defender MSMpEng.exe
 Microsoft Security Essentials msseces.exe
 Microsoft Security Client Antimalware MsMpEng.exe 
``````````End of Log````````````

Please note however that I do not think Java is currently operating on my system. It says it is installed but I do not think it is working. I have received the message that no working Java was detected on my system (from the Java website).

Help please.

0 Kudos
gahixon1
3 Silver

Re: windows explorer fake security virus

Hi xttt,

Could you please go into Add/Remove Programs and uninstall

Java(TM) 6 Update 20

as well as any other instances of Java. After this, please go to HERE and download the latest version of Java.

This should allow Java to install successfully.

Let me know if that works.

George

Graduate of Spyware Hammer Academy

0 Kudos
xttt
3 Silver

Re: windows explorer fake security virus

Hi GAHIXON1,

The above is a screen shot (Word document) of the error message I received when trying to remove from the Control Panel. Same error occurs.

I think it could be a registry key problem. But you would think Java would have a fix. I get the feeling this is not an unusual error. However I certainly have no way of fixing it, especially if it involves the registry. I've heard one has to be extremely careful/knowledgeable when working in the registry.

Sooooo, maybe I'll just have to get by without Java?

Anyway, any suggestions appreciated. I have no doubt the computer is cleaner now.

I'm certainly open to any further suggestions as to how to uninstall/reinstall Java. So if you can come up with something to try I'm certainly willing. (Provided of course you're certain there is no danger in doing so.)

Would you like me to run and post another HijackThis or MBAM log?

Thank you GAHIXON1!

(Well, I thought I inserted the screen shot but I don't see it. Anyway, same error: Internal Error 2753. regutils.dll)


0 Kudos
gahixon1
3 Silver

Re: windows explorer fake security virus

Hi xttt,

Did you run JavaRa from my previous instructions? This will remove all previous versions of Java and produce a log. If you did, please try this to uninstall Java instead.

George

Graduate of Spyware Hammer Academy

0 Kudos