Antivirus Live - Fake Security Software has taken over my pc


Post by justmeok on 6th December 2009, 12:54 am

Yesterday my pc was infected by the above named monster. Luckily I do have a laptop so I have been able to do a bit of research on how to remove this nasty. It seems that it is a new version of Antivirus System Pro but sadly those instructions for removal do not work (the screenshot is almost identical except for the name). Here is a summary of the symptoms and what I have done so far.

I think my pc was infected by some kind of pdf download. I was researching "this day in history" sites and a popup download window appeared asking if I wanted to download a pdf. Since I did not click on a link for this to happen I just closed the window without really paying much attention to it (I now think this was a HUGE mistake!!!!). Another popup window appeared and disappeared just as quickly so not really sure what that said, however moments later all hell broke loose on my pc. So many popup alerts appeared and no program will run! Every time I try to run any program or do anything at all such as open control panel or task manager a popup message appears saying that the xxxxx file is infected and do I want to run the antivirus program and no other program will run.

After some research I tried to reboot my pc in safe mode but this was unsuccessful as well. I press F8 and get to the correct screen but when choosing either safe mode or safe mode with networking, the pc thinks for a moment and then the screen goes blank and then the same screen reappears. I have not tried choosing the boot to command prompt as I would have no idea what to actually do if that worked! The only way to successfully boot the pc is to choose the normal startup option. My pc is an IBM desktop and I did manage to get into setup and from there an IBM recover and restore feature but not too sure what all that is so didn't do anything there. It does have an option to get into the BIOS and I thought maybe changing the boot sequence might work but I'm such a beginner that I thought best not to change anything there either!

I did manage to run Malwarebytes on one of the normal reboot occasions by getting that to start before the virus program actually started. I couldn't update the program though and even though it did a scan and found one item that it removed the dreaded monster is still there. Internet Explorer also launches occasionally and takes me to "unsavoury websites" so I have disconnected the internet from that pc for the moment. I even tried adding some programs to a flash drive but that wouldn't run on the pc either. No program at all seems to work unless you can get it to start before the virus does after a reboot.

The virus wants to connect to a website called awareremover 2010.com. I have also read that google searches can result in you being taken to more malware sites so not very confident which links are indeed safe. Can anyone suggest how I can go about removing this monster and returning my pc to normal?

Oh BTW I do have up-to-date anti virus software installed on my pc. It is CA which used to be called VET although this doesn't seem to have helped me much but to be fair this is the first time my pc has been infected so I guess it has done its job well in the past.


Re: Antivirus Live - Fake Security Software has taken over my pc

Post by Belahzur on 6th December 2009, 1:43 am

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Antivirus Live - Fake Security Software has taken over my pc

Post by justmeok on 6th December 2009, 10:25 am

Thanks for the info but I obviously didn't post very clearly as this virus does not allow any program to run! I did try what you suggested but as soon as you click any program to run a popup message appears telling you the file is infected and then nothing happens!

I have done a bit more research and another person seems to have had a similar problem and they disabled items at startup using msconfig. So I tried rebooting and choosing "run" before the virus kicked in and managed to get to msconfig. Since I am a novice in this area I unchecked nearly all of the boxes and then did a restart. Luckily the virus program must have been one of them as I was able to install hijack this. I then ran it and the log is attached although I think if the virus did not run at startup this might not tell much? I will print it here just in case it is useful. I have also managed to update Malwarebytes and will run a scan now. Thanks for your efforts to help me so far!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:31 PM, on 6/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\WINDOWS\system32\traymgr.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [cctray] C:\Program Files\CA\CA Internet Security Suite\casc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKLM\..\Policies\Explorer\Run: [MicrosoftCorp] C:\WINDOWS\system32\traymgr.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Easy-WebPrint Add To Print List - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: eBay Search - [You must be registered and logged in to see this link.] Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - [You must be registered and logged in to see this link.]
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - [You must be registered and logged in to see this link.]
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - [You must be registered and logged in to see this link.]
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

--
End of file - 8256 bytes


Re: Antivirus Live - Fake Security Software has taken over my pc

Post by justmeok on 6th December 2009, 11:10 am

Extra bit of info... I have just checked my google history for yesterday and the site that I think downloaded the problem is [link removed]. I remember that the name of the pdf document that I ignored was only very short and one minute after this site I closed everything down. Don't know if this is helpful or not. I will post malwarebytes log as soon as it is finished and await further instructions. Thanks again!


Re: Antivirus Live - Fake Security Software has taken over my pc

Post by Belahzur on 6th December 2009, 12:08 pm

Hello.
Thanks for the info, but don't post links in the forum since this is a public forum; anyone can follow that link and get infected too.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    O4 - HKLM\..\Policies\Explorer\Run: [MicrosoftCorp] C:\WINDOWS\system32\traymgr.exe

  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Re: Antivirus Live - Fake Security Software has taken over my pc

Post by justmeok on 6th December 2009, 12:49 pm

Hi there! Oh gosh I am so sorry about the link, I never even thought that someone else might get infected, my apologies! Before I saw your reply I had already run Malwarebytes and the Hijack this scan does not have exactly the same line as you mentioned so at this stage I have not removed it. Here is the second hijack this scan that was done after the Malwarebytes scan. I will post both logs now and wait for your instructions. Thanks again and I am sorry about the link!
Here is the 2nd hijack this scan log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:04 PM, on 6/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\traymgr.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SpamMATTERS Outlook Express Client\expressAI.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\CA\CA Internet Security Suite\ccupdate\CCUpdate.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [cctray] C:\Program Files\CA\CA Internet Security Suite\casc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [srkrjray] C:\Documents and Settings\Gayle Cox\Local Settings\Application Data\hjvtws\rbljsysguard.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [MicrosoftNAPC] C:\WINDOWS\system32\traymgr.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SpamMATTERS Outlook Express Interface] C:\Program Files\SpamMATTERS Outlook Express Client\expressAI.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Easy-WebPrint Add To Print List - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: eBay Search - [You must be registered and logged in to see this link.] Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - [You must be registered and logged in to see this link.]
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - [You must be registered and logged in to see this link.]
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - [You must be registered and logged in to see this link.]
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

--
End of file - 11477 bytes

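Added example, not part of the original thread and not any poster's own method: a small Python triage that parses HijackThis O4 (autorun) lines and compares two scans, which is enough to surface the entries at issue in the two logs above. The sample lines are abridged from those logs with the profile folder replaced by a placeholder; the three heuristics, the directory list and all function names are assumptions chosen for illustration.

```python
import re

# Registry autorun line as HijackThis prints it:
#   O4 - <key>: [<value name>] <command line>
# "O4 - Global Startup: ..." shortcut lines have a different shape and are skipped.
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|com|scr|bat|cmd|pif))(?=\s|$)", re.IGNORECASE)

# Assumed list of per-user directories a limited account can write to on XP.
USER_WRITABLE = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\local settings\\temporary internet files\\",
)

# Constructed samples: abridged from the two logs in this thread,
# profile folder replaced with the placeholder <user>.
SCAN_1 = r"""
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKLM\..\Policies\Explorer\Run: [MicrosoftCorp] C:\WINDOWS\system32\traymgr.exe
"""
SCAN_2 = r"""
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [srkrjray] C:\Documents and Settings\<user>\Local Settings\Application Data\hjvtws\rbljsysguard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MicrosoftNAPC] C:\WINDOWS\system32\traymgr.exe
"""


def image_path(cmd):
    """Return the lower-cased executable path from an autorun command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end != -1 else cmd[1:]
    else:
        # Unquoted paths may contain spaces, so cut at the first executable extension.
        m = IMAGE_RE.match(cmd)
        path = m.group(1) if m else cmd.split()[0]
    return path.lower()


def parse_o4(log_text):
    """Extract (key, value name, image path) for every registry O4 line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append((m.group("key"), m.group("name"), image_path(m.group("cmd"))))
    return entries


def triage(before_log, after_log):
    """Flag autoruns in after_log that deserve a closer look.

    Reasons are review hints, not verdicts:
      policy-run-key      entry lives under Policies\\Explorer\\Run, a Group Policy
                          autorun location that is unusual on a home machine
      user-writable-path  image sits in a per-user data or temp directory
      re-registered       same image was in before_log under another key/name
                          that is now gone, i.e. the autorun moved between scans
    """
    before = parse_o4(before_log)
    after = parse_o4(after_log)
    old_idents = {}
    for key, name, path in before:
        old_idents.setdefault(path, set()).add((key.lower(), name.lower()))
    current = {(key.lower(), name.lower()) for key, name, _ in after}

    findings = {}
    for key, name, path in after:
        reasons = []
        if key.lower().endswith("\\policies\\explorer\\run"):
            reasons.append("policy-run-key")
        if any(d in path for d in USER_WRITABLE):
            reasons.append("user-writable-path")
        old = old_idents.get(path, set())
        if old and (key.lower(), name.lower()) not in old and not (old & current):
            reasons.append("re-registered")
        if reasons:
            findings[(key, name)] = reasons
    return findings


if __name__ == "__main__":
    for label, result in (("scan 1", triage("", SCAN_1)),
                          ("scan 2 vs scan 1", triage(SCAN_1, SCAN_2))):
        print(label)
        for (key, name), reasons in result.items():
            print(f"  {key}: [{name}] -> {', '.join(reasons)}")
```

A flagged entry is a candidate for review against a scanner result, as happens later in the thread with the Malwarebytes logs; an unflagged entry is not thereby shown to be clean.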

Re: Antivirus Live - Fake Security Software has taken over my pc

Post by justmeok on 6th December 2009, 12:51 pm

Here is the Malwarebytes scan

Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

6/12/2009 11:16:19 PM
mbam-log-2009-12-06 (23-16-19).txt

Scan type: Full Scan (C:\|)
Objects scanned: 277345
Time elapsed: 1 hour(s), 42 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\microsoftcorp (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Gayle Cox\Local Settings\Temp\JBKJ.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gayle Cox\Local Settings\Application Data\hjvtws\rbljsysguard.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gayle Cox\Local Settings\Temporary Internet Files\Content.IE5\OY2NX3VK\op[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gayle Cox\My Documents\My Downloads\Programs\Utility Programs\ColorPix.exe (Trojan.Dropper) -> Quarantined and deleted successfully.


Re: Antivirus Live - Fake Security Software has taken over my pc

Post by justmeok on 6th December 2009, 12:55 pm

Also I now have Firefox opening on its own with 2 tabs. One tab shows the C: Program Files Mozilla Firefox local directory and the other tab has some really weird [You must be registered and logged in to see this link.] address. I have taken a screen print and will post it if you say that is ok?


Re: Antivirus Live - Fake Security Software has taken over my pc

Post by justmeok on 6th December 2009, 8:27 pm

Most recent Malwarebytes scan log

Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

7/12/2009 7:21:42 AM
mbam-log-2009-12-07 (07-21-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 277568
Time elapsed: 1 hour(s), 28 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoftnapc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srkrjray (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Antivirus Live - Fake Security Software has taken over my pc

Post by Belahzur on 7th December 2009, 12:57 am

Hello.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste BOTH LOGS back here, use more than one post if needed.


Please PM me if I fail to respond within 24hrs.



Re: Antivirus Live - Fake Security Software has taken over my pc

Post by justmeok on 7th December 2009, 7:48 am

Hi there,
Ok I have downloaded and have run DDS.scr and here is the first log


DDS (Ver_09-12-01.01) - NTFSx86
Run by Gayle Cox at 18:36:08.65 on Mon 07/12/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.1013.438 [GMT 11:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SpamMATTERS Outlook Express Client\expressAI.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Gayle Cox\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpamMATTERS Outlook Express Interface] c:\program files\spammatters outlook express client\expressAI.exe
uRun: [PowerBar] "c:\program files\cyberlink dvd solution\multimedia launcher\PowerBar.exe" /AtBootTime
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
mRun: [CAVRID] "c:\program files\ca\etrust vet antivirus\CAVRID.exe"
mRun: [cctray] c:\program files\ca\ca internet security suite\casc.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [SansaDispatch] c:\program files\sandisk\sansa updater\SansaDispatch.exe
mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [CloneDVDElbyDelay] "c:\program files\elaborate bytes\clonedvd\ElbyCheck.exe" /L ElbyDelay
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: c:\windows\system32\VetRedir.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - [You must be registered and logged in to see this link.]
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - [You must be registered and logged in to see this link.]
DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - [You must be registered and logged in to see this link.]
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} - [You must be registered and logged in to see this link.]
DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} - [You must be registered and logged in to see this link.]
DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} - [You must be registered and logged in to see this link.]
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
Notify: PFW - UmxWnp.Dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli pwdmon

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gaylec~1\applic~1\mozilla\firefox\profiles\2huatv31.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Australia
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\gayle cox\application data\mozilla\firefox\profiles\2huatv31.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\documents and settings\gayle cox\application data\mozilla\firefox\profiles\2huatv31.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\documents and settings\gayle cox\application data\mozilla\firefox\profiles\2huatv31.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - plugin: c:\documents and settings\gayle cox\application data\mozilla\firefox\profiles\2huatv31.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\gayle cox\local settings\application data\yahoo!\browserplus\2.4.21\plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\millisecond software\inquisit 2.0 mozilla plugin\npInquisit.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdbplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npInquisit.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMAHJONG.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\windows\system32\dnaml\npdbplug.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - hȋdden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - hȋdden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - hȋdden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - hȋdden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - hȋdden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - hȋdden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - hȋdden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2009-1-5 107512]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2008-11-18 72696]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-2-21 26352]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-2-21 21104]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2009-2-21 739696]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2009-2-21 21488]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-2-21 161008]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 CAISafe;CAISafe;c:\program files\ca\etrust vet antivirus\isafe.exe [2007-2-17 144696]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2009-2-21 128240]
R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2008-12-12 1153528]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2008-12-10 797176]
R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2008-12-19 297464]
R2 VETMSGNT;VET Message Service;c:\program files\ca\etrust vet antivirus\vetmsg.exe [2007-2-17 292080]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2008-12-12 205304]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2009-2-21 133520]
S3 TPM12;NSC Integrated Trusted Platform Module 1.2;c:\windows\system32\drivers\nsctpm12.sys [1980-1-1 13056]

=============== Created Last 30 ================

2009-12-06 10:02:17 0 d-----w- c:\program files\Trend Micro
2009-11-20 09:21:02 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-11-20 09:21:01 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-11-20 09:21:00 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-11-20 09:17:31 0 d--h--w- c:\windows\msdownld.tmp
2009-11-20 09:17:23 0 d-----w- c:\windows\Logs
2009-11-20 09:12:48 0 d-----w- c:\docume~1\gaylec~1\applic~1\Command & Conquer 3 Tiberium Wars
2009-11-20 09:12:19 98304 ----a-w- c:\windows\system32CmdLineExt.dll
2009-11-20 08:57:38 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll

==================== Find3M ====================

2009-12-03 05:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 05:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-28 00:33:54 111856 ----a-w- c:\windows\system32\isafprod.dll
2009-10-29 22:15:56 739696 ----a-w- c:\windows\system32\drivers\vetefile.sys
2009-10-29 22:15:56 26352 ----a-w- c:\windows\system32\drivers\vet-filt.sys
2009-10-29 22:15:56 21488 ----a-w- c:\windows\system32\drivers\vetfddnt.sys
2009-10-29 22:15:56 21104 ----a-w- c:\windows\system32\drivers\vet-rec.sys
2009-10-29 22:15:56 161008 ----a-w- c:\windows\system32\drivers\vetmonnt.sys
2009-10-29 22:15:56 133520 ----a-w- c:\windows\system32\drivers\veteboot.sys
2009-10-22 09:19:04 5939712 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-01 00:29:14 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-13 06:52:53 149305 ----a-w- c:\windows\fonts\AdobeFnt07.lst
2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:33:52 133632 ------w- c:\windows\system32\dllcache\msv1_0.dll
2005-03-31 11:17:42 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2002-09-27 01:32:50 272896 ----a-w- c:\program files\stripmail.exe
2009-07-18 05:04:58 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-13 02:14:44 180265 --sh--r- c:\windows\system32\traymgr.exe

============= FINISH: 18:38:03.51 ===============


Re: Antivirus Live - Fake Security Software has taken over my pc

Post by justmeok on 7th December 2009, 7:50 am

Here is the second log info

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 13/12/2005 9:31:08 PM
System Uptime: 12/07/2009 6:32:20 PM (3552 hours ago)

Motherboard: IBM | | IBM
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | LGA775/PSC/TJS | 2992/200mhz
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | LGA775/PSC/TJS | 2992/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 71 GiB total, 20.627 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1484: 9/09/2009 1:41:13 AM - System Checkpoint
RP1485: 10/09/2009 3:05:12 AM - System Checkpoint
RP1486: 10/09/2009 8:47:15 AM - Software Distribution Service 3.0
RP1487: 11/09/2009 1:42:38 AM - Software Distribution Service 3.0
RP1488: 12/09/2009 2:35:07 AM - System Checkpoint
RP1489: 13/09/2009 3:47:09 AM - System Checkpoint
RP1490: 14/09/2009 3:59:09 AM - System Checkpoint
RP1491: 15/09/2009 2:01:31 AM - Software Distribution Service 3.0
RP1492: 16/09/2009 2:12:57 AM - System Checkpoint
RP1493: 17/09/2009 2:36:58 AM - System Checkpoint
RP1494: 18/09/2009 2:17:39 AM - Software Distribution Service 3.0
RP1495: 19/09/2009 2:26:36 AM - System Checkpoint
RP1496: 20/09/2009 9:31:23 AM - System Checkpoint
RP1497: 21/09/2009 9:38:36 AM - System Checkpoint
RP1498: 22/09/2009 1:50:43 AM - Software Distribution Service 3.0
RP1499: 23/09/2009 3:42:53 AM - System Checkpoint
RP1500: 24/09/2009 4:18:22 AM - System Checkpoint
RP1501: 25/09/2009 1:36:37 AM - Software Distribution Service 3.0
RP1502: 26/09/2009 2:56:09 AM - System Checkpoint
RP1503: 27/09/2009 3:56:08 AM - System Checkpoint
RP1504: 27/09/2009 1:38:58 PM - Installed Adobe Photoshop Lightroom 2.5.
RP1505: 29/09/2009 11:07:12 PM - Software Distribution Service 3.0
RP1506: 1/10/2009 12:07:05 AM - System Checkpoint
RP1507: 3/10/2009 9:45:01 AM - Software Distribution Service 3.0
RP1508: 4/10/2009 8:24:00 AM - Removed Windows Defender
RP1509: 5/10/2009 9:40:44 AM - System Checkpoint
RP1510: 6/10/2009 4:04:42 PM - System Checkpoint
RP1511: 7/10/2009 4:06:55 PM - System Checkpoint
RP1512: 8/10/2009 10:26:14 PM - System Checkpoint
RP1513: 9/10/2009 10:38:52 PM - System Checkpoint
RP1514: 10/10/2009 11:11:47 PM - System Checkpoint
RP1515: 12/10/2009 12:31:18 AM - System Checkpoint
RP1516: 13/10/2009 1:19:18 AM - System Checkpoint
RP1517: 13/10/2009 8:28:51 AM - Software Distribution Service 3.0
RP1518: 14/10/2009 8:44:07 AM - System Checkpoint
RP1519: 16/10/2009 11:39:43 AM - System Checkpoint
RP1520: 17/10/2009 11:42:16 AM - System Checkpoint
RP1521: 18/10/2009 12:18:15 PM - System Checkpoint
RP1522: 18/10/2009 11:05:00 PM - Software Distribution Service 3.0
RP1523: 19/10/2009 11:14:19 PM - System Checkpoint
RP1524: 20/10/2009 11:26:19 PM - System Checkpoint
RP1525: 21/10/2009 11:26:29 PM - System Checkpoint
RP1526: 23/10/2009 8:13:10 PM - System Checkpoint
RP1527: 24/10/2009 7:27:14 AM - Installed Java(TM) 6 Update 16
RP1528: 25/10/2009 7:49:33 AM - System Checkpoint
RP1529: 26/10/2009 8:16:47 AM - System Checkpoint
RP1530: 27/10/2009 8:37:32 AM - System Checkpoint
RP1531: 28/10/2009 9:13:42 AM - System Checkpoint
RP1532: 29/10/2009 10:28:34 AM - System Checkpoint
RP1533: 30/10/2009 10:29:23 AM - System Checkpoint
RP1534: 31/10/2009 11:32:45 AM - System Checkpoint
RP1535: 1/11/2009 12:24:16 PM - System Checkpoint
RP1536: 2/11/2009 7:30:11 PM - System Checkpoint
RP1537: 3/11/2009 8:19:48 PM - System Checkpoint
RP1538: 4/11/2009 12:13:53 AM - Software Distribution Service 3.0
RP1539: 5/11/2009 12:35:45 AM - System Checkpoint
RP1540: 6/11/2009 1:35:45 AM - System Checkpoint
RP1541: 7/11/2009 2:47:45 AM - System Checkpoint
RP1542: 8/11/2009 10:26:38 AM - System Checkpoint
RP1543: 9/11/2009 7:15:57 PM - System Checkpoint
RP1544: 10/11/2009 7:52:48 PM - System Checkpoint
RP1545: 11/11/2009 9:24:52 PM - System Checkpoint
RP1546: 12/11/2009 8:15:19 AM - Software Distribution Service 3.0
RP1547: 13/11/2009 8:51:42 AM - System Checkpoint
RP1548: 14/11/2009 10:04:39 AM - System Checkpoint
RP1549: 15/11/2009 11:38:20 AM - System Checkpoint
RP1550: 16/11/2009 1:48:28 PM - System Checkpoint
RP1551: 17/11/2009 2:23:28 PM - System Checkpoint
RP1552: 18/11/2009 2:43:43 PM - System Checkpoint
RP1553: 20/11/2009 3:35:04 PM - System Checkpoint
RP1554: 20/11/2009 7:42:39 PM - Installed Command & Conquer 3.
RP1555: 20/11/2009 8:20:08 PM - Installed DirectX
RP1556: 21/11/2009 1:20:54 PM - Removed Command & Conquer 3.
RP1557: 22/11/2009 6:56:00 PM - System Checkpoint
RP1558: 23/11/2009 7:29:16 PM - System Checkpoint
RP1559: 25/11/2009 3:47:25 PM - System Checkpoint
RP1560: 26/11/2009 7:24:07 AM - Software Distribution Service 3.0
RP1561: 28/11/2009 12:01:33 PM - System Checkpoint
RP1562: 29/11/2009 12:13:38 PM - System Checkpoint
RP1563: 30/11/2009 12:16:05 PM - System Checkpoint
RP1564: 1/12/2009 12:19:02 PM - System Checkpoint
RP1565: 2/12/2009 1:07:02 PM - System Checkpoint
RP1566: 3/12/2009 7:17:38 PM - System Checkpoint
RP1567: 4/12/2009 7:26:58 PM - System Checkpoint
RP1568: 7/12/2009 2:22:40 AM - System Checkpoint

==== Installed Programs ======================

Access IBM
Access IBM Message Center
Ad-Aware
Adobe Acrobat 6.0.1 Professional
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Photoshop Lightroom 2.5
Adobe Reader 8.1.3
Adobe Shockwave Player 11
Adobe® Photoshop® Album Starter Edition 3.2
Ahead Nero Burning ROM
Alt-Tab Task Switcher Powertoy for Windows XP
AM-DeadLink 3.3
Brother P-touch Address Book 1.0
Brother P-touch Editor 4.2
Brother P-touch Software
Brother QL-Series User's Guide
CA Anti-Virus
CA Internet Security Suite
Camera Window
Canon Camera Window for ZoomBrowser EX
Canon MP Navigator 2.0
Canon MP800
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Easy-PhotoPrint
Canon Utilities File Viewer Utility 1.3
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
CD-LabelPrint
ClearType Tuning Control Panel Applet
Clever Island Demo
CloneDVD
Corel Paint Shop Pro X
Critical Update for Windows Media Player 11 (KB959772)
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVD Solution
Easy-WebPrint
Easy Thumbnails (Remove only)
Express Burn
Express Rip
File Viewer Utility 1.3.2
Foxit Reader
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB929120)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
IBM 32-bit Runtime Environment for Java 2, v1.4.2
IBM Rescue and Recovery with Rapid Restore
IBM Themes
IBM ThinkVantage Technologies Welcome Message
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
InterVideo WinDVD
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 16
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
JustStyle CSS Editor 1.3.3
Logitech Harmony Remote Software 7
Macromedia Dreamweaver 4
Macromedia Extension Manager
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Pro 7.0
Microsoft Greetings
Microsoft IntelliPoint 6.11
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mouse Suite
Mozilla Firefox (3.5.3)
Mozilla Thunderbird (2.0.0.23)
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Multimedia Launcher
MYOB Accounting Plus v12
MYOB Premier v7 TE
NCH Toolbox
OmniPage SE 2.0
OZtion Express Lister 2.02
PageBreeze Free HTML Editor
Paint Shop Pro 7 Anniversary Edition
PC-Doctor for Windows
Philips Flat Panel Adjust
PhotoFiltre
PhotoStitch
PowerDVD
PowerProducer
QuickTime
RAW Image Task
Remote Control USB Driver
RemoteCapture 2.7.5
RemoteCapture Task
Sansa Media Converter
Sansa Updater
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Simply Budgets Personal
Simply Budgets Personal - Version 1.4 Upgrade
Software Installer
SoundMAX
SpamMATTERS Outlook Express Client
Spybot - Search & Destroy 1.4
Stamina 2.5
Switch
System Migration Assistant 5.0
System Workshop 2.3
Trillian
Turbo Lister 2
Tweak UI
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player (Remove Only)
Wallpapers
WavePad Uninstall
WebFldrs XP
Webshots Desktop
Windows Defender Signatures
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB885894
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
WinMerge 2.12.4
Yahoo! BrowserPlus

==== Event Viewer Messages From Past Week ========

5/12/2009 1:32:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the ProtexisLicensing service to connect.
5/12/2009 1:32:49 PM, error: Service Control Manager [7000] - The ProtexisLicensing service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/12/2009 1:32:45 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
5/12/2009 1:32:45 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
3/12/2009 4:33:29 PM, error: System Error [1003] - Error code 000000ea, parameter1 8681ada8, parameter2 86ab6660, parameter3 86929a50, parameter4 00000001.
3/12/2009 3:56:04 PM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 001125EB4C38 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================
Thanks so much for all your help


Re: Antivirus Live - Fake Security Software has taken over my pc

Post by Belahzur on 7th December 2009, 8:41 pm

Hello.


Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) 6 Update 16
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1
    Viewpoint Media Player (Remove Only)

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Select the first option where it says "This special release provides a few key fixes.".
  • Click the "Download" button to the right.
  • In the window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u17-windows-i586.exe that you downloaded to install the newest version.


How is the machine running now?


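An added example, not part of the post above or of the DDS tool: a Python script that reads an installed-programs list like the one in the DDS log and picks out the superseded Java runtimes the post asks to uninstall. The function names and the sample list are constructed for illustration, and the 6u17 target is an assumption taken from the installer filename in the post.

```python
import re

# Display-name schemes seen in the thread's installed-programs list:
#   "J2SE Runtime Environment 5.0 Update 11"
#   "Java(TM) 6 Update 16"
#   "Java(TM) SE Runtime Environment 6 Update 1"
JAVA_RE = re.compile(
    r"^(?:J2SE Runtime Environment|Java\(TM\)(?: SE Runtime Environment)?)"
    r"\s+(\d+)(?:\.0)?(?:\s+Update\s+(\d+))?$"
)

# Constructed sample in the style of a DDS installed-programs list.
SAMPLE = """\
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 16
Java(TM) 6 Update 17
Java(TM) 6 Update 2
Java(TM) SE Runtime Environment 6 Update 1
JavaScript Notepad (constructed non-JRE entry)
Security Update for Windows XP (KB951376-v2)
Spybot - Search & Destroy 1.4
"""


def parse_jre(name):
    """Return (family, update) for a JRE display name, or None."""
    m = JAVA_RE.match(name.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def audit_jres(program_list, target=(6, 17)):
    """Sort installed JREs into superseded / newer relative to target.

    target defaults to 6u17, an assumption based on the installer
    named in the post (jre-6u17-windows-i586.exe).
    """
    found = {}
    for line in program_list.splitlines():
        version = parse_jre(line)
        if version is not None:
            found[line.strip()] = version  # dict drops duplicate lines
    return {
        "superseded": sorted((n for n, v in found.items() if v < target),
                             key=lambda n: found[n]),
        "target_installed": target in found.values(),
        "newer_than_target": sorted(n for n, v in found.items() if v > target),
    }


if __name__ == "__main__":
    report = audit_jres(SAMPLE)
    for name in report["superseded"]:
        print("remove:", name)
    if not report["target_installed"]:
        print("install: Java 6 Update 17")
```

Entries that do not match one of the three naming schemes are ignored, so any Java entry with a different display name still needs a manual look.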

Re: Antivirus Live - Fake Security Software has taken over my pc

Post by justmeok on 9th December 2009, 9:26 am

Hi Belahzur,
My machine seems to be running perfectly now. I really want to express my gratitude for your patience and help. Without your help I am sure my machine would not have recovered at all! It is very generous to freely give your time to help someone you don't even know. Thank you so much again, it really is very much appreciated.


Re: Antivirus Live - Fake Security Software has taken over my pc

Post by Belahzur on 9th December 2009, 2:16 pm

Hello.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.



Re: Antivirus Live - Fake Security Software has taken over my pc

Post by justmeok on 2nd January 2010, 1:01 am

Hi Belahzur!
Happy New Year to you! I have now completed all of the steps above that you recommended. I have not used internet banking etc since the problem started. Can you tell me if it is now safe to do that as I am a little bit worried?
Thank you so much again for your help
Kind regards
Gayle


Re: Antivirus Live - Fake Security Software has taken over my pc

Post by Belahzur on 2nd January 2010, 1:03 am

Yeah, should be. No malware was hiding from what I can see in DDS, and MBAM didn't detect a lot of items either.



Re: Antivirus Live - Fake Security Software has taken over my pc

Post by justmeok on 2nd January 2010, 5:02 am

Many thanks
