Counterfeit Windows Security

Counterfeit Windows Security

Post by vonmorg on Tue Feb 12, 2013 11:37 pm

I am getting notices popping up that I "may be the victim of Counterfeiting." That my "copy of Windows did not pass genuine Windows validation." It then wants me to go to a link to purchase Windows 7. It is threatening to shut down my system in 6 days, (it started at 30 days). A tech said I had been hit. Can this be fixed or will my system shut down?

vonmorg
Novice
Posts : 8
Joined : 2013-02-12
OS : Windows XP Pro

Re: Counterfeit Windows Security

Post by Superdave on Wed Feb 13, 2013 7:18 pm

Hello and welcome to GeekPolice.Net. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*****************************************************************
Please download [You must be registered and logged in to see this link.] by Xplode onto your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

*********************************************
Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.]
Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Superdave
Captain
Posts : 4202
Joined : 2010-02-01
Gender : Male
OS : Windows 8.1 and a dual-boot with XP Home SP3

Re: Counterfeit Windows Security

Post by vonmorg on Wed Feb 13, 2013 11:09 pm

# AdwCleaner v2.112 - Logfile created 02/13/2013 at 18:01:05
# Updated 10/02/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : mom - THEPANTRY
# Boot Mode : Normal
# Running from : C:\Documents and Settings\mom\Local Settings\Temporary Internet Files\Content.IE5\1ZFCXSD5\adwcleaner0[1].exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\Program Files\Mozilla Firefox\.autoreg
Folder Found : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Found : C:\Documents and Settings\mom\Application Data\Viewpoint

***** [Registry] *****

Key Found : HKCU\Software\ICQToolbar
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{855F3B16-6D32-4FE6-8A56-BBB695989046}
Key Found : HKCU\Software\Viewpoint
Key Found : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{855F3B16-6D32-4FE6-8A56-BBB695989046}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\Software\Viewpoint
Key Found : HKU\S-1-5-21-1708537768-963894560-839522115-1004\Software\Microsoft\Internet Explorer\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{855F3B16-6D32-4FE6-8A56-BBB695989046}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{855F3B16-6D32-4FE6-8A56-BBB695989046}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{855F3B16-6D32-4FE6-8A56-BBB695989046}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v3.6.13 (en-US)

File : C:\Documents and Settings\mom\Application Data\Mozilla\Firefox\Profiles\xqhc1we7.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2497 octets] - [13/02/2013 18:01:05]

########## EOF - C:\AdwCleaner[R1].txt - [2557 octets] ##########


Re: Counterfeit Windows Security

Post by vonmorg on Wed Feb 13, 2013 11:32 pm

Dave,
I am a PC novice, I can't find where to disable my Avast anti virus & don't know how to find my firewall to run the Malware.


Last edited by vonmorg on Wed Feb 13, 2013 11:34 pm; edited 1 time in total (Reason for editing : to be more clear)


Re: Counterfeit Windows Security

Post by Superdave on Wed Feb 13, 2013 11:46 pm

Remove the Adware:

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

**************************************************
I am a PC novice, I can't find where to disable my Avast anti virus & don't know how to find my firewall to run the Malware.
You don't need to disable anything to run MBAM.

Download Security Check by screen317 from one of the following links and save it to your desktop.

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.


Re: Counterfeit Windows Security

Post by vonmorg on Sat Feb 16, 2013 5:12 am

[You must be registered and logged in to see this link.]


Re: Counterfeit Windows Security

Post by vonmorg on Sat Feb 16, 2013 5:14 am

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
[You must be registered and logged in to see this link.]

Database version: v2013.02.15.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
mom :: THEPANTRY [administrator]

Protection: Enabled

2/15/2013 7:14:11 PM
MBAM-log-2013-02-15 (23-47-53).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 440500
Time elapsed: 4 hour(s), 24 minute(s), 33 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 5
HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (Adware.Minibug) -> No action taken.
HKCR\TypeLib\{3C2D2A1E-031F-4397-9614-87C932A848E0} (Adware.Minibug) -> No action taken.
HKCR\Interface\{04A38F6B-006F-4247-BA4C-02A139D5531C} (Adware.Minibug) -> No action taken.
HKCR\MiniBugTransporter.MiniBugTransporterX.1 (Adware.Minibug) -> No action taken.
HKCR\MiniBugTransporter.MiniBugTransporterX (Adware.Minibug) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> No action taken.

(end)

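A parser for the MBAM 1.x scan log posted above, added here as an example; it is not code from the forum or from Malwarebytes. It assumes the layout seen in the post: a `<Category> Detected: N` line introducing each section, and detection entries of the form `<item> (<threat>) -> <action>.`. The sample log is a constructed subset transcribed from the post, and the `unactioned` check picks out the detections that were only reported, which is what the next reply in the thread asks to be re-run with removal.

```python
import re

# Constructed sample: a subset of the MBAM log posted in this thread.
SAMPLE_MBAM_LOG = r"""Malwarebytes Anti-Malware (Trial) 1.70.0.1100

Database version: v2013.02.15.09

Scan type: Full scan (C:\|)
Objects scanned: 440500

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 5
HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (Adware.Minibug) -> No action taken.
HKCR\TypeLib\{3C2D2A1E-031F-4397-9614-87C932A848E0} (Adware.Minibug) -> No action taken.
HKCR\Interface\{04A38F6B-006F-4247-BA4C-02A139D5531C} (Adware.Minibug) -> No action taken.
HKCR\MiniBugTransporter.MiniBugTransporterX.1 (Adware.Minibug) -> No action taken.
HKCR\MiniBugTransporter.MiniBugTransporterX (Adware.Minibug) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> No action taken.

(end)
"""

# "<Category> Detected: <count>" introduces each section of the log (assumed layout).
COUNT_RE = re.compile(r"^(?P<category>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "<item> (<threat family>) -> <action taken>." is one detection entry (assumed layout).
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (counts, detections): the per-category totals the log claims, and
    one dict per detection line carrying its category, item, threat and action."""
    counts = {}
    detections = []
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNT_RE.match(line)
        if m:
            category = m.group("category")
            counts[category] = int(m.group("count"))
            continue
        m = DETECTION_RE.match(line)
        if m and category is not None:
            detections.append({
                "category": category,
                "item": m.group("item"),
                "threat": m.group("threat"),
                "action": m.group("action").rstrip("."),
            })
    return counts, detections


def unactioned(detections):
    """Detections the scan only reported; these still need a removal run."""
    return [d for d in detections if d["action"].lower().startswith("no action")]


def threat_families(detections):
    """Distinct threat names (e.g. Adware.Minibug) for a quick picture of what was found."""
    return sorted({d["threat"] for d in detections})


def counts_match(counts, detections):
    """Cross-check the claimed totals against the entries actually listed;
    a mismatch usually means a truncated paste."""
    seen = {}
    for d in detections:
        seen[d["category"]] = seen.get(d["category"], 0) + 1
    return all(seen.get(cat, 0) == n for cat, n in counts.items())


if __name__ == "__main__":
    totals, found = parse_mbam_log(SAMPLE_MBAM_LOG)
    print(f"{len(found)} detections, {len(unactioned(found))} not actioned, "
          f"families={threat_families(found)}, counts consistent={counts_match(totals, found)}")
```

Run as a script it prints the summary for the embedded sample; on a pasted log, read the file and pass its text to `parse_mbam_log`. The `counts_match` cross-check is there because helpers work from pasted text, and a log that lists fewer entries than its own totals claim is the usual sign of a clipped paste.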

Re: Counterfeit Windows Security

Post by vonmorg on Sat Feb 16, 2013 5:30 am

Results of screen317's Security Check version 0.99.57
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
avast! Antivirus
Microsoft Security Essentials
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.70.0.1100
Java(TM) 6 Update 17
Java 2 Runtime Environment, SE v1.4.2_06
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 10.1.102.64 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (3.6.13) Firefox out of Date!
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast avastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 6%
````````````````````End of Log``````````````````````


Re: Counterfeit Windows Security

Post by Superdave on Sat Feb 16, 2013 7:37 pm

Please run MBAM again and this time, remove the selected infections and post the log.

Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.


First [You must be registered and logged in to see this link.]

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the [You must be registered and logged in to see this link.].

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download [You must be registered and logged in to see this link.] and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: [You must be registered and logged in to see this link.] adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
****************************************************
Update your Adobe Reader. [You must be registered and logged in to see this link.].

Be sure to uncheck the Free McAfee Security Scan so it isn't installed.

*****************************************************
The Security log shows that you have two AV programs on your computer: Microsoft Security Essentials and avast! Antivirus. One will have to be disabled/uninstalled as they can cause conflicts.
Did you run adwCleaner again to clean the crap out?


Download Combofix from any of the links below, and save it to your DESKTOP.
If your version of Windows defaults to your download folder you will need to copy it to your desktop.

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

To prevent your anti-virus application interfering with ComboFix we need to disable it. See [You must be registered and logged in to see this link.] for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:



Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

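A triage of the Security Check output posted earlier in the thread, written as an added example rather than code from the forum or from screen317's tool. It assumes the layout seen in that post: section titles wrapped in backtick rulers, one product or status per line, and the phrase "out of Date!" marking stale software. The sample log is constructed by transcribing the posted output, and the functions surface the three things the reply above acts on: two antivirus products installed, on-access scanning disabled, and out-of-date Java, Flash, Reader and Firefox.

```python
import re


def _hdr(title, n):
    """Reproduce the tool's backtick rulers around a section title (sample construction only)."""
    return "`" * n + title + "`" * n


# Constructed sample, transcribed from the Security Check log posted in this thread.
SAMPLE_SECURITY_CHECK_LOG = "\n".join([
    "Results of screen317's Security Check version 0.99.57",
    "Windows XP Service Pack 3 x86",
    "Internet Explorer 8",
    _hdr("Antivirus/Firewall Check:", 14),
    "Windows Firewall Enabled!",
    "Microsoft Security Essentials",
    "avast! Antivirus",
    "Microsoft Security Essentials",
    "Antivirus up to date! (On Access scanning disabled!)",
    _hdr("Anti-malware/Other Utilities Check:", 9),
    "Malwarebytes Anti-Malware version 1.70.0.1100",
    "Java(TM) 6 Update 17",
    "Java 2 Runtime Environment, SE v1.4.2_06",
    "Java version out of Date!",
    "Adobe Flash Player 10 Flash Player out of Date!",
    "Adobe Flash Player 10.1.102.64 Flash Player out of Date!",
    "Adobe Reader 9 Adobe Reader out of Date!",
    "Mozilla Firefox (3.6.13) Firefox out of Date!",
    _hdr("Process Check: objlist.exe by Laurent", 8),
    "Microsoft Security Essentials MSMpEng.exe",
    "Malwarebytes Anti-Malware mbamservice.exe",
    "AVAST Software Avast AvastSvc.exe",
    _hdr("System Health check", 17),
    "Total Fragmentation on Drive C:: 6%",
    _hdr("End of Log", 20),
])

# A section header is a title between runs of backticks (assumed layout).
SECTION_RE = re.compile(r"^`+(?P<title>.+?):?`+$")
# Status lines in the AV section that are not product names.
STATUS_RE = re.compile(r"(Enabled!|Disabled!|up to date!|out of Date!)")


def split_sections(text):
    """Group the log's lines under the title of the backtick-ruled header above them."""
    sections = {"Preamble": []}
    current = "Preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("title")
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def antivirus_products(sections):
    """Distinct AV product names under Antivirus/Firewall Check (status lines and duplicates dropped)."""
    names = []
    for line in sections.get("Antivirus/Firewall Check", []):
        if STATUS_RE.search(line):
            continue
        if line not in names:
            names.append(line)
    return names


def out_of_date(sections):
    """Every product the tool flagged with 'out of Date!', from any section."""
    stale = []
    for lines in sections.values():
        for line in lines:
            if "out of Date!" in line:
                stale.append(line.replace("out of Date!", "").strip())
    return stale


def on_access_disabled(sections):
    """True when the AV status line reports real-time (on-access) scanning off."""
    return any("On Access scanning disabled" in line
               for line in sections.get("Antivirus/Firewall Check", []))


def triage(text):
    """Summarise the findings a helper would act on from a Security Check log."""
    sections = split_sections(text)
    avs = antivirus_products(sections)
    stale = out_of_date(sections)
    findings = []
    if len(avs) > 1:
        findings.append("multiple antivirus products installed: " + ", ".join(avs))
    if on_access_disabled(sections):
        findings.append("on-access scanning disabled")
    findings += ["out of date: " + item for item in stale]
    return {"antivirus": avs, "out_of_date": stale, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_SECURITY_CHECK_LOG)["findings"]:
        print(finding)
```

Two or more entries in `antivirus` is the conflict the reply warns about; `out_of_date` lists the software the reply asks to be updated, and old Java and Flash in particular were common infection routes on XP-era machines, which is why the tool calls them out.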

Re: Counterfeit Windows Security

Post by vonmorg on Mon Feb 18, 2013 9:00 am

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
[You must be registered and logged in to see this link.]

Database version: v2013.02.17.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
mom :: THEPANTRY [administrator]

Protection: Disabled

2/17/2013 8:28:37 PM
mbam-log-2013-02-17 (20-28-37).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 434496
Time elapsed: 1 hour(s), 27 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Re: Counterfeit Windows Security

Post by vonmorg on Mon Feb 18, 2013 9:01 am

ComboFix 13-02-15.01 - mom 02/18/2013 0:49.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.136 [GMT -5:00]
Running from: c:\documents and settings\mom\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\mom\Application Data\HPSU_48BitScanUpdate.log
c:\documents and settings\mom\Recent\Thumbs.db
c:\documents and settings\mom\WINDOWS
c:\windows\system32\DC120fc7_32.dll
c:\windows\system32\inf
c:\windows\system32\inf\H1e10220.inf
c:\windows\system32\ps2.bat
c:\windows\system32\spool\prtprocs\w32x86\LXAIPP5C.DLL
.
.
((((((((((((((((((((((((( Files Created from 2013-01-18 to 2013-02-18 )))))))))))))))))))))))))))))))
.
.
2013-02-16 00:00 . 2013-02-16 00:00 -------- d-----w- c:\documents and settings\mom\Application Data\Malwarebytes
2013-02-16 00:00 . 2013-02-16 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-02-15 23:59 . 2012-12-14 21:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-02-15 23:59 . 2013-02-16 00:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-30 10:53 . 2009-12-26 21:37 232336 ------w- c:\windows\system32\MpSigStub.exe
2013-01-26 03:55 . 2001-08-23 12:00 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-07 01:16 . 2001-08-23 12:00 2193024 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-07 00:36 . 2001-08-17 13:48 2069760 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20 . 2001-08-23 12:00 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-01-02 06:49 . 2004-12-22 19:51 148992 ----a-w- c:\windows\system32\mpg2splt.ax
2013-01-02 06:49 . 2003-05-13 15:28 1292288 ----a-w- c:\windows\system32\quartz.dll
2012-12-26 20:16 . 2004-08-24 00:32 916480 ----a-w- c:\windows\system32\wininet.dll
2012-12-26 20:16 . 2004-12-22 19:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-12-26 20:16 . 2004-12-22 19:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-12-24 06:40 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2012-12-16 12:23 . 2001-08-23 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2005-12-09 15:54 . 2005-12-09 15:54 10091750 ----a-w- c:\program files\PAF5EnglishSetup.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 22:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPWebCap"="c:\progra~1\VISION~1\PAPERP~1\PPWebCap.exe" [1999-04-13 43008]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2004-09-09 1597440]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-08-20 118784]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-12-03 07:35 946352 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2005-03-04 16:01 88209 ----a-w- c:\windows\AGRSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 18:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-08-20 20:55 155648 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON]
2002-05-06 12:40 900096 ----a-w- c:\windows\system32\LXSUPMON.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-08-01 22:47 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2005-10-25 00:37 14892072 ----a-w- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2001-10-31 16:59 73728 ----a-w- c:\program files\NavNT\vptray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
2004-09-09 22:35 1597440 ----a-w- c:\progra~1\AWS\WEATHE~1\Weather.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"GoogleDesktopManager-110309-193829"=3 (0x3)
"DefWatch"=2 (0x2)
"Norton AntiVirus Server"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Microsoft Office\\Office10\\OUTLOOK.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [10/24/2012 4:56 PM 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/24/2012 4:56 PM 361032]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/24/2012 4:56 PM 21256]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/15/2013 6:59 PM 21104]
S2 CoachCap;Concord Eye-Q Duo 2000 USB Video Capture V1.01;c:\windows\system32\drivers\coachcap.sys [1/20/2005 4:08 PM 93068]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2/15/2013 7:00 PM 398184]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/15/2013 7:00 PM 682344]
S3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [1/20/2005 4:27 PM 15104]
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-17 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-10-24 22:50]
.
2013-02-17 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
TCP: DhcpNameServer = 207.255.0.43 207.255.0.45
DPF: Garmin Communicator Plug-In - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\mom\Application Data\Mozilla\Firefox\Profiles\xqhc1we7.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: [You must be registered and logged in to see this link.] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: avast! WebRep: [You must be registered and logged in to see this link.] - c:\program files\AVAST Software\Avast\WebRep\FF
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-Run-DWQueuedReporting - c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
AddRemove-MGI_PRISM_V1_0 - c:\program files\MGI\MGI PhotoSuite II\System\MGIUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2013-02-18 01:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(576)
c:\windows\System32\NavLogon.dll
.
Completion time: 2013-02-18 01:14:52
ComboFix-quarantined-files.txt 2013-02-18 06:14
.
Pre-Run: 27,771,293,696 bytes free
Post-Run: 28,668,301,312 bytes free
.
- - End Of File - - 85EB52FC8094C679733103D6AA18913A


Re: Counterfeit Windows Security

Post by Superdave on Mon Feb 18, 2013 8:06 pm

The log shows that you have two AVs on your computer: avast! Antivirus and Microsoft Security Essentials. One will have to be disabled/uninstalled because running two or more AVs can cause conflicts.

SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

[You must be registered and logged in to see this link.]

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.

    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected

  • At the bottom of the page

    • Hidden Objects Only << Selected

  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

******************************************************

  • Download [You must be registered and logged in to see this link.] on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

