"Total XP Security" False Detections


  • This topic is locked
2 replies to this topic

#1 Malakov

Malakov

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:37 PM

Posted 26 March 2010 - 10:04 AM

A rogue program named "Total XP Security" has plopped itself on my system, and I cannot remove it. Any help would be appreciated.

I will be gone for the weekend, returning Sunday evening, please don't view my failure to respond as having already found a solution or giving up. I will be back.

PS: "Browse" function for attachments is not working. How else can I safely upload my Attach.txt and Ark.txt for you?


DDS (Ver_10-03-17.01) - NTFSx86
Run by Damien at 9:58:21.70 on 26/03/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.2047.1351 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Documents and Settings\Damien\Local Settings\Application Data\ave.exe
D:\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
D:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Damien\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.ca/
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "d:\avira\antivir desktop\avgnt.exe" /min
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {D1B75989-DC49-4CA1-8502-86B23AB8F1CA} = 67.69.234.1 207.164.234.193
AppInit_DLLs: app_dll.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.virustotal.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\damien\applic~1\mozilla\firefox\profiles\vsy19gmm.default\
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - plugin: d:\program files\adobe\reader 9.0\reader\browser\nppdf32.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
d:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
d:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
d:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
d:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;d:\avira\antivir desktop\avgio.sys [2010-2-13 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\avira\antivir desktop\sched.exe [2010-2-13 108289]
R2 AntiVirService;Avira AntiVir Guard;d:\avira\antivir desktop\avguard.exe [2010-2-13 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-13 56816]
S0 dyhbaw;dyhbaw; [x]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-1-12 1684736]

============== File Associations ===============

.exe=secfile

=============== Created Last 30 ================

2010-03-19 11:42:32 0 dc-h--w- c:\windows\ie8
2010-03-10 22:05:13 0 d-----w- c:\program files\Microsoft
2010-03-10 01:27:15 0 d-----w- c:\docume~1\damien\applic~1\Xfire
2010-03-05 00:15:32 41872 ----a-w- c:\windows\system32\xfcodec.dll

==================== Find3M ====================

2010-02-16 04:19:53 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-12 13:32:51 54016 ----a-w- c:\windows\system32\drivers\xjlegjd.sys
2010-02-11 13:09:24 6945 --sha-w- c:\windows\E88D4.exe
2010-01-19 00:53:54 67863 ----a-w- c:\windows\system32\x264vfw-uninstall.exe
2010-01-12 22:36:58 9715200 ----a-w- c:\windows\RTLCPL.EXE
2010-01-12 22:36:58 77824 ----a-w- c:\windows\SOUNDMAN.EXE
2010-01-12 22:36:58 290816 ----a-w- c:\windows\vncutil.exe
2010-01-12 22:36:58 1826816 ----a-w- c:\windows\SkyTel.exe
2010-01-12 22:36:58 1482752 ----a-w- c:\windows\RtlUpd.exe
2010-01-12 22:36:57 41472 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2010-01-12 22:36:57 2168320 ----a-w- c:\windows\MicCal.exe
2010-01-12 22:36:57 18671104 ----a-w- c:\windows\RTHDCPL.EXE
2010-01-12 22:36:57 122880 ----a-w- c:\windows\RtkAudioService.exe
2010-01-12 22:36:55 57344 ----a-w- c:\windows\ALCMTR.EXE
2010-01-12 22:36:55 2808832 ----a-w- c:\windows\ALCWZRD.EXE
2010-01-12 22:36:49 831488 ----a-w- c:\windows\RtlExUpd.dll
2010-01-12 21:41:20 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 9:59:20.09 ===============
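An added example, not part of the original post or of the DDS tool: a small Python checker that walks lines in the Pseudo HJT Report and services format shown in the log above and flags the settings a rogue antivirus typically tampers with. The checks, their labels and the sample lines are assumptions made here for illustration, not rules DDS itself applies.

```python
import re

# Constructed sample: a few lines copied from the DDS log posted above,
# mixed with one clean service entry so the checker has something to ignore.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableRegistryTools = 1 (0x1)
AppInit_DLLs: app_dll.dll
Hosts: 127.0.0.1 www.virustotal.com
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-13 56816]
S0 dyhbaw;dyhbaw; [x]
.exe=secfile
"""

# Heuristics assumed here: each pattern is a setting a clean XP install does
# not normally show and that rogue security software commonly changes.
CHECKS = [
    # .exe should map to "exefile"; anything else redirects every program launch
    (re.compile(r"^\.exe=(?!exefile\b)(\S+)"), "exe association hijacked"),
    # a DLL listed in AppInit_DLLs is loaded into every user-mode process
    (re.compile(r"^AppInit_DLLs:\s*(\S+)"), "AppInit_DLLs injection"),
    # hosts entries pointing security sites at localhost block cleanup tools
    (re.compile(r"^Hosts:\s*(?:127\.0\.0\.1|0\.0\.0\.0)\s+(\S+)"), "hosts-file block of"),
    # user is prevented from inspecting the registry
    (re.compile(r"DisableRegistryTools\s*=\s*1"), "registry editor disabled"),
    # DDS marks a service whose binary is missing with [x]
    (re.compile(r"^[RS]\d\s+([^;]+);[^;]*;\s*\[x\]"), "service with no backing file"),
]


def flag_dds_lines(text):
    """Return one finding string per suspicious line, in log order."""
    findings = []
    for line in text.splitlines():
        for pattern, label in CHECKS:
            m = pattern.search(line)
            if m:
                detail = m.group(1) if m.groups() else line.strip()
                findings.append(f"{label}: {detail}")
    return findings


if __name__ == "__main__":
    for finding in flag_dds_lines(SAMPLE_LOG):
        print(finding)
```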



#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:37 AM

Posted 29 March 2010 - 07:47 AM

Hi Malakov,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Tell me about the current condition of your computer.
If you have changed anything please post a fresh DDS log reflecting the current condition of your computer.
You may copy and paste the other logs into the reply instead of attaching them.

#3 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:37 AM

Posted 03 April 2010 - 03:26 AM

This thread will now be closed due to lack of activity.

If you should have a new issue, please start a new topic.



