Infected w/ Internet Security Pro and other


  • This topic is locked
42 replies to this topic

#1 rsqme

rsqme

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:03:24 AM

Posted 04 August 2013 - 06:09 PM

My system has been slammed w/ malware, so bear with me while I do my best to explain my situation as clearly and briefly as possible (apologies ahead of time if I tend to stray from doing either/both).  Also, I realize that the "error message" related factors (addressed a little further in the post) may be an entirely separate issue, requiring a separate course of actions/resolution.  Not sure, so I will leave out their dialog details (unless you specify otherwise), but still touch on the matter somewhat and any relevancy to my current infection, so there are no surprises there that may make a difference in how all of this is tackled.

INFECTED HOW

I was doing a search (ironically on trying to fix another snag and other pc insecurities) using DuckDuckGo, w/ their WOT feature enabled, while making sure to only enter domains w/ a grn-colored rating.  I don't even feel comfortable attemptg the light grn-rated site links, and this incident was no exception.  It had a green dot, so I clicked, and the next thing I knew, I was zapped back to my desktop w/ a maniacal fake AV, splashing crap all over my screen.  (I know, relying solely on a grn dot...not very wise, at least not w/ more unfamiliar sites, as was the case w/ this one...lesson learned)

INFECTED w/ WHAT

So this fictitious AV dubs itself the "Internet Security Pro" and is rigged with:

  • Scanner (claiming the file "C:\Acrobat3\Reader\ACROFx32.DLL" is infected with "Infected:W64/Child-Porn.PROXY/SERVER")
  • Firewall Warning (w/ its own dubious details)
  • another Alert box (w/ more warnings and activate/install type options)
  • Short-cut Icons (one green shield on d/t and one quad-colored shield on t/b)
  • two small gray Prompts that intermitteningly appear at the bottom of the screen (one saying "Malicious program has been detected. Click here to protect your computer." and the other saying "...reader_sl.exe is infected with a W32.Blaster.Worm.")

ATTEMPTED TO...

Being that my husband had a rogue run-in a while back, I'm familiar w/ the fakeware scheme; as well as trying to "Go to the last good config." via Safemode, which I did attempt, obviously to no avail.  I haven't tried anything more than that though, for fear I might do more harm than good, and being that I really have no idea (technically) what I'm dealing w/ here.

 

ADDITIONAL INFO

Plus there's the issue involving that vaguely aforementioned "snag" (one of the things I was hoping to gain more insight on during that D/D/Go search "ironically" gone awry).  The "snag" is that I have these two error messages that pop up every time I boot my pc; a seemingly benign symptom, left over from a couple months back when my daughter accidentally forgot about the no-copy-and-pasting Internet rule.  MSE seemed to have readily handled whatever it was that snuck past the FW, except for these two e/msgs that made their first appearances when the pc was rebooted the following day.  Ran some more scanners w/ each detecting nothing, and besides the e/msgs intercepting the startup process just after the d/t loads and just until each msg is closed out, everything else appears normal.  Thus, I could've probably just tried deselectg the suspected source listed in the S/C manager, but even if that inhibited one or both e/msgs from appearg, that S/U file, along w/ whatever other uninvited remnants that have been left to lurk elsewhere, would still be there.  So I opted not to deselect or mess w/ anything until I could learn more and implement real solutions.  And under the current circumstances, I'm not sure that that was a bad thing.

 

The reason being because, since being infected w/ the fakeware, I quickly realized that when I restarted my system, those (pesky?) e/msgs are still the first things to pop up (w/ the d/t), which means the "Internet Security (Pro?)" can't load its fakeware and take my d/t hostage, unless I close out those two e/msgs.  And even with those e/msgs anchored on my d/t, all my d/t items/apps are accessible and my pc can pretty much function as normal, w/ the exception of no AV protection (good or malicious).  So I could've probably just run my MWB scanner, or whatever, but honestly I'm not really interested in trying to take on any more of this malware stuff w/o you pros guiding the way.  And I'm sure, to avoid an even more potentially complicated mess, that's what you'd prefer anyway.  I did, however, take another peek in msconfig, and I compared a month-old snapshot w/ a new one and, of course, ascertained the presence of a new startup file called "midefender" (assuming is linked to the fakeware), that is parked right above the file "CONNEC~1" (presumably linked to the e/msgs).  This probably does little-to-nothing to help you, I don't know, but if anything, maybe all my novice "duh!" moments, and such, will amuse?! ;)

 

So that is basically the extent of my current pc troubles (let's hope), and so despite any potential TMI stuff or my obvious lack of worthwhile techiness, if you could ever so kindly, take pity and help me properly eradicate all the scumware and their "pesky" leftovers that I failed (miserably) to keep out, I'd be ever so grateful.

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Admin at 9:41:35 on 2013-08-04
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1278.899 [GMT -7:00]
.
AV: Advanced Antispyware Solution *Enabled/Updated* {BA8F2228-8F60-4061-9AFD-1ECA43261CA6}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Advanced Antispyware Solution *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Linksys\WMP110\gtwpssrv.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Linksys\WMP110\WLSngS.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://duckduckgo.com/privacy.html
uSearch Bar = hxxp://my.netzero.net/s/search?r=minisearch
uSearch Page = hxxp://my.netzero.net/s/search?r=minisearch
mSearch Bar = hxxp://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
mSearchAssistant = hxxp://www.mybluelight.com/s/search?r=minisearch
uURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
uURLSearchHooks: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - <orphaned>
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
uWindows: Run = c:\docume~1\admin\locals~1\applic~1\connec~1\CONNEC~1.EXE
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - <orphaned>
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - LocalServer32 - <no file>
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn4\YTSingleInstance.dll
TB: ZeroBar: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - LocalServer32 - <no file>
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - <orphaned>
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - <orphaned>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Internet Security] c:\documents and settings\all users\application data\midefender.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [WMP110] c:\program files\linksys\wmp110\WMP110.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQAwAEEALQBOADgASwBKAFAALQBUAFEATQAyAE4ALQBOAFAAVwA3AFIALQBMAFcAVwBBAFkALQBGAFYAQgBQAFQA"&"inst=NwA2AC0ANQAwADkAMwAxADcAMQA2ADYALQBYAE8AMwA2ACsAMQAtAE4AMQBEACsAMQAtAFQAQgA5ACsAMgAtAFAATAArADkA"&"prod=92"&"ver=9.0.872
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: DisallowRun = dword:1
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\program files\icq\ICQ.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} - hxxp://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1277299747875
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {B479199A-1242-4E3C-AD81-7F0DF801B4AE} - hxxp://download.microsoft.com/download/C/9/C/C9C3D86D-84AC-4AF0-8584-842756A66467/MicrosoftDownloadManager.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
TCP: NameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{CA4303DF-7266-4FBA-A8AF-2B948847AC74} : DHCPNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
Notify: igfxcui - igfxsrvc.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 195296]
R2 GTWPSService;GTWPSSRV;c:\program files\linksys\wmp110\gtwpssrv.exe [2011-8-5 34816]
R2 WLSng Service;WLSng Service;c:\program files\linksys\wmp110\WLSngS.exe [2011-8-5 233472]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2011-8-5 57344]
R3 WMP110;Linksys WMP110 RangePlus Wireless PCI Adapter Service;c:\windows\system32\drivers\WMP110.sys [2011-8-5 1299520]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-10-10 18560]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\linksys\wmp110\jswpsapi.exe [2011-8-5 352338]
.
=============== Created Last 30 ================
.
2013-07-21 00:24:09 839168 ----a-w- c:\documents and settings\all users\application data\midefender.exe
2013-07-20 00:51:58 7143960 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{911f4866-64d0-4ee5-a9da-ad5e14a536e2}\mpengine.dll
2013-07-18 15:14:31 7143960 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
.
==================== Find3M  ====================
.
2013-07-16 13:30:00 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-16 13:29:59 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-08 06:55:44 385024 ----a-w- c:\windows\system32\html.iec
2013-06-07 21:56:06 920064 ----a-w- c:\windows\system32\wininet.dll
2013-06-07 21:56:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-06-07 21:56:05 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-06-04 07:23:02 562688 ----a-w- c:\windows\system32\qedit.dll
2013-06-04 01:40:45 1876736 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH:  9:44:09.85 ===============
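A triage script for the DDS "Pseudo HJT Report" section quoted above, added here as an example; it is not code from BleepingComputer, from DDS, or from either participant. It does in code what the poster did by hand in msconfig: it lists the Run-key autostarts, diffs them against an older snapshot to surface the new `midefender` entry, flags executables that live in user-writable data folders (where both the rogue and the `CONNEC~1.EXE` leftover sit), and lists the BHO, toolbar and search-hook CLSIDs that DDS marks as orphaned. The sample text is constructed from lines in the log above; the folder heuristic, the `Windows\Run` label and all function names are my own assumptions, not DDS features.

```python
"""Triage of the autostart entries in a DDS "Pseudo HJT Report" section.

Added example; not code from BleepingComputer, DDS, or the thread participants.
The sample text is constructed from lines quoted in the log above.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines lifted from the DDS log in this thread, chosen so that
# each branch of the parser (Run keys, the legacy Windows "Run" value, orphaned
# CLSIDs) is exercised.
SAMPLE_DDS = r"""
uURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
uWindows: Run = c:\docume~1\admin\locals~1\applic~1\connec~1\CONNEC~1.EXE
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - <orphaned>
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - LocalServer32 - <no file>
BHO: Java(TM) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Internet Security] c:\documents and settings\all users\application data\midefender.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [WMP110] c:\program files\linksys\wmp110\WMP110.exe
"""

# The poster's "month-old snapshot": the same machine before the rogue AV arrived.
OLD_SNAPSHOT = "\n".join(l for l in SAMPLE_DDS.splitlines() if "midefender" not in l)

RUN_LINE = re.compile(r"^([umd])Run(?:Once)?: \[(.*?)\] (.*)$")
WINDOWS_RUN_LINE = re.compile(r"^uWindows: Run = (.*)$")
ORPHAN_LINE = re.compile(
    r"^(?:[umd]URLSearchHooks|BHO|TB|EB): (?:.*?: )?\{([0-9A-Fa-f-]{36})\} - "
    r"(?:<orphaned>|LocalServer32 - <no file>)$"
)

# Folders an ordinary user can write to without elevation. Legitimate autostarts on
# XP almost always live under \windows or \program files; something dropped from a
# browser session cannot, so it lands in one of these (heuristic, my assumption).
USER_WRITABLE = ("\\application data\\", "\\applic~1\\", "\\local settings\\",
                 "\\locals~1\\", "\\temp\\", "\\desktop\\")


@dataclass(frozen=True)
class Autostart:
    scope: str  # u = HKCU Run, m = HKLM Run, d = default user, w = HKCU Windows "Run" value
    name: str
    path: str   # lowercase executable path with quotes and arguments stripped


def exe_path(command: str) -> str:
    """Extract the executable from a Run command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]).lower()
    # Unquoted paths with spaces are common in DDS output, so cut at the first .exe.
    m = re.match(r"(.*?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return (m.group(1) if m else command.split()[0]).lower()


def parse_autostarts(dds_text: str) -> list:
    """Every Run-style autostart DDS reports, as Autostart records."""
    entries = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        m = RUN_LINE.match(line)
        if m:
            entries.append(Autostart(m.group(1), m.group(2), exe_path(m.group(3))))
            continue
        m = WINDOWS_RUN_LINE.match(line)
        if m:
            entries.append(Autostart("w", "Windows\\Run", exe_path(m.group(1))))
    return entries


def orphaned_clsids(dds_text: str) -> list:
    """CLSIDs of BHOs, toolbars and search hooks whose file no longer exists."""
    found = []
    for raw in dds_text.splitlines():
        m = ORPHAN_LINE.match(raw.strip())
        if m:
            found.append(m.group(1).upper())
    return found


def flag_user_writable(entries) -> list:
    """Autostarts whose executable sits in a folder the user can write to."""
    return [e for e in entries if any(marker in e.path for marker in USER_WRITABLE)]


def new_entries(baseline_text: str, current_text: str) -> list:
    """Autostarts present now but absent from the earlier snapshot (msconfig diff in code)."""
    baseline = set(parse_autostarts(baseline_text))
    return [e for e in parse_autostarts(current_text) if e not in baseline]


if __name__ == "__main__":
    current = parse_autostarts(SAMPLE_DDS)
    for e in new_entries(OLD_SNAPSHOT, SAMPLE_DDS):
        print(f"NEW since snapshot : [{e.name}] {e.path}")
    for e in flag_user_writable(current):
        print(f"user-writable path : [{e.name}] {e.path}")
    for clsid in orphaned_clsids(SAMPLE_DDS):
        print(f"orphaned CLSID     : {{{clsid}}}")
```

Run against the constructed sample it reports one new entry (`midefender.exe`), two autostarts in user-writable folders (the rogue and the `CONNEC~1.EXE` leftover), and three orphaned CLSIDs; the Java BHO, which still resolves to a file, is correctly left alone. The snapshot diff is only as good as the baseline, which is why keeping an older DDS or msconfig export around, as the poster did, pays off.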
 

 

 

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:24 AM

Posted 05 August 2013 - 10:35 AM


Hello rsqme

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 rsqme

rsqme
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:03:24 AM

Posted 05 August 2013 - 03:33 PM

Hi Gringo, thanks for your reply and sorry for the delayed response.  I just read and printed your instructions, but I just have a few questions before I dive in:

 

1)  Should I be executing each step via Safemode?  As I mentioned in my first post, as long as I don't close out those two error messages, the fakeware can't take my desktop hostage, so I've been taking advantage of that for the time being because Safemode can be so cumbersome.  So please just let me know if I need to be in Safemode or in Regular Mode (w/ or w/o the error messages closed out?).

 

2)  When shutting down protection software (for Junkware RT), does that include the FW and the AV (though I'm not sure my MSE AV is even enabled because of the e/msgs and fakeware)?

 

(Sorry if I tend to ask kind of commonsense/inane questions thru/out this process...I just want to make sure I don't screw anything up:)



#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:24 AM

Posted 05 August 2013 - 06:48 PM

Hello


Don't worry, the only dumb question is one not asked.

run in normal when possible

shut down what you can.


Gringo

#5 rsqme

rsqme
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:03:24 AM

Posted 05 August 2013 - 08:04 PM

Okay Gringo,

I ran AdwCleaner and the text file was blocked by the error messages (meaning it did not show up on my desktop, so I had to retrieve it the other way, manually).  Here is the content from that log, and I am now going to download/run Junkware RT and will post those results after it's done...

 

 

# AdwCleaner v2.306 - Logfile created 08/05/2013 at 17:31:11
# Updated 19/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Admin - YOUR-VVX88VYRXO
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Admin\Desktop\AdwCleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Program Files\Viewpoint

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9DBB28C1-1925-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\Software\Viewpoint
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Search Bar] = hxxp://my.netzero.net/s/search?r=minisearch --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Search Page] = hxxp://my.netzero.net/s/search?r=minisearch --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - SearchAssistant] = hxxp://www.mybluelight.com/s/search?r=minisearch --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\SearchUrl - (Par défaut)] = hxxp://my.netzero.net/s/search?r=minisearch --> Empty data

*************************

AdwCleaner[S1].txt - [3726 octets] - [05/08/2013 17:31:11]

########## EOF - C:\AdwCleaner[S1].txt - [3786 octets] ##########



#6 rsqme

rsqme
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:03:24 AM

Posted 05 August 2013 - 09:00 PM

So after Junkware finished, both error messages disappeared and the rogue fakeware (Internet Security Pro) didn't splash over my screen, BUT both the error message file (CONNEC~1) and the fakeware file (midefender) are still present in msconfig, and the Internet Security Pro short-cut icon is still planted on my desktop.  Also my MSE still is not present in the taskbar.  Below is the Junkware log.  Not sure what to do next so I will await your next instruction. Thx 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.3.3 (08.04.2013:1)
OS: Microsoft Windows XP x86
Ran by Admin on Mon 08/05/2013 at 18:20:32.96
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{11961824-9362-4341-93CE-BD3510EBCF4B}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{F4F2A080-9856-47FA-92DC-8B98BEAD2C1A}

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\Admin\Local Settings\Application Data\visi_coupon"
Successfully deleted: [Folder] "C:\Program Files\bigfix"

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 08/05/2013 at 18:27:36.01
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:24 AM

Posted 05 August 2013 - 09:58 PM


Hello rsqme

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#8 rsqme

rsqme
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:03:24 AM

Posted 05 August 2013 - 10:09 PM

Okay,

 

I will go ahead and print out the instructions and report back with the results when all is done.



#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:24 AM

Posted 05 August 2013 - 10:40 PM

I will check on you later


gringo

#10 rsqme

rsqme
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:03:24 AM

Posted 06 August 2013 - 12:14 AM

Hi Gringo,

 

The message below in bold is one I tried to post to you about 20 minutes ago, but got disconnected when I tried to post it, and then couldn't get an internet connection, so please disregard it now.  I just went ahead and restarted my computer instead of clicking "ok" and allowing combofix to continue.  After restarting my computer, those error messages came back (unsurprisingly).  So how do I make sure all protective software is disabled so I can run combofix w/o further problems, or should I do something else? Thx (and sorry for the hassle but these things happen, right?!)

 

Gringo,

I assumed my FW and MSE were disabled because I manually disabled the FW and still couldn't even access MSE when I tried to disable it (both before I started combofix) and this warning popped up while combofix was running (see 1st snapshot below).  As you can see the warning is also saying "Advanced Antispyware Solution" is still active and I don't even know what that is (never heard of it). I also checked the WF and MSE settings in control panel and they say both are disabled (see 2nd snapshot below).  Do I click "ok" and let combofix continue???

 

Okay, I guess I can't show you the snapshots because I can't seem to insert them.  Is there a way I can, or do you want me to try and describe everything they are saying?  Sorry if I'm not making sense.  I'm really tired and wasn't expecting to have to deal w/ this at night.  I kept checking for replies today, but kept missing you because I wasn't being notified in time or at all.  So please just bear with me and explain to me exactly what I should do when you get a chance.  Do I click ok and see what happens or do I restart my pc or what?  Thx



#11 rsqme

rsqme
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:03:24 AM

Posted 06 August 2013 - 01:32 AM

Me again...
Well, you seem to be offline again, and I'm really exhausted, so I guess it's best if we just try and continue taking care of my malware mayhem tomorrow. I'm sure you could use a break too, and just review my last post (the one before this one) tomorrow (when I'm a little less delirious and rested) and we can hopefully figure out the protection software disabling thing so I can try and rerun combofix again or whatever it is you'd like me to do. I went in my profile settings and realized that selecting to be alerted by the "notification" option is probably the better way to go. I only had the "email" notification options selected. So hopefully now that I've selected both, that will give me a better chance of not taking so long to know when you've replied. Anyway, please know that I know I'm not the only one you are trying to help and I do very much appreciate your time and patience. So with that said, we'll try again tomorrow. Thx Gringo :)

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:24 AM

Posted 06 August 2013 - 09:10 AM

Hello rsqme

Go ahead and run combofix again and when you get the warning just OK it and continue


Gringo

#13 rsqme

rsqme
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:03:24 AM

Posted 06 August 2013 - 11:12 AM

Morning Gringo

Okay I will run it again and report back when it's done.

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:24 AM

Posted 06 August 2013 - 11:25 AM

I will be around


gringo

#15 rsqme

rsqme
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:03:24 AM

Posted 06 August 2013 - 12:06 PM

Okay, two warning messages came up again...I clicked ok to allow Combofix to continue.  Shortly after, the prompt to install the Recovery Console software popped up...I clicked yes to allow it, but it said I don't have an Internet connection.  I tried clicking the IE icon and the browser opens but can't connect to the Internet.  My Wireless Network Connection manager says I have a connection but for some reason with Combofix running, I can't get a viable connection.  This happened yesterday too, when running Combofix.  Should I restart my pc again and see if I can connect again, and manually download the Recovery Console w/o Combofix running, and then try to rerun Combofix once it's installed?  BTW:  I am communicating w/ u on my husband's laptop at the moment.





