PC Antispyware problem

[joe6352]

For about 5 days I have the same problem that I see several others have had re "Security System Protection Control Panel" and "Security System Warning" popups trying to get me to buy "PC Antispyware.". Following the instructions I've seen given to others, I downloaded HijackThis and I am attaching the scan.

Can someone tell me what to do next?

Thanks.

 

[kritius]

Download and Install SuperAntiSpyware Free

• Launch SuperAntiSpyware
• Click Check for Updates and update to the latest definitions.
• Click Scan your Computer
  • Check all boxes in the Scan Location box.
  • Check the Complete Scan radio button.
  • Click Scanning Preferences/Control Centre button.
    • Uncheck Ignore files larger than 4MB (recommended)
    • Check Scan Alternate Data Streams.
    • Click Close.
  • Click Next
• SuperAntiSpyware will now scan your computer for infection. (This could take in excess of an hour depending on the number of files scanned)
• When finished it will present you with a summary of its findings.
• Click OK.
• The Removal Screen will open.
  • Check the items in the list to mark them for Quarantine.
  • Click Next and SAS will Quarantine them.

Please send me the log.

• Click the Preferences button.
  • Click the Statistics/Logs tab.
    • Logs are listed by date and time, click on the latest one to highlight it (at the top).
    • Click View log.
  • This will open a log page.
  • Attach it here please.

CAUTION: SuperAntiSpyware comes with a programme called Bootsafe, do not for any reason use this programme, if used on an infected computer it could render it UNBOOTABLE.

Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please Attach the log into your next reply.
• If you accidently close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Download and Run ComboFix

• Download this file to your desktop from either of the two below listed places :
  
  HERE or HERE
  
• Then double click combofix.exe & follow the prompts.
• When finished, it shall produce a log for you. Attach that log in your next reply

WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

 

[joe6352]

Thanks, Kritius.

I'm not sure whether you mean I should send you the SuperAntiSpyware log first, and the Malwarebyte's and ComboFix logs later, or wait and send all 3 at the same time.

I've completed the SAS scan, so I'm attaching that log now. After I send this, I'm going to follow your instructions re Malwarebyte, then attach that log, then, I'll download and run ComboFix and attach that log. That is, unless I see another message from you telling me to do it differently.

I appreciate your help.

 

[kritius]

You can just attach the rest together. Are you finding the instructions ok?

 

[joe6352]

Your instructions are fine, thank you.

I am attaching the log from thw Malwarebyte's scan.

I have tried several times but cannot install (if that's the right word) ComboFix. I was able to save it to my desktop, so I have the icon, but when I double-click in order to run it, after a few seconds I get a pop-up box saying Installation failed.

Ideas?

After I first posted the this post, I tried the second "here" button in your instructions for ComboFix again. Instead of the "Installation failed" box, I get one telling me that "ComboFix.exe is not a valid Win32 application."

I'm stumped.

 

[kritius]

: Download and Run DSS

Download Deckard's System Scanner (DSS) to your Desktop. You must be logged onto an account with administrator privileges.

• Close all applications and windows.
• Double-click on dss.exe to run it, and follow the prompts.
• When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<- this one will be minimized.
• Attach the main.txt and the extra.txt in your reply.

 

[joe6352]

Kritius,

I've had no nefarious PC Antispyware problems since I followed your instructions from 4/10/08. I am attaching the DSS logs per your instructions from earlier today.

Awaiting further instructions.

BTW, any ideas how to get the U.S. IRS (Internal Revenue Service) to believe I paid all my taxes by midnight tonight (the final due date in U.S., less than 2 hours away)?. Donations welcome.

Thanks again,

Joe 6352

 

[Blind Dragon]

File an extension

 

[joe6352]

Thank you, BD.

Is that a ".ext"?

 

[Blind Dragon]

I was referring to your taxes :grinthumb

 

[joe6352]

The unwanted popups have stopped, but should I be taking any action to correct any problems shown from the logs I have posted and/or to improve my antivirus and antimalware capabilities?

Thanks.

 

[kritius]

Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  C:\WINDOWS\userconfig9x.dll
  C:\WINDOWS\system32winlogonpc.exe
  C:\WINDOWS\system32hoproxy.dll
  C:\WINDOWS\FVProtect.exe
  C:\WINDOWS\system32mwin32.exe
  C:\WINDOWS\a.bat
  C:\WINDOWS\system32taack.exe
  C:\WINDOWS\system32taack.dat
  C:\WINDOWS\system32sncntr.exe
  C:\WINDOWS\system32hxiwlgpm.exe
  C:\WINDOWS\system32hxiwlgpm.dat
  C:\WINDOWS\system32ssurf022.dll
  C:\WINDOWS\system32psoft1.exe
  C:\WINDOWS\system32psof1.exe
  C:\WINDOWS\system32ps1.exe
  C:\WINDOWS\system32msnbho.dll
  C:\WINDOWS\system32medup020.dll
  C:\WINDOWS\system32medup012.dll
  C:\WINDOWS\system32bsva-egihsg52.exe
  C:\WINDOWS\system32temp#01.exe
  C:\WINDOWS\system32ssvchost.exe
  C:\WINDOWS\system32ssvchost.com
  C:\WINDOWS\system32regm64.dll
  C:\WINDOWS\system32regc64.dll
  C:\WINDOWS\system32netode.exe
  C:\WINDOWS\system32mtr2.exe
  C:\WINDOWS\system32msgp.exe
  C:\WINDOWS\system32h@tkeysh@@k.dll
  C:\WINDOWS\system32dpcproxy.exe
  C:\WINDOWS\system32thun32.dll
  C:\WINDOWS\system32thun.dll
  C:\WINDOWS\system32Rundl1.exe
  C:\WINDOWS\system32msvchost.exe
  C:\Documents and Settings\Joe Kenyon\Desktopfilemanagerclient.exe
  C:\WINDOWS\system32vcatchpi.dll
  C:\WINDOWS\system32newsd32.exe
  C:\WINDOWS\system32emesx.dll
  C:\WINDOWS\system32anticipator.dll
  C:\WINDOWS\system32akttzn.exe
  C:\Documents and Settings\Joe Kenyon\DesktopFWebdEditor.exe
  C:\Documents and Settings\Joe Kenyon\Desktopfwebd.exe
  C:\WINDOWS\system32WINWGPX.EXE
  C:\WINDOWS\system32winsystem.exe
  C:\WINDOWS\system32sysreq.exe
  C:\WINDOWS\system32mssecu.exe
  C:\WINDOWS\system32bdn.com
  C:\WINDOWS\system32awtoolb.dll
  C:\WINDOWS\system32vbsys2.dll
  C:\Documents and Settings\All Users\Application Data\nwfapqfw

• Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

 

[joe6352]

Thanks, Kritius. Here is the pasted info from MoveIt. Pls let me know what to do next.

LoadLibrary failed for C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\userconfig9x.dll NOT unregistered.
C:\WINDOWS\userconfig9x.dll moved successfully.
C:\WINDOWS\system32winlogonpc.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32hoproxy.dll
C:\WINDOWS\system32hoproxy.dll NOT unregistered.
C:\WINDOWS\system32hoproxy.dll moved successfully.
C:\WINDOWS\FVProtect.exe moved successfully.
C:\WINDOWS\system32mwin32.exe moved successfully.
C:\WINDOWS\a.bat moved successfully.
C:\WINDOWS\system32taack.exe moved successfully.
C:\WINDOWS\system32taack.dat moved successfully.
C:\WINDOWS\system32sncntr.exe moved successfully.
C:\WINDOWS\system32hxiwlgpm.exe moved successfully.
C:\WINDOWS\system32hxiwlgpm.dat moved successfully.
LoadLibrary failed for C:\WINDOWS\system32ssurf022.dll
C:\WINDOWS\system32ssurf022.dll NOT unregistered.
C:\WINDOWS\system32ssurf022.dll moved successfully.
C:\WINDOWS\system32psoft1.exe moved successfully.
C:\WINDOWS\system32psof1.exe moved successfully.
C:\WINDOWS\system32ps1.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32msnbho.dll
C:\WINDOWS\system32msnbho.dll NOT unregistered.
C:\WINDOWS\system32msnbho.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32medup020.dll
C:\WINDOWS\system32medup020.dll NOT unregistered.
C:\WINDOWS\system32medup020.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32medup012.dll
C:\WINDOWS\system32medup012.dll NOT unregistered.
C:\WINDOWS\system32medup012.dll moved successfully.
C:\WINDOWS\system32bsva-egihsg52.exe moved successfully.
C:\WINDOWS\system32temp#01.exe moved successfully.
C:\WINDOWS\system32ssvchost.exe moved successfully.
C:\WINDOWS\system32ssvchost.com moved successfully.
LoadLibrary failed for C:\WINDOWS\system32regm64.dll
C:\WINDOWS\system32regm64.dll NOT unregistered.
C:\WINDOWS\system32regm64.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32regc64.dll
C:\WINDOWS\system32regc64.dll NOT unregistered.
C:\WINDOWS\system32regc64.dll moved successfully.
C:\WINDOWS\system32netode.exe moved successfully.
C:\WINDOWS\system32mtr2.exe moved successfully.
C:\WINDOWS\system32msgp.exe moved successfully.
< C:\WINDOWS\system32h@tkeysh@@k.dll >
LoadLibrary failed for C:\WINDOWS\system32h@tkeysh@@k.dll
C:\WINDOWS\system32h@tkeysh@@k.dll NOT unregistered.
C:\WINDOWS\system32h@tkeysh@@k.dll moved successfully.
C:\WINDOWS\system32dpcproxy.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32thun32.dll
C:\WINDOWS\system32thun32.dll NOT unregistered.
C:\WINDOWS\system32thun32.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32thun.dll
C:\WINDOWS\system32thun.dll NOT unregistered.
C:\WINDOWS\system32thun.dll moved successfully.
C:\WINDOWS\system32Rundl1.exe moved successfully.
C:\WINDOWS\system32msvchost.exe moved successfully.
C:\Documents and Settings\Joe Kenyon\Desktopfilemanagerclient.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32vcatchpi.dll
C:\WINDOWS\system32vcatchpi.dll NOT unregistered.
C:\WINDOWS\system32vcatchpi.dll moved successfully.
C:\WINDOWS\system32newsd32.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32emesx.dll
C:\WINDOWS\system32emesx.dll NOT unregistered.
C:\WINDOWS\system32emesx.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32anticipator.dll
C:\WINDOWS\system32anticipator.dll NOT unregistered.
C:\WINDOWS\system32anticipator.dll moved successfully.
C:\WINDOWS\system32akttzn.exe moved successfully.
C:\Documents and Settings\Joe Kenyon\DesktopFWebdEditor.exe moved successfully.
C:\Documents and Settings\Joe Kenyon\Desktopfwebd.exe moved successfully.
C:\WINDOWS\system32WINWGPX.EXE moved successfully.
C:\WINDOWS\system32winsystem.exe moved successfully.
C:\WINDOWS\system32sysreq.exe moved successfully.
C:\WINDOWS\system32mssecu.exe moved successfully.
C:\WINDOWS\system32bdn.com moved successfully.
LoadLibrary failed for C:\WINDOWS\system32awtoolb.dll
C:\WINDOWS\system32awtoolb.dll NOT unregistered.
C:\WINDOWS\system32awtoolb.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32vbsys2.dll
C:\WINDOWS\system32vbsys2.dll NOT unregistered.
C:\WINDOWS\system32vbsys2.dll moved successfully.
C:\Documents and Settings\All Users\Application Data\nwfapqfw moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04212008_194631

 

[kritius]

Post fresh DSS logs and we'll see how theyre looking, that looked to have cleared a lot of gunk out.

How is the computer running?

 

[joe6352]

The computer seems to be running fine. It seems to be taking longer to boot up and for the Internet to open the first time I use it each time I boot up. Maybe that's because of the various anti-malware programs that I added? Nothing serious though, and then it runs fine.

The DSS icon has disappeared from my desktop. I didn't remove it, as far as I can recall, at least not intentionally. I don't know whether I should try to download it again in order to run it, or would that confuse things? I found the Deckard folder in my C drive, but I couldn't find the dss.exe file in there. Did I miss something?

Thanks,

Joe 6352

 

[kritius]

do a search for DSS if you cant find the executable then redownload it.

 

[joe6352]

I searched, but no dss.exe, so I downloaded it again.

I am attaching the main.txt notepad.

I don't see one called extra.txt this time around. Is that OK?

Thx,

Joe6352

 

[kritius]

Ill look at it tomorrow, I have to be up in 5 hours.

 

[joe6352]

So, Kritius, my computer is still running well. When you get a chance, please advise whether I should take any steps to streamline it or better protect it from malware.

Thanks,

Joe

 

[kritius]

Fix entries using HiJackThis

• Launch HiJackThis
• Click the Do a system scan only button
• Put a check next to the entries listed below

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.co m/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - (no file)
O22 - SharedTaskScheduler: {874443fe-aa33-4ebf-a6ac-73208787e62d} - bestreak - (no file)

• IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
• Click the Fix checked button and close HiJackThis
• Reboot HijackThis if necessary

I would like you to do an online scan so that we can what else may be in your system,
Run Kaspersky online scanner
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
Do not go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.

Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence accepted, reset to 100%.

• The program will launch and then start to download the latest definition files.
• Once the scanner is installed and the definitions downloaded, click Next.
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
  o Scan using the following Anti-Virus database:
  o Extended (If available, otherwise use standard)
  o Scan Options:
  o Scan Archives
  o Scan Mail Bases
• Click OK
• Under select a target to scan, select My Computer
• The scan will take a while so be patient and let it run.
• Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
• Click the Save Report As... button (see red arrow below)
  
  
  
  
  
• In the Save as... prompt, select Desktop
• In the File name box, name the file
• In the Save as type prompt, select Text file (see below)
  
  
  
  
  
• Include the report in your next post.

 

[joe6352]

Kritius:

I ran Kaspersky scan.

Two problems:

1. I tried to attach the scan but I received a message saying "Your file of 114.1 KB bytes esceeds the forum's limit of 100.0 KB for this filetype."

2. I disabled all (I think) of my anti-spyware programs before running Kaspersky but I now realize I did not disable my antivirus program, McAfee. Does that invalidate the Kaspersky scan?

Thanks,

--Joe

 

[kritius]

It should be ok,

Can you cut the kaspersky log in two and then attach parts 1 and 2.

 

[joe6352]

OK, here is the Kaspersky scan, parts 1 and 2.

 

[kritius]

Open Spybot S&D and select recovery,
make sure all items are ticked and click purge selected items.

Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  [kill explorer]
  C:\Program Files\Common Files\Real\Toolbar\RealBar.dll
  C:\Documents and Settings\All Users\Documents\My Documents\Mail\Deleted Items.dbx
  purity
  [start explorer]

• Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Empty the recycle bin,

There are also several item in your mailbox that are infected, I think you should look at, ive picked them out and attached them for you.

You should be able to delete them from outlook itself.

 

[joe6352]

Here is the text from MoveIt2 (BTW MoveIt's "Paste Standard List of Files/Folders to Move" bar is yellow on my screen, not light blue):

Explorer killed successfully
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll unregistered successfully.
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll moved successfully.
C:\Documents and Settings\All Users\Documents\My Documents\Mail\Deleted Items.dbx moved successfully.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04272008_102827

I emptied the Recycle bin.

I'm going to look at the emails after I submit this reply.