Solved Fake Anti-Virus disabling my system - Am I safe now?

[xhotarubi]

Everything started with a fake anti-virus pop up on my toolbar. It warned me of infection and prompted me to do a system scan. I attempted to start my task manager to kill the process, but an error message popped up claiming that my task manager .exe was infected, thus disallowing me to execute it (this persisted with every other program I attempted to open, rendering my computer useless). It also caused internet explorer to pop up annoying viagra ads which I couldn't shut down. I immediately rebooted my computer. I opened my task manager upon restarting and killed the program immediately which allowed me to perform a few virus scans with superanti-spyware... This resulted in Trojan.Agent/Gen-Rogue, Trojan.Agent/Gen-Krpytik, Rogue.AdwarePro, and Rogue.AntivirusSoft. I scanned a second time with the results: Rogue.AntivirusSoft and Trojan.Agent/Gen-Rogue[Installer]. Even after completing the second scan and rebooting my system, the annoying fake anti-virus software assaulted my desktop.
A scan from microsoft security essentials yielded nothing, and so I came here and embarked upon the 8 steps.
I downloaded Avira and it found Java/Classload.IB.2 Java Virus and Java/Classload.IC.1 Java Virus, which were quarantined.
After scanning with Mbam it appeared as if my computer returned to normalcy, however I'd like to be 100% certain.
Logs are attached sans Gmer, as it found nothing and the .log is completely blank.

 

[xhotarubi]

(DDS, Attach, and Mbam logs)

 

[Broni]

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT


* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

 

[xhotarubi]

Extras.txt & OTL.txt

Both files are too large to post, so I've attached them instead... If you have a different request, just say the word.

 

[Broni]

You're running three AV programs, Avira, Norton and Microsoft Security Essentials.
TWO of them has to go.
If one of the removed programs will be Norton, make sure to use Norton Removal Tool: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039
Anyone of two others can be uninstalled through "Programs & Features".

When done, attach fresh OTL log.

 

[xhotarubi]

Sorry for the delay - MSE took an eternity to figure out how to uninstall.
OTL.txt is attached.
I ran two scans post norton & MSE removal, since the first scan didn't produce an extras.txt... However, upon rereading your post, I realized that you only asked for the fresh OTL.txt, so I'm assuming that this is acceptable.

 

[Broni]

That's fine

Unless you installed Viewpoint Manager knowledgeably...
Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
Uninstall any of the following programs associated with Viewpoint:
* Viewpoint Manager
* Viewpoint Media Player
* Viewpoint Toolbar
This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOl, AIM, Compuserve, etc.

==========================================================================

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
  O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
  O4:[b]64bit:[/b] - HKLM..\Run: [RunDLLEntry] C:\Windows\system32\AmbRunE.DLL File not found
  O4 - HKLM..\Run: [eRecoveryService]  File not found
  O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C}  (Reg Error: Value error.)
  O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
  O18:[b]64bit:[/b] - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
  O18:[b]64bit:[/b] - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
  O18:[b]64bit:[/b] - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
  O18:[b]64bit:[/b] - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
  O18:[b]64bit:[/b] - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
  O18:[b]64bit:[/b] - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
  O18:[b]64bit:[/b] - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
  O21:[b]64bit:[/b] - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
  O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
  [2010/05/05 21:50:24 | 000,854,064 | ---- | C] (Symantec Corporation) -- C:\Users\Kristi\Desktop\Norton_Removal_Tool.exe
  [2010/05/05 00:40:40 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
  [2010/03/10 00:48:39 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee
  [2010/05/05 22:31:08 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\drivers\lvuvc.hs
  
  
  :Services
  
  :Reg
  
  :Files
  
  :Commands
  [purity]
  [emptytemp]
  [resethosts]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

 

[xhotarubi]

Attached are the results from the "fix now" scan and the quick scan after rebooting.

 

[Broni]

Very good

Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

• Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator")
• Click on the CleanUp! button and follow the prompts.
• You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
• After the reboot all the tools we used should be gone.
• The tool will delete itself once it finishes.

=======================================================================

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

• Spyware, Adware, Dialers, and other potentially dangerous programs
  [*] Archives
  [*] Mail databases

6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Post fresh HijackThis log as well.

 

[xhotarubi]

I completed OTC's CleanUp! and the Temp File Cleaner, however, when I attempt to perform the Kapersky online scan I receive an error message saying "Kapersky Online Scanner 7.0 download and operation require Jave framework version 1.6 or later" disallowing me to press the accept button.
I disabled Avira and I just updated java when going through the eight steps earlier today/late last night, so naturally, when I check the product info, it claims to be java 1.6 (and when I try to update java, it claims that there are no further updates available)... So I really don't understand why I'm getting this message.

 

[Broni]

Please run a free online scan with the ESET Online Scanner

• Disable your antivirus program
• Tick the box next to YES, I accept the Terms of Use
• Click Start
• Accept any security warnings from your browser.
• Check Scan archives
• Click Start
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push List of found threats
• Push Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

Post fresh HJT log as well.

 

[Arris]

Is this the Antivirus Soft one that pretends to be part of the Windows Firewall/Defender etc suite?
I found this recently on my desktop machine. Safemode will let you get around it stopping you doing anything. I ran Spybot (http://www.safer-networking.org/index2.html) and Avast(free antivirus) to remove registry entries and files.

Also found it starting up a process named something like prxitz*****.exe. Killed that. It had also changed my IE and Opera browsers to use proxy the machine itself as a proxy server with port 5555 which gave the impression that my internet access was broken.

 

[xhotarubi]

@Broni
The ESET scanner automatically has the first box (Remove Threats) checked - should I leave that checked in addition to scan archives or should I ONLY have scan archives checked?

@ Arris
The icon on my taskbar looked similar to a windows firewall alert, however, it was obviously a fake as the image was smaller and very 'fuzzy' looking. The first time I rebooted my computer I was able to immediately kill the process which stopped it effectively and allowed me to detect it in a few scans and such. I also ran my computer in safemode in order to perform the Gmer scan, but the result was a blank text and Gmer claiming that I had no problems.
The first time I was able to open my task manager I instinctively killed a process with some gibberish name that I wasn't familiar with, which seemed to do the job, but I didn't get a chance to take the name down. By the third time I wisened up - I'm pretty sure it was ipmpxbitssd.exe.
I rarely use IE. Up until two weeks ago I used Mozilla, which kept crashing, so I changed over to Google Chrome. IE is the browser that brought up the virus's ads, and Chrome was the browser open when everything went haywire so I've been using Mozilla since the first sign of foulplay, as I didn't want the tabs to reopen upon the browser restarting and ruining my efforts thus far. However... I accidentally opened Google Chrome yesterday and (luckily) none of the pages loaded due to a connection issue (I didn't read it, just glanced at it and quickly shut it down). I attempted to access Steam yesterday which also had no connectivity to the internet. To fix it, I had to open IE and uncheck all the options on the LAN tab, however when I opened IE it also refused to load, complaining about my internet connection (which I knew was working, since I had a few Mozilla tabs up and running). The solution to Steam's disconnection from the internet seemed to carry over to IE's issue as well, and it now works fine.

 

[Broni]

@ Arris
You need to start your own topic.

@xhotarubi
Uncheck it. It's safer for me to see, what was found, just in case, there is some false positive.

 

[xhotarubi]

The ESET scan came up completely clean, which I'm guessing is why I couldn't find a way to save the list of threats found (let alone, the list at all)... So I only have the hijackthis file for you. This is the first time I've used this program so I'm hoping I did the right thing -- the quick scan. See attached.

 

[Broni]

Your computer is clean

1. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure, Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please, let me know, how is your computer doing.

 

[xhotarubi]

Thank you so much! I really appreciate it... Everything seems to be working just fine now.

 

[Broni]

I'm glad to hear good news
Good luck and stay safe

 

[Arris]

@ Arris
You need to start your own topic.

Thanks, but I was really just offering my input as to how to get round some of the changes it makes to your system.

 

[Broni]

I'm sorry. Apparently, I didn't read your reply carefully enough