Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

How do I remove a fake antivirus program?

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

How do I remove a fake antivirus program?

Unread postby aimlesstech » December 6th, 2007, 11:42 am

Hi,

I hope you can help me. I'm trying to remove a virus from my teenage daughter's computer. Imagine that. I have fixed part of the problem- the desktop background was only available in colors. We still have a fake antivirus protection that has downloaded itself and everytime I remove it, it comes back the next time I turn on the computer. The fake is called Malware Alarm. I have Norton antivirus installed but it won't pick this one up when I run scan after scan. I have the most current updates on it too. They want to charge me $100 to hack into my computer to fix it. Yea right. This always happens around the holidays!

Thank you for your time,
Amy
aimlesstech
Regular Member
 
Posts: 15
Joined: December 6th, 2007, 11:30 am
Advertisement
Register to Remove

Re: How do I remove a fake antivirus program?

Unread postby random/random » December 6th, 2007, 12:47 pm

Please do the following to download and install the latest version of HijackThis v2.0.2:

CLICK HERE to download the HijackThis Installer:
  1. Save HJTInstall.exe to your desktop.
  2. Double-click on HJTInstall.exe to run the program.
  3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  4. Accept the license agreement by clicking the "I Accept" button.
  5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  6. Click "Save log" to save the log file and then the log will open in Notepad.
  7. Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
  8. Come back here to this thread and paste the log in your next reply.
  9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
User avatar
random/random
Developer
Developer
 
Posts: 7723
Joined: December 18th, 2005, 3:30 pm

Re: How do I remove a fake antivirus program?

Unread postby aimlesstech » December 6th, 2007, 9:06 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:49 PM, on 12/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\AOL\1137125262\ee\aolsoftware.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Plaxo\2.13.1.2\PlaxoHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MalwareAlarm\MalwareAlarm.exe
C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Norton AntiVirus\NAVW32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1137125262\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [pi] C:\WINDOWS\system32\pi.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\RunServices: [pi] C:\WINDOWS\system32\pi.exe
O4 - HKLM\..\RunServices: [bbdlaa] C:\WINDOWS\system32\bbdlaa.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.2\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Registry Defender] "C:\Program Files\Registry Defender Trial\RegClean.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [MalwareAlarm] C:\Program Files\MalwareAlarm\MalwareAlarm.exe
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Digimax Viewer 2.0.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xmk572YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/rap ... loader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... .0.8-2.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/AL ... _2-0-0.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4472310156
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://doimail.doi.state.ne.us/dwa7W.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: awvtq - awvtq.dll (file missing)
O20 - Winlogon Notify: imgac - C:\WINDOWS\Cursors\imgac.dll (file missing)
O20 - Winlogon Notify: windos - C:\WINDOWS\msagent\intl\windos.dll (file missing)
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://x5f.xanga.com/2e18912309c3515249 ... 928580.gif

--
End of file - 14165 bytes
aimlesstech
Regular Member
 
Posts: 15
Joined: December 6th, 2007, 11:30 am

Re: How do I remove a fake antivirus program?

Unread postby random/random » December 7th, 2007, 2:02 pm

Download the latest version of ComboFix from Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Please download FindAWF:
http://noahdfear.net/downloads/FindAWF.exe

Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, Find AWF report is produced.
Please provide Find AWF report in your reply.
User avatar
random/random
Developer
Developer
 
Posts: 7723
Joined: December 18th, 2005, 3:30 pm

Re: How do I remove a fake antivirus program?

Unread postby aimlesstech » December 7th, 2007, 11:24 pm

ComboFix 07-12-07.3 - Kari McGrath 2007-12-07 21:05:14.1 - NTFSx86
Running from: C:\Documents and Settings\Kari McGrath\My Documents\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\family\Application Data\DOBE~1
C:\Documents and Settings\family\My Documents\WNSXS~1
C:\Documents and Settings\Kari McGrath\Application Data\ASEMBL~1
C:\Program Files\asks~1
C:\Program Files\Common Files\icroso~1
C:\Program Files\Common Files\sks~1
C:\Program Files\Common Files\stem32~1
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\PopSwatr\History\allowed
C:\Program Files\FunWebProducts\PopSwatr\History\notallow
C:\Program Files\FunWebProducts\ScreenSaver\Images\00799F21.urr
C:\Program Files\FunWebProducts\Shared\005D80D4.dat
C:\Program Files\FunWebProducts\Shared\016EF9CD.dat
C:\Program Files\FunWebProducts\Shared\Cache\CheckersAIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\ChessAIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\EnableDisableAIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\NoSettingAIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\ReversiAIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn-new.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL_tobedeleted
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\Cache\0003A77C
C:\Program Files\MyWebSearch\bar\Cache\0004CCC2
C:\Program Files\MyWebSearch\bar\Cache\000650A3.bin
C:\Program Files\MyWebSearch\bar\Cache\00065BEE.bin
C:\Program Files\MyWebSearch\bar\Cache\0007A3B0.bin
C:\Program Files\MyWebSearch\bar\Cache\001AE725.bin
C:\Program Files\MyWebSearch\bar\Cache\001AF389.bin
C:\Program Files\MyWebSearch\bar\Cache\001AF473.bin
C:\Program Files\MyWebSearch\bar\Cache\001AF54E.bin
C:\Program Files\MyWebSearch\bar\Cache\0024322C.bin
C:\Program Files\MyWebSearch\bar\Cache\0024343F.bin
C:\Program Files\MyWebSearch\bar\Cache\00243568.bin
C:\Program Files\MyWebSearch\bar\Cache\0024422A
C:\Program Files\MyWebSearch\bar\Cache\0039817F.bin
C:\Program Files\MyWebSearch\bar\Cache\00398353.bin
C:\Program Files\MyWebSearch\bar\Cache\00398641.bin
C:\Program Files\MyWebSearch\bar\Cache\00398A1A.bin
C:\Program Files\MyWebSearch\bar\Cache\0039BE97.bin
C:\Program Files\MyWebSearch\bar\Cache\0039BFD0.bin
C:\Program Files\MyWebSearch\bar\Cache\0039C0BA.bin
C:\Program Files\MyWebSearch\bar\Cache\003AA6F4.bin
C:\Program Files\MyWebSearch\bar\Cache\016E4ED7
C:\Program Files\MyWebSearch\bar\Cache\016E5B2B.bin
C:\Program Files\MyWebSearch\bar\Cache\016E5C73.bin
C:\Program Files\MyWebSearch\bar\Cache\016E5DDB.bin
C:\Program Files\MyWebSearch\bar\Cache\016E5F52.bin
C:\Program Files\MyWebSearch\bar\Cache\017B8FC9
C:\Program Files\MyWebSearch\bar\Cache\02DB28B2.bin
C:\Program Files\MyWebSearch\bar\Cache\02DB2A39.bin
C:\Program Files\MyWebSearch\bar\Cache\02DB2B33.bin
C:\Program Files\MyWebSearch\bar\Cache\156EB941
C:\Program Files\MyWebSearch\bar\Cache\1D8FBC55
C:\Program Files\MyWebSearch\bar\Cache\2D19067D
C:\Program Files\MyWebSearch\bar\Cache\45B4B84A
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_bfeats.dat
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\racle~1
C:\Program Files\stem~1
C:\Program Files\wnsxs~1
C:\Program Files\ystem~1
C:\WINDOWS\bobsaver.exe
C:\WINDOWS\bobsaver.scr
C:\WINDOWS\dobe~1
C:\WINDOWS\mbols~1
C:\WINDOWS\racle~1
C:\WINDOWS\sstem3~1
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\scurit~1
C:\WINDOWS\system32\sks~1
C:\WINDOWS\system32\ymante~1
C:\WINDOWS\system32\ymbols~1
C:\Program Files\MyWebSearch

.
((((((((((((((((((((((((( Files Created from 2007-11-08 to 2007-12-08 )))))))))))))))))))))))))))))))
.

2007-12-06 19:00 . 2007-12-06 19:00 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-05 22:31 . 2007-12-05 22:31 <DIR> d-------- C:\WINDOWS\system32\backuped
2007-12-05 22:31 . 2007-12-05 22:34 <DIR> d-------- C:\Program Files\True Sword 4
2007-12-05 22:31 . 2007-12-05 22:31 <DIR> d-------- C:\Documents and Settings\Kari McGrath\Application Data\True Sword
2007-12-04 19:46 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-04 18:57 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-04 18:55 . 2007-12-04 18:55 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-04 07:00 . 2007-08-20 04:04 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-04 07:00 . 2007-04-17 03:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-04 07:00 . 2007-03-07 23:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-04 07:00 . 2007-08-20 04:04 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-04 07:00 . 2007-08-20 04:04 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-04 07:00 . 2007-08-20 04:04 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-04 07:00 . 2007-08-20 04:04 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-04 07:00 . 2007-08-20 04:04 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-04 07:00 . 2007-08-17 04:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-04 06:52 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-11-30 23:57 . 2007-11-30 23:57 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 . 2007-11-30 23:57 279,088 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 . 2007-11-30 23:57 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,545 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 . 2007-11-30 23:57 1,430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-25 20:25 . 2007-11-25 20:25 <DIR> d-------- C:\Program Files\MalwareAlarm
2007-11-25 20:25 . 2007-11-25 20:25 1,149,472 --a------ C:\Install

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-08 02:46 --------- d-----w C:\Program Files\Plaxo
2007-12-08 02:46 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-12-07 02:01 --------- d-----w C:\Program Files\LimeWire
2007-12-06 03:34 --------- d-----w C:\Program Files\Symantec
2007-12-06 03:33 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-06 03:33 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-06 03:33 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-06 00:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-05 00:57 --------- d-----w C:\Program Files\Java
2007-12-05 00:40 --------- d-----w C:\Program Files\Yahoo! Games
2007-12-04 23:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-18 17:55 --------- d-----w C:\Program Files\Norton AntiVirus
2007-10-31 01:55 39,856 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-10-31 01:55 37,936 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-31 01:55 35,120 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-10-31 01:55 27,696 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-31 01:55 191,536 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-31 01:55 145,968 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-10-31 01:55 12,848 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2007-10-31 01:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-31 01:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2006-07-28 16:57 280,064 ----a-w C:\Documents and Settings\family\Application Data\tizhook.bin
2005-10-26 01:01 179,246 --sha-w C:\WINDOWS\Cursors\cagmi.ini2
2005-10-24 00:45 375,820 --sha-w C:\WINDOWS\Cursors\cagmi.bak2
2005-08-31 02:41 178,679 --sha-w C:\WINDOWS\Cursors\cagmi.bak1
2005-08-31 02:41 178,679 --sha-w C:\WINDOWS\Cursors\cagmi.bak1
2005-10-24 00:45 375,820 --sha-w C:\WINDOWS\Cursors\cagmi.bak2
2005-10-26 01:01 179,246 --sha-w C:\WINDOWS\Cursors\cagmi.ini2
2005-06-19 19:30 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.2\PlaxoHelper.exe" [2007-10-10 15:46]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"Registry Defender"="C:\Program Files\Registry Defender Trial\RegClean.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-28 18:08]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 14:35]
"MalwareAlarm"="C:\Program Files\MalwareAlarm\MalwareAlarm.exe" [2007-11-25 20:25]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 19:53]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 19:42]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 21:02]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-07 15:03]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 21:43]
"VTTimer"="VTTimer.exe" [2005-03-08 04:33 C:\WINDOWS\system32\VTTimer.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 C:\WINDOWS\AGRSMMSG.exe]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 09:46]
"Motive SmartBridge"="C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe" [2004-11-09 09:32]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 00:18]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 12:12]
"HostManager"="C:\Program Files\Common Files\AOL\1137125262\ee\AOLHostManager.exe" [2006-04-20 11:10]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 10:59]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 19:22]
"pi"="C:\WINDOWS\system32\pi.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 15:51]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 17:57]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 12:47 C:\WINDOWS\ALCXMNTR.EXE]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"pi"="C:\WINDOWS\system32\pi.exe" []
"bbdlaa"="C:\WINDOWS\system32\bbdlaa.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]

C:\Documents and Settings\Kari McGrath\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2006-08-09 13:22:03]
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-01-19 15:33:05]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digimax Viewer 2.0.lnk - C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe [2005-09-11 18:00:09]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 06:31:38]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-07-22 02:47:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvtq]
awvtq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\imgac]
C:\WINDOWS\Cursors\imgac.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\windos]
C:\WINDOWS\msagent\intl\windos.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=


.
Contents of the 'Scheduled Tasks' folder
"2007-11-22 19:41:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2005-05-17 03:01:00 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2007-12-08 03:00:17 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Kari McGrath.job"
- C:\PROGRA~1\NORTON~1\Navw32.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-07 21:14:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-07 21:17:15 - machine was rebooted
.
--- E O F ---
aimlesstech
Regular Member
 
Posts: 15
Joined: December 6th, 2007, 11:30 am

Re: How do I remove a fake antivirus program?

Unread postby aimlesstech » December 7th, 2007, 11:32 pm

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Fri 12/07/2007
The current time is: 21:28:11.46


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report
aimlesstech
Regular Member
 
Posts: 15
Joined: December 6th, 2007, 11:30 am

Re: How do I remove a fake antivirus program?

Unread postby random/random » December 8th, 2007, 11:25 am

Go to Start> Control Panel> Add or Remove Programs.

Remove the following program, if it is present.


  • Open a new notepad window (Start>All programs>accessories>notepad)
  • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
    Code: Select all
    File::
    C:\WINDOWS\Cursors\cagmi.ini2
    C:\WINDOWS\Cursors\cagmi.bak2
    C:\WINDOWS\Cursors\cagmi.bak1
    C:\WINDOWS\Cursors\cagmi.bak1
    C:\WINDOWS\Cursors\cagmi.bak2
    C:\WINDOWS\Cursors\cagmi.ini2
    Folder::
    C:\Program Files\MalwareAlarm
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MalwareAlarm"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "pi"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "pi"=-
    "bbdlaa"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvtq]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\imgac]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\windos]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
  • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
    Image
  • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
    Note: Do not mouseclick combofix's window while its running. That may cause it to stall
User avatar
random/random
Developer
Developer
 
Posts: 7723
Joined: December 18th, 2005, 3:30 pm

Re: How do I remove a fake antivirus program?

Unread postby aimlesstech » December 8th, 2007, 6:12 pm

sorry, combofix did not put a shortcut on my desktop and I can't figure out how to get it there without it running itself again. I looked for a way to save it to the desktop when I installed it but there wasn't any that I could see. What do I do now? I did look for the malware program but I removed it from the add or remove programs last week and it's still hanging around somewhere. I did not see it on the list today. Thanks, Amy
aimlesstech
Regular Member
 
Posts: 15
Joined: December 6th, 2007, 11:30 am

Re: How do I remove a fake antivirus program?

Unread postby aimlesstech » December 8th, 2007, 6:36 pm

Nevermind! 8) I figured it out!

ComboFix 07-12-07.3 - Kari McGrath 2007-12-08 16:25:51.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.75 [GMT -6:00]
Running from: C:\Documents and Settings\Kari McGrath\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kari McGrath\Desktop\CFscript.txt
* Created a new restore point

FILE
C:\WINDOWS\Cursors\cagmi.bak1
C:\WINDOWS\Cursors\cagmi.bak2
C:\WINDOWS\Cursors\cagmi.ini2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\MalwareAlarm
C:\Program Files\MalwareAlarm\MalwareAlarm.exe
C:\Program Files\MalwareAlarm\MalwareAlarm.lic
C:\Program Files\MalwareAlarm\MalwareAlarm0.ma
C:\Program Files\MalwareAlarm\MalwareAlarm1.ma
C:\WINDOWS\Cursors\cagmi.bak1
C:\WINDOWS\Cursors\cagmi.bak2
C:\WINDOWS\Cursors\cagmi.ini2

.
((((((((((((((((((((((((( Files Created from 2007-11-08 to 2007-12-08 )))))))))))))))))))))))))))))))
.

2007-12-06 19:00 . 2007-12-06 19:00 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-05 22:31 . 2007-12-08 16:19 <DIR> d-------- C:\Program Files\True Sword 4
2007-12-05 22:31 . 2007-12-05 22:31 <DIR> d-------- C:\Documents and Settings\Kari McGrath\Application Data\True Sword
2007-12-04 19:46 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-04 18:57 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-04 18:55 . 2007-12-04 18:55 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-04 07:00 . 2007-08-20 04:04 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-04 07:00 . 2007-04-17 03:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-04 07:00 . 2007-03-07 23:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-04 07:00 . 2007-08-20 04:04 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-04 07:00 . 2007-08-20 04:04 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-04 07:00 . 2007-08-20 04:04 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-04 07:00 . 2007-08-20 04:04 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-04 07:00 . 2007-08-20 04:04 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-04 07:00 . 2007-08-17 04:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-04 06:52 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-11-30 23:57 . 2007-11-30 23:57 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 . 2007-11-30 23:57 279,088 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 . 2007-11-30 23:57 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,545 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 . 2007-11-30 23:57 1,430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-25 20:25 . 2007-11-25 20:25 1,149,472 --a------ C:\Install

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-08 03:15 --------- d-----w C:\Program Files\Plaxo
2007-12-08 03:15 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-12-07 02:01 --------- d-----w C:\Program Files\LimeWire
2007-12-06 03:34 --------- d-----w C:\Program Files\Symantec
2007-12-06 03:33 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-06 03:33 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-06 03:33 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-06 03:33 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-06 00:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-05 00:57 --------- d-----w C:\Program Files\Java
2007-12-05 00:40 --------- d-----w C:\Program Files\Yahoo! Games
2007-12-04 23:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-18 17:55 --------- d-----w C:\Program Files\Norton AntiVirus
2007-10-31 01:55 625,032 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-31 01:55 39,856 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-10-31 01:55 37,936 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-31 01:55 35,120 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-10-31 01:55 27,696 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-31 01:55 242,056 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-10-31 01:55 191,536 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-31 01:55 145,968 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-10-31 01:55 12,848 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2007-10-31 01:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-31 01:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2006-07-28 16:57 280,064 ----a-w C:\Documents and Settings\family\Application Data\tizhook.bin
2005-06-19 19:30 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.2\PlaxoHelper.exe" [2007-10-10 15:46]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"Registry Defender"="C:\Program Files\Registry Defender Trial\RegClean.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-28 18:08]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 14:35]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 19:53]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 19:42]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 21:02]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-07 15:03]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 21:43]
"VTTimer"="VTTimer.exe" [2005-03-08 04:33 C:\WINDOWS\system32\VTTimer.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 C:\WINDOWS\AGRSMMSG.exe]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 09:46]
"Motive SmartBridge"="C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe" [2004-11-09 09:32]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 00:18]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 12:12]
"HostManager"="C:\Program Files\Common Files\AOL\1137125262\ee\AOLHostManager.exe" [2006-04-20 11:10]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 10:59]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 19:22]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 15:51]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 17:57]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 12:47 C:\WINDOWS\ALCXMNTR.EXE]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]

C:\Documents and Settings\Kari McGrath\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2006-08-09 13:22:03]
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-01-19 15:33:05]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digimax Viewer 2.0.lnk - C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe [2005-09-11 18:00:09]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 06:31:38]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-07-22 02:47:22]


.
Contents of the 'Scheduled Tasks' folder
"2007-11-22 19:41:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2005-05-17 03:01:00 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
"2007-12-08 03:00:17 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Kari McGrath.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-08 16:29:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-08 16:30:25
C:\ComboFix2.txt ... 2007-12-07 21:17
.
--- E O F ---
aimlesstech
Regular Member
 
Posts: 15
Joined: December 6th, 2007, 11:30 am

Re: How do I remove a fake antivirus program?

Unread postby aimlesstech » December 8th, 2007, 6:38 pm

Here's the Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:26 PM, on 12/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\AOL\1137125262\ee\aolsoftware.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Plaxo\2.13.1.2\PlaxoHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1137125262\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.2\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Registry Defender] "C:\Program Files\Registry Defender Trial\RegClean.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Digimax Viewer 2.0.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xmk572YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/rap ... loader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... .0.8-2.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/AL ... _2-0-0.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4472310156
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://doimail.doi.state.ne.us/dwa7W.cab
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://x5f.xanga.com/2e18912309c3515249 ... 928580.gif

--
End of file - 12781 bytes
aimlesstech
Regular Member
 
Posts: 15
Joined: December 6th, 2007, 11:30 am

Re: How do I remove a fake antivirus program?

Unread postby random/random » December 8th, 2007, 9:05 pm

Go to Start> Control Panel> Add or Remove Programs.

Remove the following programs, if they are present.

  • Registry Defender - see here
  • Microsoft antispyware << This hasn't been updated for a very long time. The latest version is now Windows Defender


Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines(if still present)

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [Registry Defender] "C:\Program Files\Registry Defender Trial\RegClean.exe"
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xmk572YYUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... .0.8-2.cab

Then close all windows except HijackThis and click Fix Checked

Restart

Use windows explorer to find and delete this folder:

C:\Program Files\Registry Defender Trial\

As an example:
To delete C:\WINDOWS\system32\filetogo.bye
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on filetogo.bye and from the menu that appears, click on 'Delete'


Go here to run an online scannner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with anew HijackThis log & a description of any remaining problems
User avatar
random/random
Developer
Developer
 
Posts: 7723
Joined: December 18th, 2005, 3:30 pm

Re: How do I remove a fake antivirus program?

Unread postby aimlesstech » December 10th, 2007, 8:03 pm

Eset:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2712 (20071209)
# vers_arch_module=1.059 (20071108)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=f7e5f27d615b424e80242d3e3209b9b0
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2007-12-10 04:21:01
# local_time=2007-12-09 10:21:01 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=559320
# found=5
# scan_time=7077
C:\Documents and Settings\family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-25df0b80-53a1448b.zip Java/Bytverify trojan 3C7B45F7180EAB09E284D96B83562078
C:\Documents and Settings\family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-25df0b80-53a1448b.zip »ZIP »Gummy.class Java/Bytverify trojan 00000000000000000000000000000000
C:\Program Files\Setup\Setup.exe probably a variant of Win32/Adware.Agent application D00D3AF75C3F5E6163E78148CC6746F8
C:\qoobox\Quarantine\C\Program Files\MalwareAlarm\MalwareAlarm.exe.vir a variant of Win32/Adware.SpySheriff application 103A46CB90DFECDB8B49ABDA151C8222
C:\RECYCLER\S-1-5-21-2403945234-3722374550-1420884123-1015\Dc2\backuped\3\warnhp.html Win32/Oleloa.H trojan 31C3F3CC3F88AAFF43EA0F2321D15731
aimlesstech
Regular Member
 
Posts: 15
Joined: December 6th, 2007, 11:30 am

Re: How do I remove a fake antivirus program?

Unread postby aimlesstech » December 10th, 2007, 8:06 pm

Hijack:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:05:01 PM, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\Common Files\AOL\1137125262\ee\aolsoftware.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Plaxo\2.13.1.2\PlaxoHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1137125262\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.2\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Digimax Viewer 2.0.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/rap ... loader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/AL ... _2-0-0.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4472310156
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://doimail.doi.state.ne.us/dwa7W.cab
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://x5f.xanga.com/2e18912309c3515249 ... 928580.gif

--
End of file - 12355 bytes
aimlesstech
Regular Member
 
Posts: 15
Joined: December 6th, 2007, 11:30 am

Re: How do I remove a fake antivirus program?

Unread postby aimlesstech » December 11th, 2007, 10:37 am

Other things that are strange: when I restart my computer, the first thing that appears is a dos comment asking if it should start Windows home edition or buisness and gives a countdown. When I'm in Windows, there is a box with nothing in it and like a crypt code at the top of the box and it has a place to click ok at the bottom. After I get through that, the computer is pretty much back to normal as I can tell so far. Thanks, Amy
aimlesstech
Regular Member
 
Posts: 15
Joined: December 6th, 2007, 11:30 am

Re: How do I remove a fake antivirus program?

Unread postby random/random » December 11th, 2007, 1:28 pm

I'm not sure what's causing those remaining problems, so I'd like to check a bit deeper

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines(if still present)

O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)

Then close all windows except HijackThis and click Fix Checked

  • Download GMER by GMER from here
  • Unzip it to a folder on your desktop
  • Double click on gmer.exe to launch GMER
  • If asked, allow the gmer.sys driver load
  • If it warns you about rootkit activity and asks if you want to run scan, click OK
  • If you don't get a warning then
    • Click the rootkit tab
    • Click Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerrk.txt
  • Click on the >>> tab
  • This will open up the rest of the tabs for you
  • Click on the Autostart tab
  • Click on Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerautos.txt
  • Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply
User avatar
random/random
Developer
Developer
 
Posts: 7723
Joined: December 18th, 2005, 3:30 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: Vanilla-krypton and 31 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware