Fake alert block access to AV sites

March 4, 2010 at 15:07:08
Specs: Windows XP
Hi: I was able to remove the fake-alert Trojan, but it still won't let me access anti-virus web sites, so there must be something else to do. Any suggestions?

#1
March 4, 2010 at 15:15:24
You are still infected with something; these scans will help find the problem.

Download DDS and save it to your desktop.
DDS.scr


Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt

Save both reports to your desktop then post them please.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & paste the entire report in your next reply.



#2
March 4, 2010 at 16:24:56
I can see a way to attach files, so I've posted them here as requested. If there's a way to attach and I missed it, my apologies.

John Blake

DDS (Ver_09-12-01.01) - NTFSx86
Run by johnb at 16:18:48.64 on Thu 03/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.218 [GMT -8:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe -k netsvc6
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\eFax Messenger 4.4\J2GTray.exe
C:\Documents and Settings\JohnB\Local Settings\Application Data\Google\Update\1.2.183.17\GoogleCrashHandler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\JohnB\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R
uRun: [Google Update] "c:\documents and settings\johnb\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\johnb\startm~1\programs\startup\efax44~1.lnk - c:\program files\efax messenger 4.4\J2GTray.exe
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: chase.com
Trusted Zone: nmspei-dc
Trusted Zone: nmspei.net
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192235538158
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\johnb\applic~1\mozilla\firefox\profiles\8jau4gjx.default\
FF - plugin: c:\documents and settings\johnb\local settings\application data\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 o6ko;ML Display Class Docfile Intel;c:\windows\system32\drivers\o6ko.sys [2007-4-21 32768]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 srvoko6;Security List Class Service Secondary OpcEnum Fonts Control;c:\windows\system32\svchost.exe -k netsvc6 [2001-8-23 14336]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100303.005\naveng.sys [2010-3-3 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100303.005\navex15.sys [2010-3-3 1324720]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-23 135664]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

=============== Created Last 30 ================

2010-03-04 20:34:04 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-03-04 20:34:04 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-04 17:26:49 0 d-----w- c:\docume~1\johnb\applic~1\Malwarebytes
2010-03-04 17:26:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-04 17:26:38 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-04 17:26:38 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-04 17:26:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-04 17:25:38 0 ----a-w- c:\windows\VPC32.INI
2010-03-04 01:02:35 0 d-----w- c:\windows\pss
2010-03-04 00:23:09 1 ----a-w- c:\windows\lgo
2010-03-04 00:17:32 1 ----a-w- c:\windows\ligh
2010-03-02 17:28:31 0 d-----w- c:\program files\iPod
2010-03-02 17:28:02 0 d-----w- c:\program files\iTunes
2010-03-02 17:28:02 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-02 17:18:01 0 d-----w- c:\program files\Bonjour
2010-02-25 23:33:11 0 d-sh--w- c:\documents and settings\johnb\IECompatCache
2010-02-25 20:30:43 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-02-25 20:30:40 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-02-25 20:30:26 0 d-----w- c:\windows\Logs
2010-02-25 20:30:23 0 d-----w- c:\program files\Winamp Detect
2010-02-25 20:30:15 0 d-----w- c:\program files\Winamp Toolbar
2010-02-25 20:30:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Winamp Toolbar
2010-02-23 21:37:31 0 d-----w- c:\docume~1\johnb\applic~1\j2 Global
2010-02-23 21:36:54 0 d-----w- c:\docume~1\johnb\applic~1\eFax Messenger
2010-02-23 21:36:48 0 ----a-w- c:\windows\system32\eFax_4_4_Port
2010-02-23 21:36:47 0 d-----w- c:\docume~1\alluse~1\applic~1\eFax Messenger 4.4 Output
2010-02-23 21:36:22 0 d-----w- c:\program files\eFax Messenger 4.4
2010-02-23 21:24:22 0 d-----w- c:\docume~1\johnb\applic~1\Calyx Software
2010-02-23 21:14:59 3245 ----a-w- c:\windows\system32\wbem\Outlook_01cab4cd417f5c0f.mof
2010-02-23 21:01:27 0 d-sh--w- c:\documents and settings\johnb\PrivacIE
2010-02-23 21:00:20 0 d-sh--w- c:\documents and settings\johnb\IETldCache
2010-02-22 22:54:06 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2008-09-05 17:12:00 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat
2009-11-02 21:12:33 32768 --sha-w- c:\windows\temp\cookies\index.dat
2009-11-02 21:12:33 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-11-02 21:20:32 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009110220091103\index.dat
2009-11-02 21:18:09 180224 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 16:19:45.36 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/12/2007 3:00:27 PM
System Uptime: 3/4/2010 11:24:24 AM (5 hours ago)

Motherboard: MICRO-STAR INC. | | MS-6580
Processor: Intel(R) Pentium(R) 4 CPU 2.40GHz | FC-478 | 2405/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 60.195 GiB free.
D: is CDROM (CDFS)
E: is CDROM (CDFS)
F: is Removable
X: is NetworkDisk (NTFS) - 205 GiB total, 34.079 GiB free.
Z: is NetworkDisk (NTFS) - 205 GiB total, 34.079 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP760: 2/22/2010 3:01:39 PM - System Checkpoint
RP761: 2/23/2010 4:00:57 AM - Software Distribution Service 3.0
RP762: 2/23/2010 1:06:23 PM - Software Distribution Service 3.0
RP763: 2/23/2010 1:19:01 PM - Installed Point 7.2.
RP764: 2/23/2010 1:36:38 PM - Installed eFax Messenger
RP765: 2/24/2010 1:50:14 PM - System Checkpoint
RP766: 2/25/2010 12:30:36 PM - Installed DirectX
RP767: 2/26/2010 5:16:12 PM - System Checkpoint
RP768: 2/27/2010 5:30:12 PM - System Checkpoint
RP769: 2/28/2010 6:30:14 PM - System Checkpoint
RP770: 3/1/2010 7:30:14 PM - System Checkpoint
RP771: 3/2/2010 8:30:17 PM - System Checkpoint
RP772: 3/3/2010 8:37:58 PM - System Checkpoint
RP773: 3/4/2010 12:33:26 PM - Installed Java(TM) 6 Update 18

==== Installed Programs ======================

Abacast Distributed Live
ACT!
Adobe Flash Player 10 ActiveX
Adobe Reader 8.2.1
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Critical Update for Windows Media Player 11 (KB959772)
eFax Messenger
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Intact Document Solution
Intel(R) Extreme Graphics Driver
Intel(R) PRO Network Adapters and Drivers
iTunes
Java Auto Updater
Java(TM) 6 Update 18
LiveUpdate 3.1 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft WSE 2.0 SP3 Runtime
Mozilla Firefox (3.6)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Point
Point 7.2
QuickTime
Realtek AC'97 Audio
Safari
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Spelling Dictionaries Support For Adobe Reader 8
Symantec AntiVirus
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Winamp
Winamp Detector Plug-in
Winamp Toolbar
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

3/4/2010 9:46:20 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
3/4/2010 10:13:00 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT o6ko RasAcd Rdbss SAVRT SAVRTPEL SPBBCDrv SYMTDI Tcpip
3/4/2010 10:13:00 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
3/4/2010 10:13:00 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/4/2010 10:13:00 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/4/2010 10:13:00 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
3/4/2010 10:13:00 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/4/2010 10:13:00 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/4/2010 10:06:28 AM, error: EventLog [6004] - A driver packet received from the I/O subsystem was invalid. The data is the packet.
3/1/2010 11:26:54 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. .
3/1/2010 11:26:54 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.
3/1/2010 11:22:25 AM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\MFC80.DLL. Reference error message: The operation completed successfully. .

==== End Of File ===========================



#3
March 4, 2010 at 16:47:16
Thanks for all your help! I scanned my hard drive using Malwarebytes last night, but when it tried to get an update last night, it wasn't able to access the Malwarebytes website because it was blocked by FakeAlert malware. This log is from the first scan I did last night. I could do another, I suppose, but even after I removed the files using the Malwarebytes software, I still can't access any antivirus website. I had to download the dds.scr file using another computer and copy it to my desktop. Here's last night's log. I'm doing another scan as we speak, but must leave my work computer until tomorrow. I'll check back in the morning.

Thanks again.

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/4/2010 9:44:20 AM
mbam-log-2010-03-04 (09-44-20).txt

Scan type: Quick Scan
Objects scanned: 147239
Time elapsed: 13 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\MikeB\Local Settings\Temporary Internet Files\Content.IE5\MKYEYYKJ\Soft_283s1[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\bk23567.dat (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\fdgg34353edfgdfdf (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\END (Trojan.FakeAlert) -> Quarantined and deleted successfully.




#4
March 4, 2010 at 17:02:19
Here's the result of the latest scan by Malwarebytes:

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/4/2010 5:01:06 PM
mbam-log-2010-03-04 (17-01-06).txt

Scan type: Quick Scan
Objects scanned: 147529
Time elapsed: 16 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


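As an added triage aid for logs like the two MBAM reports in #3 and #4 above (example code, not from this thread or from Malwarebytes; the parsing rules are inferred from the log format shown), this Python parser pulls out the scan metadata, the summary counts and each detection, cross-checks that the counts agree with the items actually listed, and isolates any Run-key detection, since an autostart value such as the sysfbtray entry in #3 is what lets a fake-alert infection return after a reboot. The sample input is the #3 log with its empty sections trimmed.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and sanity-check it (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample input: the log posted in #3 above, with all but one of the
# empty "(No malicious items detected)" sections trimmed to save space.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3510

3/4/2010 9:44:20 AM
mbam-log-2010-03-04 (09-44-20).txt

Scan type: Quick Scan
Objects scanned: 147239
Time elapsed: 13 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray (Worm.KoobFace) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\MikeB\Local Settings\Temporary Internet Files\Content.IE5\MKYEYYKJ\Soft_283s1[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\bk23567.dat (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\fdgg34353edfgdfdf (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\END (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""


@dataclass
class Detection:
    section: str  # e.g. "Files Infected"
    item: str     # file path or registry location
    threat: str   # MBAM threat name, e.g. "Worm.KoobFace"
    action: str   # what MBAM did with the item


@dataclass
class MbamReport:
    database_version: str = ""
    scan_type: str = ""
    objects_scanned: int = 0
    declared_counts: dict = field(default_factory=dict)  # section -> count in the summary
    detections: list = field(default_factory=list)


COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
NO_ITEMS = "(No malicious items detected)"


def parse_mbam_log(text: str) -> MbamReport:
    """Single pass: header fields, then summary counts, then each 'X Infected:' section."""
    report = MbamReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Database version:"):
            report.database_version = line.split(":", 1)[1].strip()
        elif line.startswith("Scan type:"):
            report.scan_type = line.split(":", 1)[1].strip()
        elif line.startswith("Objects scanned:"):
            report.objects_scanned = int(line.split(":", 1)[1])
        elif (m := COUNT_RE.match(line)):
            report.declared_counts[m["section"]] = int(m["n"])
        elif (m := SECTION_RE.match(line)):
            section = m["section"]
        elif section and line != NO_ITEMS:
            m = DETECTION_RE.match(line)
            if m:  # lines that do not look like a detection are skipped, not guessed at
                report.detections.append(Detection(section, m["item"], m["threat"], m["action"]))
    return report


def count_mismatches(report: MbamReport) -> dict:
    """{section: (declared, listed)} where the summary disagrees with the listed items."""
    listed = {}
    for d in report.detections:
        listed[d.section] = listed.get(d.section, 0) + 1
    return {s: (n, listed.get(s, 0))
            for s, n in report.declared_counts.items() if listed.get(s, 0) != n}


def autostart_entries(report: MbamReport) -> list:
    """Registry detections under a CurrentVersion Run key (autostart persistence)."""
    return [d for d in report.detections
            if d.section.startswith("Registry") and "\\currentversion\\run\\" in d.item.lower()]
```

A mismatch from count_mismatches usually means the poster trimmed or edited the paste, so ask for the full log before concluding anything from it.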

#5
March 4, 2010 at 17:02:56
Let's try a different approach. Try to download/run exeHelper first, then try to download/run Rkill, then download/run ComboFix.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

You may need to download these to a CD, external drive, or USB drive and run them on the infected computer, but first try to run them from the infected computer.

Please download Rkill from the following link.

Rkill

Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. This link will help you disable them:

Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)

A black screen will appear and then disappear. Please do not worry, that is normal.

If you get a message that Rkill is an infection, do not be concerned. This message is just a fake warning given by the malware when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that Rkill can terminate the malware. So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of the guide.

Do not reboot your computer after running Rkill, as the malware programs will start again.

Remember: your Norton antivirus must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get it disabled.

Please download ComboFix to the desktop from one of the following links:

ComboFix

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box and click Save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

