Fake Windows Security Virus

Dell Vostro 1500 notebook computer...
February 19, 2010 at 22:04:44
Specs: Windows XP SP 3
I am trying to fix my parents' computer for them (again). They have picked up some kind of virus or malware that makes a fake Windows security screen pop up and continually prompts you to purchase the anti-virus software. It also has a ton of the little yellow/red security balloons in the bottom right tray and keeps opening IE windows going to porno.com or adult.com. I have told them many times not to click on these things when they pop up because they are fake, but they never believe me. So usually I can clean the computer with a combination of Symantec Antivirus and Malwarebytes, but I can't seem to get it this time. Symantec doesn't detect anything. Malwarebytes found and deleted one file, but this didn't help any. I can only run in Safe Mode because the virus won't let anything open in normal mode. I've also disconnected it from the internet.

I have one other question too. Do you think the mass amount of viruses they keep getting could be from using XP? I have Windows 7 on my own computer and never have any problems. And as I understand it, Microsoft is sending fewer and fewer security updates for XP.

Any suggestions would be super appreciated. Thanx!



#1
February 20, 2010 at 05:43:45
You may need to download these to a cd, external drive, or usb drive and run it on the infected computer but first try to run it from the infected computer.

Please download Rkill from the following link.

Rkill

Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. This link will help you disable them:

Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)

A black screen will appear and then disappear. Please do not worry, that is normal.

If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the malware when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the malware. So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of the guide.

Do not reboot your computer after running rkill as the malware programs will start again. Once you run Combofix, allow combofix to restart the computer if it asks to do so.

Download Combofix with Internet Explorer if possible.

You do not need to turn off Malwarebytes when running Combofix.

Remember: your Norton antivirus and any realtime antispyware program that you have such as Spybot's Tea Timer, Windows Defender, Adaware must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.

Please download ComboFix to the desktop from one of the following links:

ComboFix

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, in the filename box rename combofix.exe to Combo-Fix > click save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt".
Note: Do not mouse-click combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#2
February 20, 2010 at 11:39:01
Ok, it is starting to look better already. The onslaught of pop-ups has stopped. Here are my rkill and combofix logs.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as David on 02/20/2010 at 11:23:26.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\David\Local Settings\Application Data\txyloj\jqhjsftav.exe
C:\Documents and Settings\David\Desktop\rkill.pif


Rkill completed on 02/20/2010 at 11:23:29.

-----------------------------------------------------------------------------------------

ComboFix 10-02-20.01 - David 02/20/2010 11:28:19.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1435 [GMT -8:00]
Running from: c:\documents and settings\David\Desktop\combofix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\David\Local Settings\Application Data\{60C7EE6C-98DF-4E4F-81AA-42BDE38FE504}
c:\documents and settings\David\Local Settings\Application Data\{60C7EE6C-98DF-4E4F-81AA-42BDE38FE504}\chrome.manifest
c:\documents and settings\David\Local Settings\Application Data\{60C7EE6C-98DF-4E4F-81AA-42BDE38FE504}\chrome\content\_cfg.js
c:\documents and settings\David\Local Settings\Application Data\{60C7EE6C-98DF-4E4F-81AA-42BDE38FE504}\chrome\content\overlay.xul
c:\documents and settings\David\Local Settings\Application Data\{60C7EE6C-98DF-4E4F-81AA-42BDE38FE504}\install.rdf
c:\documents and settings\David\Local Settings\Application Data\txyloj
c:\documents and settings\David\Local Settings\Application Data\txyloj\jqhjsftav.exe
c:\program files\Common Files\Uninstall
c:\program files\Common Files\Uninstall\PAV\Uninstall.lnk
c:\windows\igesuqeb.dll
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2010-01-20 to 2010-02-20 )))))))))))))))))))))))))))))))
.

2010-02-20 05:35 . 2010-02-20 05:35 -------- d-----w- c:\program files\CCleaner
2010-02-20 05:34 . 2010-02-20 05:34 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2010-02-20 04:04 . 2010-02-20 04:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-20 03:58 . 2010-02-20 03:58 -------- d-----w- c:\documents and settings\David\Application Data\Malwarebytes
2010-02-20 03:58 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-20 03:58 . 2010-02-20 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-20 03:58 . 2010-02-20 03:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-20 03:58 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 03:41 . 2010-02-20 19:22 0 ----a-w- c:\windows\Mvata.bin
2010-02-19 03:41 . 2010-02-19 03:41 120 ----a-w- c:\windows\Npeluqerofi.dat
2010-02-04 02:18 . 2010-02-16 03:56 -------- d-----w- c:\documents and settings\David\Tracing
2010-02-04 02:16 . 2010-02-04 02:16 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-02-04 02:16 . 2010-02-04 02:16 -------- d-----w- c:\program files\Windows Live
2010-02-04 02:11 . 2010-02-04 02:11 -------- d-----w- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-20 19:20 . 2009-05-26 02:31 -------- d-----w- c:\program files\Symantec AntiVirus
2010-02-14 07:17 . 2009-12-25 20:15 53744 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-05 11:23 . 2009-12-04 03:03 79488 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-04 06:33 . 2009-09-20 19:58 -------- d-----w- c:\documents and settings\David\Application Data\Canon
2010-02-04 02:17 . 2009-02-12 04:35 67496 ----a-w- c:\documents and settings\David\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-23 11:17 . 2009-12-20 22:09 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 04:56 . 2009-02-12 03:00 -------- d-----w- c:\documents and settings\David\Application Data\Apple Computer
2010-01-14 04:55 . 2009-02-12 02:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-05 10:00 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 10:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 05:09 . 2009-12-31 05:09 -------- d-----w- c:\documents and settings\David\Application Data\SharePod
2009-12-25 20:00 . 2009-12-25 19:59 -------- d-----w- c:\program files\iTunes
2009-12-25 20:00 . 2009-12-25 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-25 19:59 . 2009-12-25 19:59 -------- d-----w- c:\program files\iPod
2009-12-25 19:59 . 2009-02-12 02:58 -------- d-----w- c:\program files\Common Files\Apple
2009-12-25 19:57 . 2009-12-25 19:57 -------- d-----w- c:\program files\Bonjour
2009-12-25 19:57 . 2009-12-25 19:56 -------- d-----w- c:\program files\QuickTime
2009-12-25 19:47 . 2009-12-25 19:47 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-16 18:43 . 2008-12-06 22:35 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2005-03-30 01:21 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2005-03-30 01:01 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-06 20:20 . 2009-12-06 20:20 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-12-04 18:22 . 2004-08-04 10:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-04 10:00 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-04 10:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-04 10:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 10:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1024000]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-25 2220032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-17 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-17 138008]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/4/2009 7:04 PM 102448]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/6/2009 6:30 PM 133104]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 5:34 AM 115952]
.
Contents of the 'Scheduled Tasks' folder

2010-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-07 02:30]

2010-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-07 02:30]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-akjqhrlh - c:\documents and settings\David\Local Settings\Application Data\txyloj\jqhjsftav.exe
HKLM-Run-akjqhrlh - c:\documents and settings\David\Local Settings\Application Data\txyloj\jqhjsftav.exe
HKLM-Run-Rsuyewapafi - c:\windows\igesuqeb.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-20 11:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-02-20 11:33:32
ComboFix-quarantined-files.txt 2010-02-20 19:33

Pre-Run: 108,759,359,488 bytes free
Post-Run: 109,407,977,472 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 43AFF52E8809B0DB3B7786E805FFA758


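The ComboFix log above carries the usual fake-AV footprint: Run-key entries with random-letter names pointing into the user's Local Settings\Application Data, a bare DLL registered as an autostart, Security Center monitoring of the real antivirus switched off, the browser proxied through 127.0.0.1:5555, and two freshly created files dropped straight into C:\WINDOWS (one of them 0 bytes, which is consistent with the "0 bytes size received" answer VirusTotal gives later in the thread). As an added example that is not part of this thread and not ComboFix's own code, the Python below walks a constructed log trimmed from the posted one and flags those indicators for a responder; the regexes, reason strings and the `triage`/`count_by_reason` names are mine.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a trimmed ComboFix-style log modelled on the one posted
# in this thread (same paths and values), not a complete real log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-01-20 to 2010-02-20 )))))))))))))))))))))))))))))))
2010-02-20 03:58 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 03:41 . 2010-02-20 19:22 0 ----a-w- c:\windows\Mvata.bin
2010-02-19 03:41 . 2010-02-19 03:41 120 ----a-w- c:\windows\Npeluqerofi.dat
2010-02-04 02:16 . 2010-02-04 02:16 -------- d-----w- c:\program files\Windows Live

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-16 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

------- Supplementary Scan -------
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>

- - - - ORPHANS REMOVED - - - -
HKCU-Run-akjqhrlh - c:\documents and settings\David\Local Settings\Application Data\txyloj\jqhjsftav.exe
HKLM-Run-Rsuyewapafi - c:\windows\igesuqeb.dll
"""


@dataclass
class Finding:
    where: str   # section or registry key the line came from
    line: str    # the log line as written
    reason: str  # why a responder should look at it


# Line shapes found in a ComboFix log (my own regexes, not ComboFix's format spec)
KEY_RE = re.compile(r'^\[(HKEY_[A-Z_]+|HKLM|HKCU)\\(?P<path>.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"(?:\s+\[[^\]]*\])?$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
PROXY_RE = re.compile(r'^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+)$')
ORPHAN_RE = re.compile(r'^(?P<hive>HKCU|HKLM)-Run-(?P<name>\S+)\s+-\s+(?P<target>.+)$')
FILE_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+'
                     r'(?P<size>\d+|-+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$')
WINDOWS_ROOT_RE = re.compile(r'^c:\\windows\\[^\\]+$', re.IGNORECASE)
USER_DATA_DIRS = ('\\local settings\\application data\\',
                  '\\local settings\\temp\\',
                  '\\application data\\')


def _check_target(target):
    """Reasons an autostart target deserves a second look."""
    t = target.lower()
    reasons = []
    if '\\documents and settings\\' in t and any(d in t for d in USER_DATA_DIRS):
        reasons.append("autostart from a user-profile data folder")
    if t.endswith('.dll'):
        reasons.append("Run value points at a DLL, not an executable")
    return reasons


def _check_file(size, attrs, path):
    """Reasons a newly created file deserves a second look (directories skipped)."""
    reasons = []
    if attrs.startswith('d'):
        return reasons
    if WINDOWS_ROOT_RE.match(path):
        reasons.append("new file dropped directly in the Windows folder")
    if size == '0':
        reasons.append("empty file (0 bytes)")
    return reasons


def triage(log_text):
    """Return a list of Finding objects for the suspicious lines of a ComboFix-style log."""
    findings = []
    key = None  # registry key currently being listed, lower-cased
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('path').lower()
            continue
        m = DWORD_RE.match(line)
        if m:
            if (key and 'security center' in key
                    and m.group('name').lower() == 'disablemonitoring'
                    and int(m.group('val'), 16) == 1):
                findings.append(Finding(key, line, "Security Center monitoring disabled for an AV product"))
            continue
        m = VALUE_RE.match(line)
        if m:
            if key and key.endswith('\\run'):
                for r in _check_target(m.group('target')):
                    findings.append(Finding(key, line, r))
            continue
        m = PROXY_RE.match(line)
        if m:
            v = m.group('value').lower()
            if '127.0.0.1' in v or 'localhost' in v:
                findings.append(Finding("Internet Settings", line,
                                        "browser proxy pointed at loopback (local interception)"))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            where = m.group('hive') + "\\...\\Run"
            findings.append(Finding(where, line, "orphaned autostart entry (file already removed)"))
            for r in _check_target(m.group('target')):
                findings.append(Finding(where, line, r))
            continue
        m = FILE_RE.match(line)
        if m:
            for r in _check_file(m.group('size'), m.group('attrs'), m.group('path')):
                findings.append(Finding("Files Created", line, r))
    return findings


def count_by_reason(findings):
    """Tally findings by reason so a long log can be summarised at a glance."""
    return Counter(f.reason for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}] {f.line}")
```

Legitimate entries such as the Google toolbar and Symantec ccApp autostarts pass through untouched; only the user-profile autostart, the DLL autostart, the disabled Security Center monitoring, the loopback proxy and the two files dropped into C:\WINDOWS are reported. On a real log the file-in-Windows-root rule will also pick up some legitimate installers, so treat the output as a worklist for a human, not a verdict.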

#3
February 20, 2010 at 17:43:48

Please go to Virus Total and upload the following files one at the time for analysis:

c:\windows\Mvata.bin

c:\windows\Npeluqerofi.dat

Use the browse button at the site to find the file; once you find the file, double click it and it should appear in the empty space to the left of the browse button > click "send file". If the file has already been analyzed, click the reanalyze button to have it checked again.

Post the results in your reply.



#4
February 21, 2010 at 01:51:44
The first file (Mvata.bin) only gave me this message, even though I tried it several times:

0 bytes size received / Se ha recibido un archivo vacio

------------------------------------------------------

The second file gave me this:

File Npeluqerofi.dat received on 2010.02.21 09:39:21 (UTC)
Result: 0/41 (0%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.21 -
AhnLab-V3 5.0.0.2 2010.02.20 -
AntiVir 8.2.1.170 2010.02.19 -
Antiy-AVL 2.0.3.7 2010.02.19 -
Authentium 5.2.0.5 2010.02.20 -
Avast 4.8.1351.0 2010.02.21 -
AVG 9.0.0.730 2010.02.21 -
BitDefender 7.2 2010.02.21 -
CAT-QuickHeal 10.00 2010.02.19 -
ClamAV 0.96.0.0-git 2010.02.21 -
Comodo 4010 2010.02.21 -
DrWeb 5.0.1.12222 2010.02.21 -
eSafe 7.0.17.0 2010.02.18 -
eTrust-Vet 35.2.7315 2010.02.20 -
F-Prot 4.5.1.85 2010.02.20 -
F-Secure 9.0.15370.0 2010.02.19 -
Fortinet 4.0.14.0 2010.02.20 -
GData 19 2010.02.21 -
Ikarus T3.1.1.80.0 2010.02.21 -
Jiangmin 13.0.900 2010.02.21 -
K7AntiVirus 7.10.979 2010.02.20 -
Kaspersky 7.0.0.125 2010.02.17 -
McAfee 5898 2010.02.20 -
McAfee+Artemis 5898 2010.02.20 -
McAfee-GW-Edition 6.8.5 2010.02.19 -
Microsoft 1.5406 2010.02.21 -
NOD32 4883 2010.02.20 -
Norman 6.04.08 2010.02.20 -
nProtect 2009.1.8.0 2010.02.20 -
Panda 10.0.2.2 2010.02.20 -
PCTools 7.0.3.5 2010.02.21 -
Prevx 3.0 2010.02.21 -
Rising 22.34.01.03 2010.02.11 -
Sophos 4.50.0 2010.02.21 -
Sunbelt 5690 2010.02.20 -
Symantec 20091.2.0.41 2010.02.21 -
TheHacker 6.5.1.5.202 2010.02.21 -
TrendMicro 9.120.0.1004 2010.02.21 -
VBA32 3.12.12.2 2010.02.21 -
ViRobot 2010.2.19.2194 2010.02.19 -
VirusBuster 5.0.27.0 2010.02.20 -
Additional information
File size: 120 bytes
MD5...: 8efeabdeec3de81c3dc42a2801ddf461
SHA1..: 02f1032b36b1546af5815cd03befd0aa5a09b008
SHA256: 643f2d4a4311c9af9f31a361a0e827c1aaa6520328d1374e2ee4a65e6e9a2a37
ssdeep: 3:yxKdWoWgX6USwmaF5ctU0RpukCHeh2XVh:ycFWgX6LVTDUHM2Fh
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Unknown!
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned



#5
February 21, 2010 at 13:15:05
Those appear to be clean.

Please run the BitDefender online scan this link:
Bitdefender Online Scanner

Click I Agree to agree to the EULA.
Allow the ActiveX control to install when prompted.
Click Click here to scan to begin the scan.
Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
When the scan is finished, click on Click here to export the scan results.
Save the report to your desktop so you can post it in your next reply.



#6
February 21, 2010 at 16:19:32
BitDefender Online Scanner

Scan report generated at: Sun, Feb 21, 2010 - 15:07:09
Scan path: C:\;D:\;

Statistics
Time: 00:48:05
Files: 166556
Folders: 8851
Boot Sectors: 0
Archives: 1674
Packed Files: 8365

Results
Identified Viruses: 3
Infected Files: 4
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 4

Engines Info
Virus Definitions: 5293437
Engine build: AVCORE v2.1 Windows/i386 11.0.0.33 (Nov 24 2009)
Scan plugins: 17
Archive plugins: 44
Unpack plugins: 8
E-mail plugins: 6
System plugins: 4

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\6.0\16\1318a250-6d6a35b1=>mz1/my/CL.class
Infected with: Java.Trojan.Exploit.Bytverify.I

C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\6.0\16\1318a250-6d6a35b1=>mz1/my/CL.class
Disinfection failed

C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\6.0\16\1318a250-6d6a35b1=>mz1/my/CL.class
Deleted

C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\6.0\16\1318a250-6d6a35b1
Updated

C:\Qoobox\Quarantine\C\Documents and Settings\David\Local Settings\Application Data\txyloj\jqhjsftav.exe.vir
Infected with: Trojan.Fakealert.6670

C:\Qoobox\Quarantine\C\Documents and Settings\David\Local Settings\Application Data\txyloj\jqhjsftav.exe.vir
Deleted

C:\System Volume Information\_restore{BF7B4EE0-1858-4316-B76D-E465B2C887F6}\RP1\A0001062.exe
Infected with: Trojan.Fakealert.6670

C:\System Volume Information\_restore{BF7B4EE0-1858-4316-B76D-E465B2C887F6}\RP1\A0001062.exe
Deleted

C:\WINDOWS\xpxtrx.dll
Infected with: Trojan.Generic.3175743

C:\WINDOWS\xpxtrx.dll
Deleted


#7
February 21, 2010 at 16:53:42
Looks good, a little clean-up to do.

Delete Rkill from your desktop.

Go to start> run> type in ComboFix /Uninstall (note the space after ComboFix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to start > control panel > system > system restore tab > check the box beside "turn off system restore" > apply (takes a minute) > ok. Go back and uncheck the box to turn system restore back on > apply > ok.

Next create a new restore point. Go to start > run > type in msconfig > ok > click launch system restore > check the circle beside "create a restore point" > next > name it today's date > create > click home > exit the system configuration utility > restart the computer.

You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

How is the computer operating?



#8
February 21, 2010 at 18:17:55
It is back to its normal state. Thank you so much!
