Computer security hi-jacked - WARNING!!

Posted by debi_2006 on Tue, Jun 12, 12 at 13:26

The culprit is fake security software called WINDOWS INSTANT SCANNER. This thing just showed up out of nowhere on my work laptop (Gateway, Vista). It pops up "detected" security messages to get you to buy the program in order to remove all the infected files/programs. It just shut off Windows Essential Security and I can't do anything. Luckily, I just ran SUPERAntiSpyware last week, which updated itself at that time, so I'm running that now to find the crap and get it gone!!! I switched my laptop's Internet connection to OFF, hoping that helps this thing not access my sh*t while I try to get control of the computer again. Upon research, I probably should have rebooted into Safe Mode to run the anti-spyware, but so much time has passed since I started it that I don't want to start over, unless someone thinks it's wise to. It usually takes 2 hours and I'm already 50 minutes into it.

While using my slow desktop to type this and check to see just what this Windows Instant Scanner is, I found it is nothing to play around with. It looks much like the authentic Windows Security alerts, so I can see how someone who's not so 'puter savvy might click on "Activate It" and purchase it to get rid of this thing. One of the detected messages states there is a keylogger on my computer. Upon research, it's one of the many alerts this program shows to force you to buy it.

Just warning everyone out there that it can suddenly appear and take over your anti-virus. Has anyone heard of or experienced it yet? I'll let you know how I make out with the SUPERAntiSpyware removal, but if anyone has other "clean up" ideas, I'm all ears.


Follow-Up Postings:

RE: Computer security hi-jacked - WARNING!!

I would also run Malwarebytes in addition to SAS. Be sure to update before running the scan. An online AV scanner might be a good idea too, since your MSE has been shut off. I don't have a link for one of these, but maybe RC or Owbist or someone else can give you a link. If you're not able to clean it up by yourself, or even just to make doubly sure it's gone, a visit to Lanzdown wouldn't be a bad idea.


RE: Computer security hi-jacked - WARNING!!

SUPERAntiSpyware found the virus and deleted all the files, but when I rebooted, it was still there. Uggg.


RE: Computer security hi-jacked - WARNING!!

Then assure yourself that SUPERAntiSpyware is up to date and run a FULL scan from Safe Mode. Tap F8 at startup and select the option to start in Safe Mode.

It might pay to install and run a full scan with Malwarebytes, as Grandms suggests, but not in Safe Mode.

This seems to be scareware, and so far I see no recognisable sites offering a fix, as the pest seems to have arrived just today. Not to say the sites listing it are bad, but I do not recognise them, 'nuff said.

Failing the above, I would download the Kaspersky Rescue CD .iso, burn it to a CD and use it to restart your computer, assuming your machine is set to check the CD/DVD drive as the first startup option. Then follow the instructions.


RE: Computer security hi-jacked - WARNING!!

Yes, when I ran SUPERAntiSpyware, it was up to date when it ran. I've been running an updated Malwarebytes for the last hour in Safe Mode (started well before I saw your post, Owbist). It has only found 2 detected objects so far, which is odd since there were 1596 with SUPERAntiSpyware.

Wondering if a system restore to an earlier time is an easy fix, or will fix it at all?


RE: Computer security hi-jacked - WARNING!!

Update: Just after posting the above message, Malwarebytes finished its full scan in Safe Mode and deleted the culprit. When I rebooted, MSE was back to working and everything appears to be fine from what I can tell.

If there is anything else I need to do to ensure that nasty virus is gone, let me know.

Thanks.


RE: Computer security hi-jacked - WARNING!!

DDS is a program that will scan your computer and create logs that can be used to display various startup, configuration, and file information from your computer.

The program will also display information about the computer that will allow us to quickly ascertain whether or not malware may be running on your computer.

To use DDS, simply download the executable and save it to your desktop or other location on your computer. You should then double-click on the DDS.scr icon to launch the program. DDS will then start to scan your computer and compile the information found into two log files. When DDS has finished it will launch the two Notepad windows that display the contents of these log files. The contents of these log files can then be attached to a reply.

See link for download

http://download.bleepingcomputer.com/sUBs/dds.scr


RE: Computer security hi-jacked - WARNING!!

Zep, both the link and the http address open up my pictures folder.


RE: Computer security hi-jacked - WARNING!!

Pretty odd indeed; both links work for me, so there's nothing wrong with them. They open a small box right here on this website and you click Save File and save it to the desktop. Anyway, let me get another link for you. There will be 2 logs produced; please post them both. I will look at them, and if I see an issue we need to send you to Lndz.

Here is a link that might be useful: download/dds


RE: Computer security hi-jacked - WARNING!!

DDS.txt

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by DK at 18:12:58 on 2012-06-12
Microsoft® Windows Vista® Home Premium 6.0.6002.2.1252.1.1033.18.3062.1241 [GMT -4:00]
. AV: Microsoft Security Essentials *Enabled/Updated* (9765EA51-0D3C-7DFB-6091-10E4E1F341F6)
SP: Windows Defender *Disabled/Updated* (D68DDC3A-831F-4fae-9E44-DA132C1ACF46)
SP: Microsoft Security Essentials *Enabled/Updated* (2C040BB5-2B06-7275-5A21-2B969A740B4B)
. ============== Running Processes ===============
. C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Users\DK\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\DK\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\DK\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Users\DK\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\DK\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Users\DK\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
. ============== Pseudo HJT Report ===============
. uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: (18df081c-e8ad-4283-a596-fa578c2ebdc3) - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: (53707962-6f74-2d53-2644-206d7942484f) - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: (72853161-30c5-4d22-b7f9-0bbc1d38a37e) - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Java(tm) Plug-In SSV Helper: (761497bb-d6f0-462c-b6eb-d4daf1d92d43) - c:\program files\java\jre6\bin\ssv.dll
BHO: Office Document Cache Handler: (b4f3a835-0e21-4959-ba22-42b3008e02ff) - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: (dbc80044-a445-435b-bc74-9c25c1c588a9) - c:\program files\java\jre6\bin\jp2ssv.dll
TB: (7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA) - No File
TB: (2318C2B1-4965-11D4-9B18-009027A5CD4F) - No File
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: (2670000A-7350-4f3c-8081-5663EE0C6C49) - (48E73304-E1D6-4330-914C-F5F514E3486C) - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: (789FE86F-6FC4-46A1-9849-EDE0DB0C95CA) - (FFFDC614-B694-4AE6-AB38-5D6374584B52) - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: (8AD9C840-044E-11D1-B3E9-00805F499D93) - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: (CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA) - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: (CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA) - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: (E2883E8F-472F-4FB0-9522-AC9BF37916A7) - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 71.242.0.12
TCP: Interfaces\(331C4984-7B67-4895-92BF-FBD07719C629) : DhcpNameServer = 192.168.1.1 71.242.0.12
Filter: text/xml - (807573E5-5146-11D5-A672-00B0D022E945) - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: intu-help-qb5 - (867FCB77-9823-4cd6-8210-D85F968D466F) - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - (FC598A64-626C-4447-85B8-53150405FD57) - c:\windows\system32\mscoree.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: (b5a7f190-dda6-4420-b3ba-52453494e6cd) - c:\progra~1\micros~2\office14\GROOVEEX.DLL
SEH: SABShellExecuteHook Class: (5ae067d3-9afb-48e0-853a-ebb7f4a000da) - c:\program files\superantispyware\SASSEH.DLL
. ============= SERVICES / DRIVERS ===============
. R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 171064]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-5-4 116608]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\verizon\iha_messagecenter\bin\Verizon_IHAMessageCenter.exe [2011-7-1 290832]
R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2011-8-19 1248256]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-10 4640000]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [2011-6-14 281088]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-18 257696]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
. =============== Created Last 30 ================
. 2012-06-12 20:05:54 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\(c63b0218-fda0-4f49-a66a-fbbac2d29431)\offreg.dll
2012-06-12 14:38:15 713784 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll
2012-06-12 14:38:15 713784 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\(94e954c4-9303-4459-aace-f4d82ef5da4b)\gapaengine.dll
2012-06-12 14:36:16 6737808 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\(c63b0218-fda0-4f49-a66a-fbbac2d29431)\mpengine.dll
2012-06-12 01:09:54 6737808 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-05-16 22:05:38 677136 ----a-w- c:\programdata\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll
. ==================== Find3M ====================
. 2012-05-04 17:57:10 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-04 17:57:09 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 19:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-03 08:16:12 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-03 08:16:11 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-02 13:36:21 2044928 ----a-w- c:\windows\system32\win32k.sys
2012-03-30 12:39:11 914304 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-03-29 13:39:19 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2012-03-25 17:34:20 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-21 00:44:12 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-21 00:44:12 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-03-20 23:28:50 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys
. ============= FINISH: 18:13:49.82 ===============

Attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
. DDS (Ver_2011-08-26.01)
. Microsoft® Windows Vista® Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 6/14/2011 9:30:53 PM
System Uptime: 6/12/2012 4:29:45 PM (2 hours ago)
. Motherboard: Gateway : :
Processor: Intel(R) Pentium(R) Dual CPU T2370 @ 1.73GHz : U2E1 : 1333/mhz
. ==== Disk Partitions =========================
. C: is FIXED (NTFS) - 298 GiB total, 207.691 GiB free.
D: is CDROM ()
E: is Removable
. ==== Disabled Device Manager Items =============
. ==== System Restore Points ===================
. RP405: 5/23/2012 11:07:30 AM - Windows Update
RP406: 5/24/2012 1:57:24 PM - Windows Update
RP407: 5/25/2012 5:02:37 PM - Windows Update
RP408: 5/26/2012 5:59:33 PM - Windows Update
RP409: 5/27/2012 6:32:30 PM - Windows Update
RP410: 5/28/2012 7:53:40 PM - Windows Update
RP411: 5/29/2012 11:27:49 AM - Windows Update
RP412: 5/30/2012 12:05:57 PM - Windows Update
RP413: 5/31/2012 12:35:48 PM - Windows Update
RP414: 6/1/2012 5:13:40 PM - Windows Update
RP415: 6/2/2012 10:49:47 AM - Windows Update
RP416: 6/3/2012 6:47:47 PM - Windows Update
RP417: 6/4/2012 11:25:04 AM - Windows Update
RP418: 6/4/2012 10:49:10 PM - Windows Update
RP419: 6/5/2012 4:54:34 PM - Windows Update
RP420: 6/6/2012 9:34:37 AM - Scheduled Checkpoint
RP421: 6/6/2012 11:11:02 AM - Windows Update
RP422: 6/7/2012 10:32:10 AM - Scheduled Checkpoint
RP423: 6/7/2012 12:15:48 PM - Windows Update
RP425: 6/7/2012 10:23:25 PM - Microsoft Antimalware Checkpoint
RP426: 6/8/2012 4:39:47 PM - Windows Update
RP427: 6/9/2012 4:43:40 PM - Windows Update
RP428: 6/10/2012 7:42:19 PM - Windows Update
RP429: 6/11/2012 9:08:02 PM - Windows Update
RP430: 6/12/2012 10:34:30 AM - Windows Update
RP432: 6/12/2012 11:29:23 AM - Microsoft Antimalware Checkpoint
RP433: 6/12/2012 5:35:38 PM - Windows Backup
. ==== Installed Programs ======================
. Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 11 ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader X (10.1.3)
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Brother MFL-Pro Suite MFC-490CW
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Google Chrome
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
IHA_MessageCenter
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
Java Auto Updater
Java(TM) 6 Update 31
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft IntelliPoint 8.1
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Security Client
Microsoft Security Essentials
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
PaperPort Image Printer
PDF-XChange Viewer
PDF Settings
PHOTOfunSTUDIO 5.0
QuickBooks
QuickBooks Pro 2012
REALTEK RTL8187SE Wireless LAN Driver
REALTEK USB Wireless LAN Driver
Samsung Kies
SAMSUNG USB Driver for Mobile Phones
ScanSoft PaperPort 11
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft Excel 2010 (KB2597166) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
Security Update for Microsoft Visio Viewer 2010 (KB2597981) 32-Bit Edition
Spybot - Search & Destroy 1.4
SUPERAntiSpyware
SupportSoft Assisted Service
Synaptics Pointing Device Driver
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Vz In Home Agent
WhoCrashed 3.04
WinRAR 4.01 (32-bit)
Works Suite OS Pack
Works Synchronization
. ==== Event Viewer Messages From Past Week ========
. 6/6/2012 11:19:35 AM, Error: Microsoft-Windows-PrintSpooler [6161] - The document CMO signed.pdf, owned by EC, failed to print on printer Brother MFC-490CW Printer. Try to print the document again, or restart the print spooler. Data type: NT EMF 1.008. Size of the spool file in bytes: 4007636. Number of bytes printed: 3175820. Total number of pages in the document: 3. Number of pages printed: 0. Client computer: \\DK-PC. Win32 error code returned by the print processor: 87. The parameter is incorrect.
6/12/2012 3:48:39 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
6/12/2012 2:45:43 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: (E60687F7-01A1-40AA-86AC-DB1CBF673334)
6/12/2012 2:25:42 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: (145B4335-FE2A-4927-A040-7C35AD3180EF)
6/12/2012 2:20:45 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: MpFilter SASDIFSV SASKUTIL spldr Wanarpv6
6/12/2012 2:20:45 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
6/12/2012 2:19:56 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: (9E175B6D-F52A-11D8-B9A5-505054503030)
6/12/2012 2:19:48 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: (1BE1F766-5536-11D1-B726-00C04FB926AF)
6/12/2012 2:19:42 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: (DD522ACC-F821-461A-A407-50B198B896DC)
. ==== End Of File ===========================


RE: Computer security hi-jacked - WARNING!!

Looks good, clean computer. Let's check for any leftovers with Malwarebytes.

Please download Malwarebytes' Anti-Malware to your desktop: click Here
Double-click mbam-setup.exe to install the application.
• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Quick Scan", then click Scan.
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy & paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


RE: Computer security hi-jacked - WARNING!!

I ran Malwarebytes in Safe Mode and that's what got rid of the virus (see posts above). Do you want me to run it again?

Also, the logs I posted are safe, meaning, from that info, people can't learn anything about me or my IP or anything else, right? My quick glance didn't show anything. Just checking.


RE: Computer security hi-jacked - WARNING!!

No, don't run Malwarebytes again; those logs you posted are safe. I'd like to see the Malwarebytes log.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. I want to see what it removed, and what it fixed.

Joe


RE: Computer security hi-jacked - WARNING!!

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.12.08

Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
DK :: DK-PC [administrator]

6/12/2012 2:32:15 PM
mbam-log-2012-06-12 (14-32-15).txt

Scan type: Full scan
Scan options enabled: Memory : Startup : Registry : File System : Heuristics/Extra : Heuristics/Shuriken : PUP : PUM
Scan options disabled: P2P
Objects scanned: 484369
Time elapsed: 1 hour(s), 13 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:Inspector (Rogue.FakeAV) -> Data: C:\Users\DK\AppData\Roaming\Protector-jivo.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\DK\AppData\Roaming\Protector-jivo.exe (Rogue.FakeAV) -> Quarantined and deleted successfully.

(end)
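
The Malwarebytes log above shows the whole persistence mechanism of this rogue: one HKCU Run value ("Inspector") pointing at an executable dropped in the user's AppData\Roaming folder. The DDS report earlier in the thread also shows a policy value, HideSCAHealth = 1 under the per-user explorer policies, that hides Security Center warnings, which is a common side effect of fake-AV installers. The script below is an added example, not part of this thread or of DDS or Malwarebytes; it parses DDS-style "Pseudo HJT Report" lines and flags Run entries whose binary lives in a user-writable directory, plus the HideSCAHealth policy. The sample input is constructed from the Run and policy lines in the posted DDS report, with one extra line for the "Inspector" value written in DDS style (DDS was run after cleanup, so that line does not appear in the real log). The directory lists are a heuristic chosen for this example, not a vendor's rule set.

```python
"""Flag fake-AV-style persistence in DDS "Pseudo HJT Report" lines.

Added example (not from the thread). Two heuristics drawn from the logs:
  1. a Run-key entry whose executable lives in a user-writable directory
     (the quarantined HKCU\...\Run "Inspector" value pointed at
     %AppData%\Roaming\Protector-jivo.exe);
  2. a policy value that hides Security Center warnings
     (HideSCAHealth = 1 under the explorer policies key).
"""
import re

# Constructed sample: the uRun/mRun and policy lines from the DDS report in
# this thread, plus one line for the "Inspector" value Malwarebytes removed,
# rendered in DDS style (DDS ran after cleanup, so it is not in the real log).
SAMPLE_LOG = r"""
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
uRun: [Inspector] c:\users\dk\appdata\roaming\Protector-jivo.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
"""

# DDS prefixes: u = HKCU (per-user), m = HKLM (machine-wide).
_RUN_RE = re.compile(r"^(?P<hive>[um])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
_POLICY_RE = re.compile(
    r"^(?P<hive>[um])Policies-(?P<key>\w+):\s*(?P<value>\w+)\s*=\s*(?P<data>\d+)")
# A command line is either "quoted path" args or an unquoted path (which may
# contain spaces) ending in an executable extension, followed by args.
_EXE_RE = re.compile(
    r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.+?\.(?:exe|scr|com|bat|cmd|pif|vbs|js)))',
    re.IGNORECASE)

# Locations a standard user can write to; legitimate vendors rarely register
# Run entries from these, while rogue-AV droppers almost always do (heuristic).
SUSPICIOUS_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                   "\\windows\\temp\\", "\\users\\public\\",
                   "\\programdata\\", "\\$recycle.bin\\")
# Per-user installs (Chrome, in this thread's process list) live here, so
# these only get a "review" rating rather than "suspicious".
REVIEW_DIRS = ("\\appdata\\local\\",)
# (policy key, value name) -> data that hides security warnings from the user.
SUSPICIOUS_POLICIES = {("explorer", "hidescahealth"): "1"}


def extract_exe(cmd):
    """Return the executable path from a Run-key command line, or None."""
    m = _EXE_RE.match(cmd.strip())
    if not m:
        return None
    return (m.group("quoted") or m.group("bare")).strip()


def classify_path(path):
    """'suspicious', 'review' or 'ok' depending on where the binary lives."""
    p = path.lower().replace("/", "\\")
    if any(d in p for d in SUSPICIOUS_DIRS):
        return "suspicious"
    if any(d in p for d in REVIEW_DIRS):
        return "review"
    return "ok"


def triage(log_text):
    """Scan DDS-style lines; return a list of (level, location, detail)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        run = _RUN_RE.match(line)
        if run:
            exe = extract_exe(run.group("cmd"))
            if exe is None:
                continue
            level = classify_path(exe)
            if level != "ok":
                hive = "HKCU" if run.group("hive") == "u" else "HKLM"
                findings.append((level, f"{hive}\\...\\Run [{run.group('name')}]", exe))
            continue
        pol = _POLICY_RE.match(line)
        if pol:
            key = (pol.group("key").lower(), pol.group("value").lower())
            if SUSPICIOUS_POLICIES.get(key) == pol.group("data"):
                hive = "HKCU" if pol.group("hive") == "u" else "HKLM"
                findings.append(("suspicious",
                                 f"{hive} Policies\\{pol.group('key')}\\{pol.group('value')}",
                                 f"= {pol.group('data')} (hides Security Center alerts)"))
    return findings


if __name__ == "__main__":
    for level, where, detail in triage(SAMPLE_LOG):
        print(f"[{level:10}] {where}: {detail}")
```

On the sample it reports exactly two findings: the "Inspector" Run value in AppData\Roaming and the HideSCAHealth policy; the Program Files and system32 entries from the real log pass. The "review" tier exists because a path heuristic alone cannot separate a per-user Chrome install from a dropper in the same tree, so those entries are meant to be checked by hand (publisher signature, file age) rather than removed automatically.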


RE: Computer security hi-jacked - WARNING!!

I expected more than that, but maybe not. When you get time, would you run the Malwarebytes scan in regular Normal mode just to be sure and see if it finds anything. If it does, post the log. If it does not find anything, then there's no need to post the log; just tell me the log is clean or does not show anything.

How is the computer running?


RE: Computer security hi-jacked - WARNING!!

Computer is running great, fast. No problems at all.


RE: Computer security hi-jacked - WARNING!!

Good! I guess the Rogue.FakeAV didn't get time to call all its friends to the party. Run the Malwarebytes scan. You should be good to go!


RE: Computer security hi-jacked - WARNING!!

LOL, I agree - no party here, at least that kind anyway.

I just ran a quick scan of Malwarebytes and all was clean. I'll run another complete scan tomorrow morning. I'll post with the outcome.

Thanks for your help, Mike. It's nice knowing there are helpful people like you out there.


RE: Computer security hi-jacked - WARNING!!

Thanks to grandms and Owbist as well. Don't want to forget anyone that helped/gave suggestions. Much appreciated.

