Fake Antivirus Virus Help Please Thanks =D

[invAZN]

Ok so i got hijackthis and superantispyware logs

Thanks

by the way is the Antivirus XP 2008 virus

[recovering disk space -- attachment deleted by admin]

[Broni]

You need to run Malwarebytes, post its log, and then, fresh HJT log.

[invAZN]

ok Malwarebyte log and fresh HJT log



[recovering disk space -- attachment deleted by admin]

[Broni]

You're running Sympatico Security Advisor, which I believe comes from Bell, includes antivirus, and a firewall, and I see some Norton leftovers.
What's the story behind this?

[invAZN]

what do u mean by that

my mom clicked on a fake antivirus wich is named XP antivirus 2008
i believe i got it removed
but i just wana double check

[Broni]

Let me rephrase....Is Sympatico Security Advisor your current antivirus, and firewall?

[invAZN]

yes

[Broni]

Very well. Let me proceed with your logs.

[Broni]

Download, and run Norton Removal Tool: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039
Post new HJT log.

[invAZN]

ok

[recovering disk space -- attachment deleted by admin]

[Broni]

*** You need to update Java:
http://java.sun.com/javase/downloads/index.jsp
Java Runtime Environment (JRE) 6 Update 7
Uninstall all previous versions of Java through Add\Remove.

*** Download, and run  CTFMON-Remover: http://www.gerhard-schlager.at/en/projects/ctfmonremover/
The CTFMON-Remover helps you removing the annoying CTFMON.EXE from your Windows operating system. The program is easy to use and displays whether the CTFMON.EXE is installed and running or not. If it was found then you can remove it within seconds. Just in case that you need the CTFMON sometime in the future there is also an option to restore the original one.
Note:The CTFMON.EXE is among other things responsible for changing the language schema of your keyboard (e.g. for switching between the German and English keyboard layout). So in case you are using this feature you shouldn't remove or disable the CTFMON.EXE!

*** Disable TeaTimer, as it'll interfere with the cleaning process:
Right click Spybot's TeaTimer System Tray Icon.
Click Exit Spybot-S&D Resident.
TeaTimer closes.

*** Disable Windows Defender, as it'll interfere with cleaning process:
   * Open Windows Defender
    * Click Tools
    * Click General Settings
    * Scroll down to Real Time Protection Options
    * Uncheck Turn on Real Time Protection
    * After you uncheck this, click on the Save button
    * Close Windows Defender

1. Print this post out, since you won't have an access to it, at some point.

2. Close all windows, except for HijackThis.

3. Put a checkmark next to the following HijackThis entries (some entries will be checkmarked to disable unnecessary startups; in those cases [marked with *], no actual program will be removed):

- O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
- *O4 - HKLM\..\Run: [HPHUPD08] "c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
- *O4 - HKLM\..\Run: [DISCover] "C:\Program Files\DISC\DISCover.exe"
- *O4 - HKLM\..\Run: [DiscUpdateManager] "C:\Program Files\DISC\DiscUpdateMgr.exe"
- *O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
- *O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
- O4 - HKLM\..\Run: [SMrhc5v5j0e14r] C:\Program Files\rhc5v5j0e14r\rhc5v5j0e14r.exe
- *O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
- *O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
- *O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
- O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
- *O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


4. Click on Fix checked button.

5. Restart computer in Safe Mode (keep tapping F8 key, when your computer starts, until menu appears)

6. Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.

7. Delete following files/folders (if present):

- rhc5v5j0e14r folder from C:\Program Files

8. Restart in Normal Mode.

9. Post new HijackThis log.

[invAZN]

 



[recovering disk space -- attachment deleted by admin]

[Broni]

Your computer is clean

1. Download, and install CCleaner: http://www.ccleaner.com/download/builds. Get "Slim" version.
Read CCleaner instruction here: http://www.jahewi.nl/ccleaner/ccleaner.html.
Run CCleaner.

2. Turn off System Restore:

- Windows XP:
   1. Click Start.
   2. Right-click the My Computer icon, and then click Properties.
   3. Click the System Restore tab.
   4. Check "Turn off System Restore".
   5. Click Apply.   
   6.  When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
   7. Click OK.
- Windows Vista:
   1. Click Start.
   2. Right-click the Computer icon, and then click Properties.
   3. Click on System Protection under the Tasks column on the left side
   4. Click on Continue on the "User Account Control" window that pops up
   5. Under the System Protection tab, find Available Disks
   6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
   7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
   8. Click OK

3. Restart computer.

4. Turn System Restore on.

5. Download, and install McAfee SiteAdvisor: http://www.siteadvisor.com/download/ff.html. It'll warn you (in most cases) about dangerous web sites.

6. (optional) Download, and install free version of ThreatFire: http://www.threatfire.com/. It'll give you an extra protection against malwares. It won't interfere with your antivirus program

7. Read "So how did I get infected in the first place?": http://www.castlecops.com/postlite7736-.html

8. Let me know, how your computer is doing.

[Jtquad]

Is this the annoying popup with the red circle and the X saying windows has detected spyware infection? If so this is what i have and will follow the list above if someone can review the logs - JT

[evilfantasy]

Jtquad it is not advised to use someone elses thread for reference.

Start here and post the logs in your own thread when complete, not this one.