Author Topic: sigh another fake antivirus (Read 4888 times)

invAZN · « **on:** August 23, 2008, 10:44:18 PM »

thanks

[recovering disk space -- attachment deleted by admin]

evilfantasy · « **Reply #1 on:** August 23, 2008, 11:41:11 PM »

You are going to have to install some antivirus before we continue. It is pointless to try and remove any malware (and there is a lot left) without having the proper protection.

First:

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis and restart the computer to register the changes made by HijackThis.

----------

Now install a FREE antivirus.

Remember to only install one antivirus!

1) Avast! Home Free Edition
2) AVG Free Edition
3) Avira AntiVir Personal
4) Comodo Antivirus
5) PC Tools AntiVirus Free Edition

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

After that, please run a new HijackThis scan and post the log.

invAZN · « **Reply #2 on:** August 24, 2008, 08:31:16 AM »

i already have a anti virus, its sympatico security manager
heres another log

[recovering disk space -- attachment deleted by admin]

evilfantasy · « **Reply #3 on:** August 24, 2008, 10:02:30 AM »

To be quite honest I would consider another antivirus solution. There are free ones which offer much better protection then the one you have now. It's not just your PC at risk but your personal information as well.

Download SDFix by AndyManchesta and save it to your desktop.

When using this tool, you must use the Administrator's account or an account with Administrative rights

Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix).
DO NOT use it just yet.

Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.

Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.

invAZN · « **Reply #4 on:** August 24, 2008, 11:13:02 AM »

wow thanks

[recovering disk space -- attachment deleted by admin]

evilfantasy · « **Reply #5 on:** August 24, 2008, 11:38:59 AM »

That cleared a lot but there is still plenty left.

Download ComboFix by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

invAZN · « **Reply #6 on:** August 24, 2008, 01:54:22 PM »

[recovering disk space -- attachment deleted by admin]

evilfantasy · « **Reply #7 on:** August 24, 2008, 02:06:18 PM »

Disable Windows Defender

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

Open Windows Defender
Click on Tools, General Settings
Scroll down and uncheck Turn on real-time protection (recommended)
After you uncheck this, click on the Save button and close Windows Defender.

After all of the fixes are complete it is very important that you enable Real-time Protection again.

----------

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- O2 - BHO: (no name) - {3CBB991F-3696-48D8-AC44-ED511EAEB4BC} - C:\WINDOWS\system32\xxyyaayW.dll
- O2 - BHO: D - {B00E6E6D-C2B1-3A27-BA27-7F01DC55C412} - C:\WINDOWS\kx48657.dll
- O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
- O20 - AppInit_DLLs: uaevax.dll hxnekn.dll

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.

Click Start , then Run
Type notepad.exe in the Run Box.

2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]

KillAll::

File::
C:\WINDOWS\system32\xxyyaayW.dll
C:\WINDOWS\kx48657.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CBB991F-3696-48D8-AC44-ED511EAEB4BC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B00E6E6D-C2B1-3A27-BA27-7F01DC55C412}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to freeze

invAZN · « **Reply #8 on:** August 24, 2008, 08:16:43 PM »

[recovering disk space -- attachment deleted by admin]

evilfantasy · « **Reply #9 on:** August 24, 2008, 08:51:17 PM »

Download ATF Cleaner by Atribune to your Desktop.

Alternate download link

Note: Vista users must use Run As Administrator

Under Main: Select Files to Delete choose: Select All.
Click the Empty Selected button.
If you use Firefox browser click Firefox at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords click No at the prompt.
If you use Opera browser click Opera at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords click No at the prompt.
Click Exit on the Main menu to close the program.

Note that your system will run slower for a reboot or two after having used this tool so don't panic.

Important: Restart the computer before continuing.

----------

How is everything now?

Computer Hope Forum

News: