
Author Topic: Help with Windows Security Alert virus  (Read 9806 times)


JeepMan

    Topic Starter


    Greenhorn

    Help with Windows Security Alert virus
    « on: April 23, 2010, 07:56:56 PM »
    I am having trouble opening any files, especially .exe files, or updating my virus protection, etc. Please help!

    SuperDave, you commented on a similar problem a while back, post titled:  Application cannot be executed. The file *** is infected. on: November 16, 2009, 09:44:38 AM

    I am reluctant to follow suggestions without expert advice.... Thanks in advance!
    « Last Edit: April 23, 2010, 08:16:14 PM by JeepMan »

    Dr Jay

    • Malware Removal Specialist


    • Specialist
    • Moderator emeritus
    • Thanked: 119
    • Experience: Guru
    • OS: Windows 10
    Re: Help with Windows Security Alert virus
    « Reply #1 on: April 23, 2010, 11:02:48 PM »
    Hello.

    RKill by Grinler
    Link #1
    Link #2
    Link #3
    • Download Link #1.
    • Save it to your Desktop.
    • Double click the RKill desktop icon.
      If you are using Vista please right click and run as Admin!
    • A black screen will briefly flash indicating a successful run.
    • If this does not occur please delete that application and download Link #2.
    • Continue process until the tool runs.
    • If the tool does not run from any of the links tell me about it.
    This only kills the active infection, the actual infection will not be gone.

    ==============

    Please visit this webpage for a tutorial on downloading and running ComboFix:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    See the area: Using ComboFix, and when done, post the log back here.
    ~Dr Jay

    JeepMan


      Re: Help with Windows Security Alert virus
      « Reply #2 on: April 24, 2010, 05:45:04 AM »
      DragonMaster Jay,

      Link#1 is no longer a valid page. Therefore, I downloaded Link 2 but it would not run, same for Link 3. I have them saved on my desktop but when I dbl click the icon a black window opens for one second then closes, after which I get a Security Warning window that reads: Application cannot be executed. the file rkill(2).com is infected. Do you want to activate your antivirus software now?

      I figured that I should shut down my virus protection so I can download and run the links, but every time I try to access Add or Remove Programs it is shut down automatically.

      Hope you can help, thanks.

      Dr Jay

      Re: Help with Windows Security Alert virus
      « Reply #3 on: April 24, 2010, 07:14:29 AM »
      Please try this:

      • Start Task Manager (Ctrl+Alt+Delete)
      • Then find the following two processes:
                                   av.exe
                                   ave.exe

      • Once found, right-click on each of them and select End Process

      • Once done, try the tools again.
      ~Dr Jay

      JeepMan


        Re: Help with Windows Security Alert virus
        « Reply #4 on: April 24, 2010, 10:52:40 AM »
        When I ctrl alt delete it brings up the window with the Task Manager tab, but when I click the tab it is automatically closed and a warning "Windows Security alert" appears. The virus will not allow me to open or run Task Manager.

        Dr Jay

        Re: Help with Windows Security Alert virus
        « Reply #5 on: April 24, 2010, 11:40:12 AM »
        Let's try to run ComboFix in a different mode.

        Please reboot to Safe Mode with Networking (tap the F8 key just before Windows starts to load and select the Safe Mode with Networking option from the menu).

        Please visit this webpage for a tutorial on downloading and running ComboFix:

        http://www.bleepingcomputer.com/combofix/how-to-use-combofix

        See the area: Using ComboFix, and when done, post the log back here.
        ~Dr Jay

        JeepMan


          Re: Help with Windows Security Alert virus
          « Reply #6 on: April 24, 2010, 03:15:54 PM »
          DragonMaster Jay, here is the post. I started the system in safe mode and first ran the rkill program, which seemed to work. After that I ran the ComboFix and here is the log:

          ComboFix 10-04-21.01 - ppratt 04/24/2010  17:00:00.1.2 - x86 NETWORK
          Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.677 [GMT -4:00]
          Running from: c:\documents and settings\Cressida Silvers\Desktop\ComboFix.exe
          AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
          .

          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          c:\documents and settings\Cressida Silvers\Local Settings\Application Data\hmsnddgyf\vixqnsftssd.exe
          c:\windows\asam.exe
          c:\windows\eSellerateEngine.dll
          c:\windows\herjek.config

          .
          (((((((((((((((((((((((((   Files Created from 2010-03-24 to 2010-04-24  )))))))))))))))))))))))))))))))
          .

          2010-04-23 17:43 . 2010-04-23 17:43   61184   ----a-w-   c:\documents and settings\Cressida Silvers\Local Settings\Application Data\syssvc.exe
          2010-04-23 17:41 . 2010-04-24 21:04   --------   d-----w-   c:\documents and settings\Cressida Silvers\Local Settings\Application Data\hmsnddgyf
          2010-04-10 23:51 . 2010-04-10 23:51   --------   d-----w-   c:\program files\WindSolutions
          2010-04-10 23:51 . 2010-04-10 23:54   --------   d-----w-   c:\documents and settings\Cressida Silvers\Application Data\WindSolutions
          2010-04-10 23:51 . 2010-04-10 23:51   --------   d-----w-   c:\documents and settings\All Users\Application Data\WindSolutions

          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2010-04-24 20:33 . 2008-07-18 16:05   --------   d-----w-   c:\program files\Symantec AntiVirus
          2010-04-22 16:39 . 2010-01-05 21:10   40252   ---ha-w-   c:\windows\system32\mlfcache.dat
          2010-04-16 00:19 . 2005-10-20 14:25   --------   d-----w-   c:\program files\Mozilla Thunderbird
          2010-03-25 18:14 . 2005-04-22 19:08   46800   ----a-w-   c:\documents and settings\Cressida Silvers\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
          2010-03-10 06:15 . 2005-06-22 17:52   420352   ----a-w-   c:\windows\system32\vbscript.dll
          2010-02-25 06:24 . 2005-06-22 17:52   916480   ----a-w-   c:\windows\system32\wininet.dll
          2010-02-24 13:11 . 2005-06-22 17:49   455680   ------w-   c:\windows\system32\drivers\mrxsmb.sys
          2010-02-19 23:47 . 2010-02-19 23:47   3604480   ----a-w-   c:\windows\system32\GPhotos.scr
          2010-02-16 14:08 . 2004-08-03 23:18   2146304   ------w-   c:\windows\system32\ntoskrnl.exe
          2010-02-16 13:25 . 2004-08-03 22:59   2024448   ------w-   c:\windows\system32\ntkrnlpa.exe
          2010-02-12 04:33 . 2005-06-22 17:46   100864   ------w-   c:\windows\system32\6to4svc.dll
          2010-02-11 12:02 . 2005-06-22 17:51   226880   ------w-   c:\windows\system32\drivers\tcpip6.sys
          2010-02-09 19:57 . 2010-02-09 19:57   45056   ----a-w-   c:\documents and settings\Cressida Silvers\Application Data\Sun\Java\Deployment\cache\javaws\http\Dqedoc.net\P80\DMqqp\RNlibraries.jar\jniwrap.dll
          2005-07-01 15:55 . 2005-07-01 15:55   2649   ----a-w-   c:\program files\Psyllids at Andytown update.eml
          2004-05-19 13:51 . 2006-08-31 17:41   10339   ----a-w-   c:\program files\sas91_859417.txt
          .

          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "Google Update"="c:\documents and settings\Cressida Silvers\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-19 135664]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
          "InCD"="c:\program files\Ahead\InCD\InCD.exe" [2003-12-17 1241138]
          "SoundMan"="SOUNDMAN.EXE" [2004-08-30 69632]
          "HP SchedIndexer"="c:\program files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe" [2002-01-03 94208]
          "HP AutoIndexer"="c:\program files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe" [2002-01-03 90112]
          "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
          "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
          "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
          "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-08 125368]
          "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-05-20 244208]
          "DMXLauncher"="c:\program files\Roxio\CinePlayer\DMXLauncher.exe" [2008-04-07 113136]
          "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
          "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

          [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
          "RunNarrator"="Narrator.exe" [2008-04-14 53760]
          "MPlayer2_FixUp"="c:\windows\inf\unregmp2.exe" [2008-04-14 208896]

          c:\documents and settings\ppratt\Start Menu\Programs\Startup\
          HotSync Manager.LNK - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]

          c:\documents and settings\Cressida Silvers\Start Menu\Programs\Startup\
          HotSync Manager.LNK - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]

          c:\documents and settings\All Users\Start Menu\Programs\Startup\
          Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2005-7-7 25214]
          Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-6-30 113664]
          HP LaserJet Director.lnk - c:\program files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe [2005-6-28 204800]
          hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
          "filteradministratortoken"= 1 (0x1)
          "ReportControllerMissing"= 1 (0x1)
          "LogonType"= 0 (0x0)

          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
          "PreXPSP2ShellProtocolBehavior"= 0 (0x0)
          "NoMSAppLogo5ChannelNotify"= 1 (0x1)
          "NoWebServices"= 1 (0x1)
          "NoOnlinePrintsWizard"= 1 (0x1)
          "NoPublishingWizard"= 1 (0x1)
          "NoWelcomeScreen"= 1 (0x1)

          [HKEY_LOCAL_MACHINE\software\microsoft\security center]
          "AntiVirusOverride"=dword:00000001

          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
          "DisableMonitoring"=dword:00000001

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "%windir%\\system32\\sessmgr.exe"=
          "c:\\Program Files\\Gateway\\HPA\\GWMenu.exe"=
          "c:\\Program Files\\SAS\\SAS 9.1\\sas.exe"=
          "c:\\Program Files\\Retrospect\\Retrospect Client\\retroclient.exe"=
          "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
          "c:\\Program Files\\iTunes\\iTunes.exe"=
          "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
          "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

          S2 Retrospect Client;Retrospect Client;c:\program files\Retrospect\Retrospect Client\RemotSvc.exe [3/20/2006 10:39 AM 61440]
          S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [5/20/2008 9:15 AM 362992]
          S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [5/20/2008 9:13 AM 309744]
          S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [5/20/2008 9:13 AM 166384]
          S2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 8:48 PM 116664]
          S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [8/15/2009 1:31 PM 17149]
          S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/13/2009 11:54 AM 101936]
          S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [5/20/2008 9:15 AM 313840]
          S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [5/20/2008 9:12 AM 1120752]
          S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [8/15/2009 1:31 PM 384608]
          .
          Contents of the 'Scheduled Tasks' folder

          2010-04-21 c:\windows\Tasks\AppleSoftwareUpdate.job
          - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

          2010-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-861567501-682003330-1003Core.job
          - c:\documents and settings\Cressida Silvers\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-19 22:41]

          2010-04-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-861567501-682003330-1003UA.job
          - c:\documents and settings\Cressida Silvers\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-19 22:41]
          .
          .
          ------- Supplementary Scan -------
          .
          uDefault_Search_URL = hxxp://www.google.com/ie
          uInternet Settings,ProxyOverride = <local>
          uInternet Settings,ProxyServer = http=127.0.0.1:5555
          uSearchAssistant = hxxp://www.google.com/ie
          uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
          IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
          IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
          IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
          IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
          IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
          IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
          IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
          IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
          IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
          IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
          DPF: {CAFECAFE-0013-0001-0017-ABCDEFABCDEF}
          FF - ProfilePath - c:\documents and settings\Cressida Silvers\Application Data\Mozilla\Firefox\Profiles\w1zfhx73.Default User 2\
          FF - prefs.js: browser.startup.homepage - hxxp://cnn.com
          FF - plugin: c:\documents and settings\Cressida Silvers\Application Data\Move Networks\plugins\npqmp071505000011.dll
          FF - plugin: c:\documents and settings\Cressida Silvers\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
          FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
          FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
          FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
          FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
          FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
          FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
          FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
          FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
          FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
          FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJinit13117.dll
          FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

          ---- FIREFOX POLICIES ----
          c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
          c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
          c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
          c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
          .
          - - - - ORPHANS REMOVED - - - -

          HKCU-Run-chwgonkc - c:\documents and settings\Cressida Silvers\Local Settings\Application Data\hmsnddgyf\vixqnsftssd.exe
          HKCU-Run-asam - c:\windows\asam.exe
          HKLM-Run-chwgonkc - c:\documents and settings\Cressida Silvers\Local Settings\Application Data\hmsnddgyf\vixqnsftssd.exe
          HKLM-Run-asam - c:\windows\asam.exe
          AddRemove-McAfee Security Scan - c:\program files\McAfee Security Scan\uninstall.exe



          **************************************************************************

          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2010-04-24 17:07
          Windows 5.1.2600 Service Pack 3 NTFS

          scanning hidden processes ... 

          scanning hidden autostart entries ...

          scanning hidden files ... 

          scan completed successfully
          hidden files: 0

          **************************************************************************
          .
          --------------------- DLLs Loaded Under Running Processes ---------------------

          - - - - - - - > 'winlogon.exe'(772)
          c:\windows\system32\Ati2evxx.dll
          .
          Completion time: 2010-04-24  17:10:19
          ComboFix-quarantined-files.txt  2010-04-24 21:10

          Pre-Run: 8,021,364,736 bytes free
          Post-Run: 12,825,636,864 bytes free

          WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
          [boot loader]
          timeout=2
          default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
          [operating systems]
          c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
          multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

          - - End Of File - - EB5129E6AA2056EE64DF83BE96E018F7


          Dr Jay

          Re: Help with Windows Security Alert virus
          « Reply #7 on: April 25, 2010, 02:51:16 AM »
          Please download Malwarebytes Anti-Malware from Malwarebytes.org.
          Alternate link: BleepingComputer.com.
          (Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

          Double Click mbam-setup.exe to install the application.

          (Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)
          • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
          • If an update is found, it will download and install the latest version.
          • Once the program has loaded, select "Perform Full Scan", then click Scan.
          • The scan may take some time to finish, so please be patient.
          • When the scan is complete, click OK, then Show Results to view the results.
          • Make sure that everything is checked, and click Remove Selected.
          • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
          • Please save the log to a location you will remember.
          • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
          • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
          • Copy and paste the entire report in your next reply.
          ~Dr Jay

          JeepMan


            Re: Help with Windows Security Alert virus
            « Reply #8 on: April 26, 2010, 04:44:18 AM »
            DragonMaster Jay, here is the log from the Malwarebytes program:

            Malwarebytes' Anti-Malware 1.45
            www.malwarebytes.org

            Database version: 4036

            Windows 5.1.2600 Service Pack 3
            Internet Explorer 8.0.6001.18702

            4/26/2010 6:42:51 AM
            mbam-log-2010-04-26 (06-42-51).txt

            Scan type: Full scan (C:\|)
            Objects scanned: 323637
            Time elapsed: 1 hour(s), 59 minute(s), 21 second(s)

            Memory Processes Infected: 0
            Memory Modules Infected: 0
            Registry Keys Infected: 0
            Registry Values Infected: 0
            Registry Data Items Infected: 0
            Folders Infected: 0
            Files Infected: 3

            Memory Processes Infected:
            (No malicious items detected)

            Memory Modules Infected:
            (No malicious items detected)

            Registry Keys Infected:
            (No malicious items detected)

            Registry Values Infected:
            (No malicious items detected)

            Registry Data Items Infected:
            (No malicious items detected)

            Folders Infected:
            (No malicious items detected)

            Files Infected:
            C:\Documents and Settings\Cressida Silvers\Local Settings\Application Data\syssvc.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
            C:\Qoobox\Quarantine\C\Documents and Settings\Cressida Silvers\Local Settings\Application Data\hmsnddgyf\vixqnsftssd.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
            C:\Qoobox\Quarantine\C\WINDOWS\asam.exe.vir (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
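
Added example, not part of the original thread: a short Python triage of the ComboFix log from Reply #6. It cross-checks the removed Run entries against the deleted files and lists executables created in the report window under the user profile that ComboFix left in place; on this log that is syssvc.exe, the file the Malwarebytes scan above then detected. The function names, the profile-path heuristic and the shortened section banners in the sample are assumptions of this example.

```python
import re

# Constructed excerpt: lines copied from the ComboFix log in Reply #6,
# with the section banners shortened.
SAMPLE_LOG = r"""
(((((((   Other Deletions   )))))))
.
c:\documents and settings\Cressida Silvers\Local Settings\Application Data\hmsnddgyf\vixqnsftssd.exe
c:\windows\asam.exe
c:\windows\herjek.config
.
(((((((   Files Created from 2010-03-24 to 2010-04-24  )))))))
.
2010-04-23 17:43 . 2010-04-23 17:43   61184   ----a-w-   c:\documents and settings\Cressida Silvers\Local Settings\Application Data\syssvc.exe
2010-04-23 17:41 . 2010-04-24 21:04   --------   d-----w-   c:\documents and settings\Cressida Silvers\Local Settings\Application Data\hmsnddgyf
2010-04-10 23:51 . 2010-04-10 23:51   --------   d-----w-   c:\program files\WindSolutions
.
(((((((   Find3M Report   )))))))
.
2010-02-19 23:47 . 2010-02-19 23:47   3604480   ----a-w-   c:\windows\system32\GPhotos.scr
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-chwgonkc - c:\documents and settings\Cressida Silvers\Local Settings\Application Data\hmsnddgyf\vixqnsftssd.exe
HKLM-Run-asam - c:\windows\asam.exe
AddRemove-McAfee Security Scan - c:\program files\McAfee Security Scan\uninstall.exe
"""

# Section banners look like "(((  Name  )))" or "- - - - NAME - - - -".
HEADER = re.compile(r"^(?:\({3,}|-[- ]{3,})\s*(.*?)\s*(?:\){3,}|[- ]{3,}-)$")
# "created . modified   size   attributes   path"
CREATED = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} "
                     r"\d{2}:\d{2}\s+(\S+)\s+(\S+)\s+(.+)$")
RUN_ORPHAN = re.compile(r"^(HKCU|HKLM)-Run-(.+?) - (.+)$")
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".sys")
PROFILE_ROOT = "c:\\documents and settings\\"  # Windows XP profile root, as in the log


def parse_combofix(text):
    """Collect deleted paths, newly created entries and removed Run entries."""
    parsed = {"deleted": set(), "created": [], "orphans": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        header = HEADER.match(line)
        if header:
            section = header.group(1).lower()
        elif section == "other deletions":
            parsed["deleted"].add(line.lower())
        elif section and section.startswith("files created"):
            m = CREATED.match(line)
            if m:
                parsed["created"].append({"date": m.group(1),
                                          "is_dir": m.group(3).startswith("d"),
                                          "path": m.group(4).lower()})
        elif section == "orphans removed":
            m = RUN_ORPHAN.match(line)
            if m:
                parsed["orphans"].append((m.group(1), m.group(2), m.group(3).lower()))
    return parsed


def leftover_candidates(parsed):
    """Heuristic (an assumption of this example): executables created in the
    report window under a user profile that ComboFix did not delete."""
    return [e["path"] for e in parsed["created"]
            if not e["is_dir"] and e["path"].endswith(EXEC_EXT)
            and e["path"].startswith(PROFILE_ROOT)
            and e["path"] not in parsed["deleted"]]


def unresolved_orphans(parsed):
    """Removed Run entries whose target file is not among the deleted files."""
    return [o for o in parsed["orphans"] if o[2] not in parsed["deleted"]]


if __name__ == "__main__":
    result = parse_combofix(SAMPLE_LOG)
    print("review:", leftover_candidates(result))
    print("Run entries without a deleted target:", unresolved_orphans(result))
```
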

            Dr Jay

            Re: Help with Windows Security Alert virus
            « Reply #9 on: April 26, 2010, 07:57:27 PM »
            Please run a free online scan with the ESET Online Scanner
            • Tick the box next to YES, I accept the Terms of Use
            • Click Start
            • When asked, allow the ActiveX control to install
            • Click Start
            • Make sure that the options Remove found threats and Scan unwanted applications are checked
            • Click Scan (This scan can take several hours, so please be patient)
            • Once the scan is completed, you may close the window
            • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
            • Copy and paste that log as a reply to this topic
            ~Dr Jay