LandzDown Forum

Security => Analysis and Malware Removal => Topic started by: Sebstian on June 13, 2011, 01:24:16 AM

Title: Fake Security Protection Virus
Post by: Sebstian on June 13, 2011, 01:24:16 AM
A Fake Security Protection program started and I was no longer able to open any programs on my computer. Anytime I attempted to open a program the icon on the bottom left of my screen said it was infected with the W32/Blaster.worm. I could not open Task Manager or anything. Right upon startup I received a Dialog Box stating "Error loading \3\DLCXtime.dll". Then the security program started up running a scan saying a bunch of files were infected. Thank you so much for looking into this. This website seems to be very informative and I am very happy I found you guys! Here are the requested logs per your instructions.

What I have done: Ran a full scan on Spybot. It only found two tracking cookies, which I can't recall what they were. The last thing I remember doing was updating Firefox, since I have not used that in some time.

I am running Windows Vista.
-------------------------------------------------------------------------------
Results of screen317's Security Check version 0.99.13  
Windows Vista Service Pack 2 (UAC is disabled!)
Internet Explorer 8  
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!  
Norton AntiVirus    
Norton Internet Security (Symantec Corporation)  
Norton Internet Security    
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

MVPS Hosts File  
Spybot - Search & Destroy
Java(TM) SE Runtime Environment 6
Out of date Java installed!
Flash Player Out of Date!
Adobe Flash Player    10.0.12.36  
Adobe Reader 8.1.5
Out of date Adobe Reader installed!
Mozilla Firefox (3.0.6) Firefox Out of Date!  
````````````````````````````````
Process Check:  
objlist.exe by Laurent

``````````End of Log````````````
------------------------------------------------------------------------------
.
DDS (Ver_2011-06-12.02) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.19048
Run by The Garcia at 17:53:32 on 2011-06-12
Microsoft® Windows Vista™ Ultimate   6.0.6002.2.1252.1.1033.18.2022.1429 [GMT -7:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\windows defender\MpCmdRun.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Security Protection] c:\programdata\defender.exe
mRun: [OEM07Mon.exe] c:\windows\OEM07Mon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [<NO NAME>]
mRun: [dlcxmon.exe] "c:\program files\dell photo aio printer 926\dlcxmon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [DLCXCATS] rundll32 \3\DLCXtime.dll,_RunDLLEntry@16
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\setpoint.lnk - c:\program files\setpoint\SetPoint.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} - hxxp://www.solidworks.com/sw/support/subscription/sldimdownload.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{55C8EE4C-9F69-46E6-AC82-97253DBE1994} : DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{5C7A113B-D8AF-4078-A364-9B9B0472C2CE} : DhcpNameServer = 192.168.2.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
mASetup: {7070D8E0-650A-46b3-B03C-9497582E6A74} - %SystemRoot%\system32\soundschemes.exe /AddRegistration
mASetup: {B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24} - %SystemRoot%\system32\soundschemes2.exe /AddRegistration
Hosts: 127.0.0.1   www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\the garcia\appdata\roaming\mozilla\firefox\profiles\p86y9o1v.default\
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ZangoSA.dll
FF - plugin: c:\users\the garcia\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\users\the garcia\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: XULRunner: {2C21CF44-DA74-4A66-B649-C18943E25356} - c:\users\the garcia\appdata\local\{2C21CF44-DA74-4A66-B649-C18943E25356}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R3 DLXPDisplayName;DLXPDisplayName;c:\windows\system32\drivers\DLACPI.sys [2008-10-16 14656]
R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2008-10-16 5632]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20091110.002\IDSvix86.sys [2009-11-12 272432]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2007-2-12 208896]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-12-3 21504]
S2 gupdate1c9a44f9c7c1900;Google Update Service (gupdate1c9a44f9c7c1900);c:\program files\google\update\GoogleUpdate.exe [2009-3-13 133104]
S2 MCLServiceATL;Intel(R) Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2007-6-27 157912]
S2 NMSCore;Intel(R) NMSCore;c:\program files\common files\intel\inteldh\nms\nmscore\NMSCore.exe [2007-6-27 317656]
S2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2007-2-18 5376]
S2 QualityManager;Intel(R) Quality Manager;c:\program files\intel\inteldh\intel media server\media server\bin\QualityManager.exe [2007-6-27 272600]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\solidworks corp\solidworks\swscheduler\DTSCoordinatorService.exe [2009-3-19 83240]
S3 CXSONORA;AVerMedia 23885 AvStream Video Capture;c:\windows\system32\drivers\A885VCap.sys [2008-10-16 733824]
S3 DHTRACE;Intel(R) DHTrace Controller;c:\program files\common files\intel\inteldh\bin\DHTraceController.exe [2007-6-27 39640]
S3 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-10-16 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-3-13 133104]
S3 OEM07Vfx;Creative Camera OEM007 Video VFX Driver;c:\windows\system32\drivers\OEM07Vfx.sys [2008-10-16 7424]
S3 OEM07Vid;Creative Camera OEM007 Driver;c:\windows\system32\drivers\OEM07Vid.sys [2008-10-16 235552]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2008-12-4 1251720]
S3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2008-10-3 37936]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
SUnknown CDAVFS;CDAVFS;
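As an added triage example (not code from this thread, from DDS or from Security Check), the script below reads the autostart lines of a DDS "Pseudo HJT Report" like the one above and flags the items the responder later acts on: a program autostarting from a user-writable folder (c:\programdata\defender.exe), a rundll32 entry whose DLL path is not absolute, the EnableLUA = 0 policy showing that UAC is disabled, and orphaned "No File" entries. The sample lines are copied from the log above; the severity labels and the list of writable folders are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" above,
# plus two clean mRun/uRun lines for contrast.
SAMPLE_DDS = r"""
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Security Protection] c:\programdata\defender.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [<NO NAME>]
mRun: [DLCXCATS] rundll32 \3\DLCXtime.dll,_RunDLLEntry@16
mPolicies-system: EnableLUA = 0 (0x0)
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
"""

# Assumed list of folders an unprivileged process can write to. A program that
# autostarts from one of these deserves a second look (the rogue above lived in
# c:\programdata). Extend for your own environment.
USER_WRITABLE = ("c:\\programdata", "\\appdata\\", "\\temp\\", "c:\\users\\")

RUN_RE = re.compile(r"^([um])Run: \[(.*?)\]\s*(.*)$")
POLICY_RE = re.compile(r"^mPolicies-system: EnableLUA = (\d)")
NOFILE_RE = re.compile(r"^(BHO|TB|EB): (\{[0-9a-fA-F-]+\}) - No File$")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info" (assumed labels)
    line: str
    reason: str


def _target_path(cmd):
    """Return the executable/DLL path from a Run value, stripping quotes and rundll32."""
    cmd = cmd.strip().strip('"')
    if cmd.lower().startswith("rundll32"):
        # rundll32 <dll>,<entry point>: only the DLL part is a path
        cmd = cmd[len("rundll32"):].strip().split(",")[0]
    return cmd.strip('"')


def triage(report):
    """Walk a DDS report and return a list of Finding objects in line order."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            _hive, _name, cmd = m.groups()
            if not cmd:
                findings.append(Finding("info", line, "empty Run value (leftover entry)"))
                continue
            path = _target_path(cmd)
            low = path.lower()
            if any(p in low for p in USER_WRITABLE):
                findings.append(Finding("high", line, f"autostart from user-writable location: {path}"))
            elif not re.match(r"^[a-z]:\\", low):
                findings.append(Finding("medium", line, f"target is not an absolute path: {path}"))
            continue
        m = POLICY_RE.match(line)
        if m and m.group(1) == "0":
            findings.append(Finding("high", line, "EnableLUA = 0: User Account Control is disabled"))
            continue
        m = NOFILE_RE.match(line)
        if m:
            findings.append(Finding("info", line, f"orphaned {m.group(1)} entry {m.group(2)} (file missing)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```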
Title: Re: Fake Security Protection Virus
Post by: Corrine on June 13, 2011, 01:52:46 AM
Hi, Sebstian.  Welcome to LandzDown Forum.

We will do our best to assist you.  However, in order to do so, please follow all instructions provided in the sequence given.  Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use.  This may cause conflicts with the tools being used in the cleanup process.  

If you have questions regarding any of the instructions or problems running any tools, please let us know.

This rogue is often bundled with the TDSS rootkit infection.  If you are unable to download TDSSKiller in normal mode, please try safe mode with networking:

To restart your computer in Safe Mode with Networking, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. Windows will now boot into safe mode with networking and prompt you to log in as a user.  

Please download the TDSSKiller.exe (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) by Kaspersky... save it to your Desktop. <-Important!!!
Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php) to your desktop.

** Note **

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Note:  If you are unable to run MBAM, download rkill from one of the following links and save to your Desktop:

One (http://download.bleepingcomputer.com/grinler/rkill.exe), Two (http://download.bleepingcomputer.com/grinler/rkill.com), Three (http://download.bleepingcomputer.com/grinler/rkill.scr) or Four (http://download.bleepingcomputer.com/grinler/rkill.pif)
Notes:

If you receive security warnings about rkill, please ignore and allow the download to continue.
Title: Re: Fake Security Protection Virus
Post by: Sebstian on June 13, 2011, 02:27:14 AM
I am able to log on normally and so far it seems to be back to normal. Here is the MBAM Log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6845

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.19048

6/12/2011 7:20:33 PM
mbam-log-2011-06-12 (19-20-33).txt

Scan type: Quick scan
Objects scanned: 191318
Time elapsed: 4 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C4758CBF-B916-ECFB-EC7C-2C0428BC62D6} (Adware.AdRotator) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Security Protection (Trojan.FakeAlert) -> Value: Security Protection -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\Zango 10.3.79.0 (Adware.Zango) -> Value: Zango 10.3.79.0 -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\defender.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\0.6944212985124077.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\plugins\npclntax_zangosa.dll (Adware.Seekmo) -> Quarantined and deleted successfully.
c:\Users\the garcia\AppData\Local\Temp\8145.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\the garcia\AppData\Local\Temp\8BEF.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\the garcia\AppData\Local\Temp\jar_cache25663.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\the garcia\AppData\Local\Temp\jar_cache25665.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Windows\System32\ljbhupyrssbncgygj.dll-uninst.exe (Adware.AdRotator) -> Quarantined and deleted successfully.
Title: Re: Fake Security Protection Virus
Post by: Corrine on June 13, 2011, 03:11:05 PM
Hi, Sebstian.

Did you run TDSSKiller?

Note that the trojan on your computer is a backdoor, password stealer.  I strongly advise you to change passwords, particularly for online banking and similar sites.

Why do you have UAC disabled?   

SecurityCheck indicated that the Windows Security Center service may not be running.  Are you able to get security updates via Windows Update?

You have outdated, vulnerable versions of Java and Adobe products on your computer. 

Please go to add/remove programs and uninstall Java(TM) SE Runtime Environment 6.  Please download JavaRa (http://sourceforge.net/project/downloading.php?groupname=javara&filename=JavaRa.zip&use_mirror=osdn) and unzip it to your desktop.

Then download and install Java SE Runtime Environment 6u26 (http://java.com/en/download/manual.jsp).

Note:  UNCHECK any pre-checked toolbar and/or software options presented with the update.  They are not part of the software update and are completely optional.   

Adobe Flash Player needs to be updated for both IE and alternate browsers.

Direct download for IE:  http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe (http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe)
Direct Download for non-IE (Opera, Firefox etc): http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe (http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe)

After install, verify Flash Player version for each browser installed at About Flash Player page (http://www.adobe.com/products/flash/about/).

Update Adobe Reader to the current version, http://get.adobe.com/reader/

You indicated in your initial post that you had updated Firefox.   However, the version shown in your log is Mozilla Firefox 3.0.6 which is severely out of date.  If you no longer use Firefox, I suggest you uninstall it.  Otherwise, update to the current version.

Please let me know if you have any questions.
Title: Re: Fake Security Protection Virus
Post by: Sebstian on June 15, 2011, 02:12:48 AM
I did run TDSSKiller and it came up empty.
I am in the process of changing all of my passwords now.
I am not sure why or how UAC was disabled. I have enabled it now.
I checked the Windows Security Center in my control panel and it was on and I was receiving security updates. I went ahead and updated what it was suggesting to update.
I updated everything you suggested in the previous post. My computer is running 1000% better. Is there anything else I can do?

Also, what do you feel about spybot? Is there another spyware program I should be running?

Thank you so much for all the help you provided. I was really nervous I screwed up my computer pretty bad!
Title: Re: Fake Security Protection Virus
Post by: Corrine on June 15, 2011, 02:50:10 PM
Hi, Sebstian.

Thank you for answering my questions.  I suspect that the malware disabled UAC and am glad all is well now.  Although I don't personally use Spybot, it is a good program. 

My additional recommendations --

To check if your system is missing security updates or has insecure applications, install Secunia Personal Software Inspector (http://secunia.com/vulnerability_scanning/personal/) or, alternatively, visit http://secunia.com/software_inspector/ .  The Secunia Software Inspector runs through your browser with no installation or download required and does the following:

Install and update SpywareBlaster to prevent the installation of spyware and other potentially unwanted software: http://www.javacoolsoftware.com/spywareblaster.html

My favorite security software is WinPatrol which includes the features described at http://www.winpatrol.com/features.html

Please let me know if you have any questions.
Title: Re: Fake Security Protection Virus
Post by: Sebstian on June 18, 2011, 05:09:21 AM
Corrine,

I will download those programs you suggested. Thank you! So far so good. However, I got on my machine tonight and opened the task manager and my CPU usage is hovering at 50% which seems high to me. I will run scans with the programs you suggested and see what happened.

Now you previously mentioned there should be only one security software. Should I have SpywareBlaster and WinPatrol on my system? And should I run the Anti-Malware program you had me download on a consistent basis? I was not being proactive in preventing these attacks and I would like to be now.

Thank you for helping and putting up with my questions.
Title: Re: Fake Security Protection Virus
Post by: Corrine on June 18, 2011, 06:44:11 PM
Good questions, Sebstian.  The one security program I was referring to is only one antivirus software, one software firewall and one "real-time" protection program. Having two of any of the above can result in not only high system usage but, more importantly, system conflicts.

It wouldn't hurt to update and scan with MBAM at least weekly.

Spyware Blaster and WinPatrol perform different functions.  Spyware Blaster needs to be updated periodically.  I would advise checking for updates at least every few weeks.  The program will help do the following:

--    Prevent the installation of ActiveX-based spyware and other potentially unwanted programs.
--    Block spying / tracking via cookies.
--    Restrict the actions of potentially unwanted or dangerous web sites.

WinPatrol, on the other hand, will provide an alert if a program attempts to add itself to start-up.  In addition to using WinPatrol for removing programs from start-up, you can also add programs to "delayed start" so your computer will be usable faster after starting.  It has many other features as well, included in the link provided above.

Should you have additional questions about WinPatrol, we just launched the WinPatrol Help & Information (http://www.landzdown.com/index.php/board,40.0.html) forum here at LandzDown.
Title: Re: Fake Security Protection Virus
Post by: Sebstian on June 19, 2011, 02:27:48 AM
Last questions!  :D

So the Spyware Blaster would be considered my real time protection service, right? I would use this instead of Spybot?

Regarding Firewalls. I have the firewall enabled on Microsoft Security. I also have a firewall on my wireless router. Is there one I should choose over the other, or are all firewalls the same as long as you have one enabled?
Title: Re: Fake Security Protection Virus
Post by: Corrine on June 19, 2011, 01:28:06 PM
Hi, Sebstian.  Spyware Blaster would be considered a supplement to Spybot. 

Real-time protection would be if you used Windows Defender with the Norton Security Suite's real-time protection.