
I was watching a movie online and then all hell broke loose. This XP Antivirus 2012 popped up and I can't get rid of it. It won't let me pull up my malwarebytes anti malware, it keeps taking me to Internet explorer to register it and it took over my AV and firewall. I am at a loss. Can someone help me?


Welcome to the forum.

See if following this guide works and also check Here

Make sure you run rkill and then immediately run MBAM as described.

Most important....update MBAM before you run it.

The link below explains how to rename MBAM if needed:

http://forums.malwarebytes.org/index.php?showtopic=55485&view=findpost&p=274963

Post the logs back here, Good Luck....MrC


Here is the problem with that: the majority of things I try to run ask me to open with:

I did get a couple of things running with no problem, but you will see what happened to rkill.

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Rkill was run on 11/30/2011 at 12:09:06.

Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

Rkill completed on 11/30/2011 at 12:09:06.

Rkill completed on 11/30/2011 at 12:09:58.

--------------------------------------------------------------------------------------------------------------------

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Rkill was run on 11/30/2011 at 12:09:06.

Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

Rkill completed on 11/30/2011 at 12:09:06.

---------------------------------------------------------------------------------------------------------------------

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24

Run by Administrator at 12:06:49 on 2011-11-30

.

============== Running Processes ===============

.

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

uRun: [cdloader] "c:\documents and settings\administrator\application data\mjusbsp\cdloader2.exe" MAGICJACK

uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [sticky-Notes] c:\program files\sticky-notes\stickynotes.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [2876587268] c:\documents and settings\administrator\local settings\application data\stw.exe

uRun: [Privacy Protection] c:\documents and settings\all users\application data\privacy.exe

mRun: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\realte~1.lnk - c:\program files\realtek\rtl8185 wireless lan utility\RtWLan.exe

uPolicies-explorer: NoResolveTrack = 1 (0x1)

uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

uPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)

mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)

mPolicies-explorer: StartMenuFavorites = 0 (0x0)

mPolicies-explorer: Start_ShowMyComputer = 1 (0x1)

mPolicies-explorer: Start_ShowMyDocs = 1 (0x1)

mPolicies-explorer: Start_ShowMyMusic = 0 (0x0)

mPolicies-explorer: Start_ShowRun = 1 (0x1)

mPolicies-explorer: Start_ShowSearch = 0 (0x0)

dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)

dPolicies-explorer: NoResolveTrack = 1 (0x1)

dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

dPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

LSP: mswsock.dll

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.10.1

TCP: Interfaces\{607C3099-A9BC-4124-BF82-989DC656873E} : DhcpNameServer = 192.168.10.1

TCP: Interfaces\{C8594847-B134-4B4A-BBC6-B0944B6665CC} : DhcpNameServer = 192.168.10.1

TCP: Interfaces\{D6CFEB61-9D9F-456D-B940-7AD3FBC6CA95} : DhcpNameServer = 68.87.77.134 68.87.72.134

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

Notify: AtiExtEvent - Ati2evxx.dll

AppInit_DLLs: c:\windows\system32\prio.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\t4to0dog.default\

FF - prefs.js: browser.startup.homepage - about:home

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1190&p=

FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

============= SERVICES / DRIVERS ===============

.

.

=============== Created Last 30 ================

.

2011-11-30 01:06:58 388096 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-11-30 01:06:58 -------- d-----w- c:\program files\Trend Micro

2011-11-29 19:30:26 -------- d-----w- c:\documents and settings\administrator\application data\Panda Security

2011-11-08 19:35:46 -------- d-----w- c:\program files\Panda Security

2011-11-08 19:35:46 -------- d-----w- c:\documents and settings\all users\application data\Panda Security

2011-11-08 19:35:24 -------- d-----w- C:\temp

2011-11-06 07:04:27 -------- d-----w- C:\3d7a53254c345f56cdf1771f3baf

2011-11-05 14:49:17 -------- d-----w- c:\program files\Citrix

2011-11-05 14:48:59 72080 ----a-w- c:\documents and settings\administrator\g2mdlhlpx.exe

2011-11-02 00:56:02 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Opera

.

==================== Find3M ====================

.

2011-11-16 05:44:51 414368 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-23 07:49:50 256 --sha-w- c:\windows\system32\sbi_r107.sys

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 12:07:37.28 ===============

attach.txt


OK, it appears that you have a Privacy Protection infection according to your HJT log.

The link below is the uninstall guide:

http://www.bleepingcomputer.com/virus-removal/remove-privacy-protection

--------------------------------

Reboot into safe mode and try these suggestions:

To fix the executable, download and run FixNCR.reg or right click on it and choose merge:

http://download.bleepingcomputer.com/reg/FixNCR.reg

-------------------------------

If you can run HJT.....have it fix these:

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O4 - HKCU\..\Run: [Privacy Protection] C:\Documents and Settings\All Users\Application Data\privacy.exe

O4 - HKUS\S-1-5-21-1644491937-823518204-1417001333-500\..\Run: [Privacy Protection] C:\Documents and Settings\All Users\Application Data\privacy.exe (User '?')

O4 - HKCU\..\Run: [2876587268] C:\Documents and Settings\Administrator\Local Settings\Application Data\stw.exe

Click on Fix Checked when finished and exit HijackThis.

------------------------------------

Now try to run Malwarebytes.

Let me know....MrC

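Triage logic for the autostart entries in the DDS "Pseudo HJT Report" above, as an added example that is not code from this thread or from the DDS/HijackThis tools. It parses *Run: lines and applies the two tells the helper relied on (a binary dropped loose in a profile data root, and a value name that is just digits); the sample input is constructed from lines in the log plus one benign vendor entry for contrast.

```python
import re

# Constructed sample: autostart lines as DDS prints them in the report above.
SAMPLE_LOG = r"""
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [2876587268] c:\documents and settings\administrator\local settings\application data\stw.exe
uRun: [Privacy Protection] c:\documents and settings\all users\application data\privacy.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
"""

# uRun / mRun / dRun (and the RunOnce variants) all share this shape.
RUN_LINE = re.compile(r"^(?P<hive>[umd])Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# The command may be quoted and may carry arguments; keep only the binary path.
EXE_PATH = re.compile(r'^"?(?P<path>.*?\.(?:exe|scr))\b', re.IGNORECASE)


def parse_run_entries(text):
    """Yield (hive, value name, lower-cased executable path) per *Run: line."""
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        p = EXE_PATH.match(m.group("cmd"))
        if p:
            yield m.group("hive"), m.group("name"), p.group("path").lower()


def suspicious_reasons(name, path):
    """Return the list of tells that apply to one autostart entry (empty = clean)."""
    reasons = []
    parts = path.split("\\")
    parent = parts[-2] if len(parts) >= 2 else ""
    # Tell 1: the file sits directly in a profile data root, not a vendor
    # subfolder (privacy.exe, stw.exe above); GoogleUpdate.exe is nested and passes.
    if parent == "application data":
        reasons.append("executable dropped directly in a profile data root")
    # Tell 2: an all-digit value name, as the rogue's installer generated here.
    if name.isdigit():
        reasons.append("autogenerated numeric value name")
    return reasons


def triage(text):
    """Map each value name worth a closer look to the reasons it was flagged."""
    flagged = {}
    for _hive, name, path in parse_run_entries(text):
        reasons = suspicious_reasons(name, path)
        if reasons:
            flagged[name] = reasons
    return flagged
```

Running triage(SAMPLE_LOG) flags exactly the two O4 entries the helper lists for HijackThis and leaves the Google, Microsoft and QuickTime entries alone.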

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

