Jump to content

Total Security version 4.52 virus , logs here.

Recommended Posts


So i got this virus 2 days ago from msn.

Its the fake virus scanner Total Security 4.52

I've tried scanning it with Malwarebytes, it helps for a bit..but after restart the virus is back.

I dunno what to do now.....pleeeease help :lol:

So here is the log from Hjackthis thingy.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:43:10, on 25.08.2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20733)

Boot mode: Normal

Running processes:











C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe

C:Program FilesCommon FilesAVerMediaServiceAVerRemote.exe

C:Program FilesCommon FilesAVerMediaServiceAVerScheduleService.exe

C:Program FilesBonjourmDNSResponder.exe

C:Program FilesJavajre6binjqs.exe

C:Program FilesCommon FilesAVerMediaFujitsu RCAVerHIDReceiver.exe

C:Program FilesATI TechnologiesATI.ACECLI.EXE

C:Program FilesMicrosoft OfficeOffice12GrooveMonitor.exe


C:Program FilesWinampwinampa.exe

C:Program FilesiTunesiTunesHelper.exe

C:Program FilesJavajre6binjusched.exe

C:Program FilesSweetIMMessengerSweetIM.exe


C:Program FilesAnti-Virus&TrojanAnti-Virus&Trojan.exe

C:Program FilesCommon FilesAVerMediaFujitsu RCAVerQuick.exe

C:Program FilesWindows LiveMessengermsnmsgr.exe


C:Program FilesiPodbiniPodService.exe

C:Program FilesATI TechnologiesATI.ACEcli.exe

C:Program FilesATI TechnologiesATI.ACEcli.exe

C:Program FilesWindows LiveContactswlcomm.exe

C:Program FilesMozilla Firefoxfirefox.exe

C:Program FilesTrend MicroHijackThisHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://search.bearshare.com/

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCUSoftwareMicrosoftInternet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1061

R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyOverride = *.local

R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:Program FilesSweetIMToolbarsInternet ExplorermgHelper.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelperShim.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:PROGRA~1MICROS~2Office12GRA8E1~1.DLL

O2 - BHO: UrlHelper Class - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - C:Program FilesBearShare ApplicationsBearShareBearShareIEHelper.dll

O2 - BHO: Windows Live'i sisselogimisabiline - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:Program FilesCommon FilesMicrosoft SharedWindows LiveWindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:Program FilesJavajre6binjp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:Program FilesJavajre6libdeployjqsiejqs_plugin.dll

O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:Program FilesSweetIMToolbarsInternet ExplorermgToolbarIE.dll

O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:Program FilesSweetIMToolbarsInternet ExplorermgToolbarIE.dll

O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:Program FilesBearShare ApplicationsBearShare MediaBarBearShareMediaBar.dll

O4 - HKLM..Run: [ATICCC] "C:Program FilesATI TechnologiesATI.ACECLIStart.exe"


O4 - HKLM..Run: [skyTel] SkyTel.EXE

O4 - HKLM..Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM..Run: [AzMixerSel] C:Program FilesRealtekInstallShieldAzMixerSel.exe

O4 - HKLM..Run: [iNPROCOMMWireless] C:Program FilesAtherosWirelessUtilityWlanUtil.exe

O4 - HKLM..Run: [NeroFilterCheck] C:WINDOWSsystem32NeroCheck.exe

O4 - HKLM..Run: [GrooveMonitor] "C:Program FilesMicrosoft OfficeOffice12GrooveMonitor.exe"

O4 - HKLM..Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd

O4 - HKLM..Run: [WinampAgent] "C:Program FilesWinampwinampa.exe"

O4 - HKLM..Run: [AppleSyncNotifier] C:Program FilesCommon FilesAppleMobile Device SupportbinAppleSyncNotifier.exe

O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeQTTask.exe" -atboottime

O4 - HKLM..Run: [iTunesHelper] "C:Program FilesiTunesiTunesHelper.exe"

O4 - HKLM..Run: [sunJavaUpdateSched] "C:Program FilesJavajre6binjusched.exe"

O4 - HKLM..Run: [Adobe Reader Speed Launcher] "C:Program FilesAdobeReader 9.0ReaderReader_sl.exe"

O4 - HKLM..Run: [sweetIM] C:Program FilesSweetIMMessengerSweetIM.exe

O4 - HKLM..Run: [11475464] C:Documents and SettingsAll UsersApplication Data1147546411475464.exe

O4 - HKCU..Run: [MsnMsgr] ~"C:Program FilesWindows LiveMessengermsnmsgr.exe" /background

O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe



O4 - HKUSS-1-5-18..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'SYSTEM')

O4 - HKUS.DEFAULT..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:Program FilesCommon FilesAdobeCalibrationAdobe Gamma Loader.exe

O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:Program FilesMicrosoft OfficeOffice12ONENOTEM.EXE

O4 - Global Startup: Anti-Virus&Trojan.lnk = C:Program FilesAnti-Virus&TrojanAnti-Virus&Trojan.exe

O4 - Global Startup: AVer HID Receiver.lnk = C:Program FilesCommon FilesAVerMediaFujitsu RCAVerHIDReceiver.exe

O4 - Global Startup: Fujitsu RC.lnk = C:Program FilesCommon FilesAVerMediaFujitsu RCAVerQuick.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2Office12EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~2Office12ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~2Office12ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2Office12REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:PROGRA~1MICROS~2Office12GR99D3~1.DLL

O23 - Service: Adobe LM Service - Adobe Systems - C:Program FilesCommon FilesAdobe Systems SharedServiceAdobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:WINDOWSsystem32Ati2evxx.exe

O23 - Service: AVerRemote - AVerMedia - C:Program FilesCommon FilesAVerMediaServiceAVerRemote.exe

O23 - Service: AVerScheduleService - Unknown owner - C:Program FilesCommon FilesAVerMediaServiceAVerScheduleService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:Program FilesBonjourmDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:Program FilesiPodbiniPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:Program FilesJavajre6binjqs.exe


End of file - 8567 bytes

ALSO..here is Malwarebytes log ( i did it with Quick Scan and before doing these both logs.. i deleted the *randomnumber*.exe thing from Task Manager, to do Malwarebytes. :

Malwarebytes' Anti-Malware 1.40

Database version: 2688

Windows 5.1.2600 Service Pack 2

25.08.2009 17:55:09

mbam-log-2009-08-25 (17-55-09).txt

Scan type: Quick Scan

Objects scanned: 92432

Time elapsed: 5 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11475464 (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Please help me?

Link to post
Share on other sites

  • Staff

Hi flemzy and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:


  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


Link to post
Share on other sites

  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.