WiredWX Hobby Weather ToolsLog in

 


descriptionFake Antivirus on Work Laptop EmptyFake Antivirus on Work Laptop

more_horiz
Hi,
My work laptop got infected with Wireshark Antivirus as I was surfing the web last night. I DO NOT have admnisator rigts onthis laptop, therefore it's makng it very difficult to do anything to remove this virus. I have downloaded rkill from 15 different mirrors with no luck. Any antivirus I try to install, it won't let me because I do not have administrator rights. I was able to get task manager open, so I can disable the virus for a minute or 2 but it always pops back up. What can I do to get this laptop working again before MONDAY??? Any help would be VERY appreciated!!

descriptionFake Antivirus on Work Laptop EmptyRe: Fake Antivirus on Work Laptop

more_horiz
Hello.

Download OTL by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.

descriptionFake Antivirus on Work Laptop EmptyRe: Fake Antivirus on Work Laptop

more_horiz
OTL logfile created on: 8/14/2010 12:45:50 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\hcistaff\Desktop
Windows XP Tablet PC Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 244.00 Mb Available Physical Memory | 48.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.89 Gb Total Space | 44.95 Gb Free Space | 80.43% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: 873046LT
Current User Name: hcistaff
NOT logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/14 12:21:22 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\hcistaff\Desktop\OTL.exe
PRC - [2010/08/14 10:40:19 | 000,098,304 | ---- | M] () -- C:\Documents and Settings\hcistaff\Application Data\conhost.exe
PRC - [2010/08/14 02:19:41 | 000,059,904 | ---- | M] () -- C:\Documents and Settings\hcistaff\Start Menu\Programs\Startup\csrss.exe
PRC - [2010/08/13 22:51:13 | 000,079,872 | -HS- | M] (Ptuqckg Trbpryd) -- C:\Documents and Settings\hcistaff\Application Data\SystemProc\lsass.exe
PRC - [2008/04/14 05:42:42 | 000,293,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wisptis.exe
PRC - [2008/04/14 05:42:38 | 000,271,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Ink\tabtip.exe
PRC - [2008/04/14 05:42:38 | 000,043,520 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Ink\tcserver.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/08/02 01:38:30 | 000,802,816 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2006/08/02 01:27:54 | 000,479,232 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
PRC - [2002/08/29 04:41:28 | 000,035,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tabbtnu.exe


========== Modules (SafeList) ==========

MOD - [2010/08/14 12:21:22 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\hcistaff\Desktop\OTL.exe
MOD - [2008/04/14 05:42:08 | 000,250,368 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ime\sptip.dll
MOD - [2008/04/14 05:42:08 | 000,210,944 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Ink\tiptsf.dll
MOD - [2008/04/14 05:42:08 | 000,038,912 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Ink\tipcomponentsps.dll
MOD - [2008/04/14 05:42:00 | 000,068,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msctfp.dll
MOD - [2008/04/14 05:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2008/04/13 23:09:26 | 002,897,920 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\xpsp2res.dll
MOD - [2008/04/13 22:13:20 | 000,062,976 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ime\spgrmr.dll
MOD - [2002/08/29 04:41:08 | 000,023,552 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Journal\nbmaptip.dll


========== Win32 Services (SafeList) ==========


========== Driver Services (SafeList) ==========


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://sslvpn.hamiltoncenter.org/dana-na/auth/url_default/welcome.cgi
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2008/04/14 16:07:40 | 000,000,736 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [000StTHK] C:\WINDOWS\System32\000StTHK.exe ()
O4 - HKLM..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [CrossMenu] C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe (TOSHIBA)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TabletTip] C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe (Microsoft Corporation)
O4 - HKLM..\Run: [TabletWizard] C:\WINDOWS\Help\splshwrp.exe (Microsoft Corporation)
O4 - HKCU..\Run: [RTHDBPL] C:\Documents and Settings\hcistaff\Application Data\SystemProc\lsass.exe (Ptuqckg Trbpryd)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\hcistaff\Start Menu\Programs\Startup\csrss.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Download present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\New Windows present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\SQM present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207239893781 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208195572328 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://sslvpn.hamiltoncenter.org/dana-cached/setup/JuniperSetupSP1.cab (JuniperSetupSP1 Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 76.85.229.110 76.85.229.111
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hamiltoncenter.org
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\loginkey: DllName - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll (Microsoft Corporation)
O20 - Winlogon\Notify\TabBtnWL: DllName - TabBtnWL.dll - C:\WINDOWS\System32\tabbtnwl.dll (Microsoft Corporation)
O20 - Winlogon\Notify\tpgwlnotify: DllName - tpgwlnot.dll - C:\WINDOWS\System32\tpgwlnot.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/03 11:27:21 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/08/14 12:13:04 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\hcistaff\Desktop\OTL.exe
[2010/08/14 01:11:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\F-Secure
[2010/08/14 01:07:07 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\hcistaff\Desktop\mbam-setup.exe
[2010/08/14 00:50:04 | 001,870,800 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\hcistaff\Desktop\HousecallLauncher.exe
[2010/08/13 23:49:23 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\hcistaff\Desktop\zztoy.exe
[2010/08/13 23:04:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hcistaff\Application Data\scdata
[2010/08/13 22:57:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hcistaff\Application Data\Wireshark Antivirus
[2010/08/13 22:55:29 | 002,089,472 | ---- | C] (Intsys) -- C:\Documents and Settings\hcistaff\Application Data\wshark.exe
[2010/08/13 22:51:19 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\hcistaff\Application Data\SystemProc
[2010/08/12 03:06:13 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2008/04/03 17:02:49 | 000,049,152 | ---- | C] ( ) -- C:\WINDOWS\System32\BrigthDL.dll
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2099/01/01 12:00:00 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/08/14 12:45:23 | 000,000,095 | ---- | M] () -- C:\Documents and Settings\hcistaff\Application Data\sh4.dat
[2010/08/14 12:45:23 | 000,000,001 | ---- | M] () -- C:\Documents and Settings\hcistaff\Application Data\sh3.dat
[2010/08/14 12:45:11 | 000,059,904 | ---- | M] () -- C:\Documents and Settings\hcistaff\Application Data\csrss.exe
[2010/08/14 12:45:11 | 000,002,035 | ---- | M] () -- C:\Documents and Settings\hcistaff\Desktop\Wireshark Antivirus.lnk
[2010/08/14 12:21:22 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\hcistaff\Desktop\OTL.exe
[2010/08/14 10:40:19 | 000,098,304 | ---- | M] () -- C:\Documents and Settings\hcistaff\Application Data\conhost.exe
[2010/08/14 04:22:13 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/14 04:22:10 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/14 04:21:06 | 002,883,584 | -H-- | M] () -- C:\Documents and Settings\hcistaff\NTUSER.DAT
[2010/08/14 04:21:06 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\hcistaff\ntuser.ini
[2010/08/14 02:19:41 | 000,059,904 | ---- | M] () -- C:\Documents and Settings\hcistaff\Start Menu\Programs\Startup\csrss.exe
[2010/08/14 01:07:15 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\hcistaff\Desktop\mbam-setup.exe
[2010/08/14 00:50:29 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\hcistaff\Local Settings\Application Data\housecall.guid.cache
[2010/08/14 00:50:26 | 001,870,800 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\hcistaff\Desktop\HousecallLauncher.exe
[2010/08/14 00:15:49 | 000,472,064 | ---- | M] ( ) -- C:\Documents and Settings\hcistaff\Desktop\RootRepeal.exe
[2010/08/14 00:14:48 | 000,464,491 | ---- | M] () -- C:\Documents and Settings\hcistaff\Desktop\RootRepeal.zip
[2010/08/14 00:11:43 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\hcistaff\Desktop\rkill.scr
[2010/08/14 00:11:21 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\hcistaff\Desktop\rkill.com
[2010/08/13 23:49:23 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\hcistaff\Desktop\zztoy.exe
[2010/08/13 23:01:08 | 000,018,632 | ---- | M] () -- C:\Documents and Settings\hcistaff\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/08/13 22:57:25 | 000,000,009 | ---- | M] () -- C:\Documents and Settings\hcistaff\Application Data\nuar.old
[2010/08/13 22:57:24 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\hcistaff\Application Data\skynet.dat
[2010/08/13 22:57:19 | 002,089,472 | ---- | M] (Intsys) -- C:\Documents and Settings\hcistaff\Application Data\wshark.exe
[2010/08/12 03:30:46 | 000,115,768 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/12 03:11:46 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/08/12 03:11:04 | 000,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/08/12 03:08:40 | 000,522,418 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/12 03:08:40 | 000,456,832 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/12 03:08:40 | 000,075,854 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/09 19:47:18 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/02 15:44:49 | 000,055,655 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/07/19 15:03:18 | 005,884,284 | -H-- | M] () -- C:\Documents and Settings\hcistaff\Local Settings\Application Data\IconCache.db
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/14 01:11:49 | 000,059,904 | ---- | C] () -- C:\Documents and Settings\hcistaff\Start Menu\Programs\Startup\csrss.exe
[2010/08/14 01:05:45 | 000,002,035 | ---- | C] () -- C:\Documents and Settings\hcistaff\Desktop\Wireshark Antivirus.lnk
[2010/08/14 00:50:29 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\hcistaff\Local Settings\Application Data\housecall.guid.cache
[2010/08/14 00:14:44 | 000,464,491 | ---- | C] () -- C:\Documents and Settings\hcistaff\Desktop\RootRepeal.zip
[2010/08/13 23:46:06 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\hcistaff\Desktop\rkill.com
[2010/08/13 23:39:04 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\hcistaff\Desktop\rkill.scr
[2010/08/13 22:57:25 | 000,098,304 | ---- | C] () -- C:\Documents and Settings\hcistaff\Application Data\conhost.exe
[2010/08/13 22:57:25 | 000,000,009 | ---- | C] () -- C:\Documents and Settings\hcistaff\Application Data\nuar.old
[2010/08/13 22:57:24 | 000,059,904 | ---- | C] () -- C:\Documents and Settings\hcistaff\Application Data\csrss.exe
[2010/08/13 22:57:24 | 000,000,095 | ---- | C] () -- C:\Documents and Settings\hcistaff\Application Data\sh4.dat
[2010/08/13 22:57:24 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\hcistaff\Application Data\skynet.dat
[2010/08/13 22:57:24 | 000,000,001 | ---- | C] () -- C:\Documents and Settings\hcistaff\Application Data\sh3.dat
[2008/04/14 13:43:45 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/04/03 17:02:49 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\Volume.dll
[2008/04/03 15:53:07 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2008/04/03 15:53:07 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2008/04/03 15:53:07 | 000,010,165 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2008/04/03 15:53:07 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2006/01/18 06:09:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/01/18 06:09:00 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/01/18 06:09:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/01/18 06:09:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2005/09/02 15:44:08 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2005/07/22 22:30:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[2004/07/20 18:04:02 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\TosBtHcrpAPI.dll
[2004/01/15 15:43:28 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TBTMonUI.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
< End of report >

descriptionFake Antivirus on Work Laptop EmptyRe: Fake Antivirus on Work Laptop

more_horiz
OTL Extras logfile created on: 8/14/2010 12:45:50 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\hcistaff\Desktop
Windows XP Tablet PC Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 244.00 Mb Available Physical Memory | 48.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.89 Gb Total Space | 44.95 Gb Free Space | 80.43% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: 873046LT
Current User Name: hcistaff
NOT logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management
"80:TCP" = 80:TCP:*:Disabled:Windows Remote Management - Compatibility Mode (HTTP-In)

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{11447AB1-2B37-49D3-9963-2ACDFA06E04B}" = System Center Essentials Configuration Helper
"{190D0C6E-C8A7-4019-8FB5-FD041EC1F2D2}" = Mobile Broadband Drivers
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{73937067-7195-466C-893F-C18DF9392F83}" = Barracuda Networks Outlook Plug-in
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8C6BB412-D3A8-4AAE-A01B-35B681789D68}" = mHelp
"{90120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{90CC4231-94AC-45CD-991A-0253BFAC0650}" = mDrWiFi
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{E7600A9C-6782-4221-984E-AB89C780DC2D}" = System Center Operations Manager 2007 Agent
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"ProInst" = Intel(R) PROSet/Wireless Software
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"VZAccess Manager" = VZAccess Manager
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Juniper_Term_Services" = Juniper Terminal Services Client

========== Last 10 Event Log Errors ==========

Error: Unable to start EventLog service!

< End of report >

descriptionFake Antivirus on Work Laptop EmptyRe: Fake Antivirus on Work Laptop

more_horiz
Hello.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    O4 - Startup: C:\Documents and Settings\hcistaff\Start Menu\Programs\Startup\csrss.exe ()
    [2010/08/13 23:04:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hcistaff\Application Data\scdata
    [2010/08/13 22:57:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hcistaff\Application Data\Wireshark Antivirus
    [2010/08/13 22:55:29 | 002,089,472 | ---- | C] (Intsys) -- C:\Documents and Settings\hcistaff\Application Data\wshark.exe
    [2010/08/13 22:51:19 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\hcistaff\Application Data\SystemProc
    [2010/08/14 12:45:23 | 000,000,095 | ---- | M] () -- C:\Documents and Settings\hcistaff\Application Data\sh4.dat
    [2010/08/14 12:45:23 | 000,000,001 | ---- | M] () -- C:\Documents and Settings\hcistaff\Application Data\sh3.dat
    [2010/08/14 12:45:11 | 000,059,904 | ---- | M] () -- C:\Documents and Settings\hcistaff\Application Data\csrss.exe
    [2010/08/14 12:45:11 | 000,002,035 | ---- | M] () -- C:\Documents and Settings\hcistaff\Desktop\Wireshark Antivirus.lnk
    [2010/08/14 10:40:19 | 000,098,304 | ---- | M] () -- C:\Documents and Settings\hcistaff\Application Data\conhost.exe
    [2010/08/14 02:19:41 | 000,059,904 | ---- | M] () -- C:\Documents and Settings\hcistaff\Start Menu\Programs\Startup\csrss.exe
    [2010/08/13 22:57:25 | 000,000,009 | ---- | C] () -- C:\Documents and Settings\hcistaff\Application Data\nuar.old
    [2010/08/13 22:57:24 | 000,059,904 | ---- | C] () -- C:\Documents and Settings\hcistaff\Application Data\csrss.exe


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

descriptionFake Antivirus on Work Laptop EmptyRe: Fake Antivirus on Work Laptop

more_horiz
Thanks for your help!!!!
Here's what I got:

========== OTL ==========
C:\Documents and Settings\hcistaff\Start Menu\Programs\Startup\csrss.exe moved successfully.
C:\Documents and Settings\hcistaff\Application Data\scdata\images folder moved successfully.
C:\Documents and Settings\hcistaff\Application Data\scdata folder moved successfully.
C:\Documents and Settings\hcistaff\Application Data\Wireshark Antivirus folder moved successfully.
C:\Documents and Settings\hcistaff\Application Data\wshark.exe moved successfully.
C:\Documents and Settings\hcistaff\Application Data\SystemProc folder moved successfully.
C:\Documents and Settings\hcistaff\Application Data\sh4.dat moved successfully.
C:\Documents and Settings\hcistaff\Application Data\sh3.dat moved successfully.
C:\Documents and Settings\hcistaff\Application Data\csrss.exe moved successfully.
C:\Documents and Settings\hcistaff\Desktop\Wireshark Antivirus.lnk moved successfully.
C:\Documents and Settings\hcistaff\Application Data\conhost.exe moved successfully.
File C:\Documents and Settings\hcistaff\Start Menu\Programs\Startup\csrss.exe not found.
C:\Documents and Settings\hcistaff\Application Data\nuar.old moved successfully.
File C:\Documents and Settings\hcistaff\Application Data\csrss.exe not found.

OTL by OldTimer - Version 3.2.9.1 log created on 08142010_161445

descriptionFake Antivirus on Work Laptop EmptyRe: Fake Antivirus on Work Laptop

more_horiz
Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    Fake Antivirus on Work Laptop CF_download_FF

    Fake Antivirus on Work Laptop CF_download_rename

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    Fake Antivirus on Work Laptop Cf410

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    Fake Antivirus on Work Laptop Cf510

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

descriptionFake Antivirus on Work Laptop EmptyRe: Fake Antivirus on Work Laptop

more_horiz
I tried downloading combo fix from both links, but I get an error that says installation failed. Then another box pops up and says Not Admin!! You need administrative privileges to run this tool.
Any suggestions?

descriptionFake Antivirus on Work Laptop EmptyRe: Fake Antivirus on Work Laptop

more_horiz
Can you get admin rights on that user account?

descriptionFake Antivirus on Work Laptop EmptyRe: Fake Antivirus on Work Laptop

more_horiz
No, it is my work laptop. I can only log in under my user name.
The fake virus warning has stopped popping up every couple minutes, but I'm still having some symptoms (nothing happens when I click the Start button & I can't delete the multiple copies of rkill I downloaded last night)

descriptionFake Antivirus on Work Laptop EmptyRe: Fake Antivirus on Work Laptop

more_horiz
Hello.
Ah okay, the only way this can work out is ask your boss to remove the permissions so we can fix the infection, then he can replaces the permissions.

descriptionFake Antivirus on Work Laptop EmptyRe: Fake Antivirus on Work Laptop

more_horiz
That sucks! Thanks for your help though!!
I can't just talk to my boss, I have to go through the IS department and they'll trade out my laptop for the newer ones they are using...I had held out trading mine in because I like my current laptop better. The fake anti virus started popping up again this morning though, so I guess I'll have to take it to IS tomorrow...again, thanks for your help!

descriptionFake Antivirus on Work Laptop EmptyRe: Fake Antivirus on Work Laptop

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum