GeekPolice
Vista antivirus 2012
I have a laptop here that seems to have been affected by Vista antivirus 2012. My security has been disabled; I cannot enable it. I ran Malwarebytes; it scanned only 389 files and claimed 0 affected. I know this can't be right. However, the pop-ups have stopped, but now the mouse randomly has a mind of its own, as if it's being remotely controlled.

Re: Vista antivirus 2012
Please download Malwarebytes' Anti-Malware from one of these places:

Majorgeeks or Besttechie


Double-click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.

* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. Do so.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply.



===============================================



Download Combofix from Bleepingcomputer or Geekstogo and place it on your Desktop

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. ComboFix may be slow to start and appear to be doing nothing before it starts scanning. Just leave it, it will start.

You can get help on disabling your protection programs here : http://www.bleepingcomputer.com/forums/topic114351.html

Please include the C:\ComboFix.txt in your next reply for further review.


Caution.....
Never use this program to remove files. Only use it with help from an experienced user. Wrongful use can damage your computer. This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a qualified helper.







Re: Vista antivirus 2012
I ran Malwarebytes and got nothing. No log I can c&p, it says nothing was found...


Re: Vista antivirus 2012
Ok. Now run Combofix.

Re: Vista antivirus 2012
ComboFix 11-06-14.01 - Jen & Bill 06/14/2011 18:40:13.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.1001 [GMT -4:00]
Running from: c:\users\Jen & Bill\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\commy.exe
c:\commy.exe\CF15916.cfxxe
c:\commy.exe\mbr.cfxxe
c:\commy.exe\mbr.txt
c:\users\Jen & Bill\AppData\Local\qoo.exe
c:\users\Jen & Bill\AppData\Roaming\Microsoft\Windows\Recent\banned-ips.txt
c:\users\Jen & Bill\AppData\Roaming\Microsoft\Windows\Recent\banned-players.txt
c:\users\Jen & Bill\AppData\Roaming\Microsoft\Windows\Recent\ops.txt
c:\users\Jen & Bill\AppData\Roaming\Microsoft\Windows\Recent\server.log
c:\users\Jen & Bill\AppData\Roaming\Microsoft\Windows\Recent\server.properties
c:\users\Jen & Bill\AppData\Roaming\Microsoft\Windows\Recent\white-list.txt
c:\users\RPGXP\RPGXP.exe
c:\users\RPGXP\System
c:\users\RPGXP\System\Data\Actors.rxdata
c:\users\RPGXP\System\Data\Animations.rxdata
c:\users\RPGXP\System\Data\Armors.rxdata
c:\users\RPGXP\System\Data\Classes.rxdata
c:\users\RPGXP\System\Data\CommonEvents.rxdata
c:\users\RPGXP\System\Data\Enemies.rxdata
c:\users\RPGXP\System\Data\Items.rxdata
c:\users\RPGXP\System\Data\Map001.rxdata
c:\users\RPGXP\System\Data\MapInfos.rxdata
c:\users\RPGXP\System\Data\Scripts.rxdata
c:\users\RPGXP\System\Data\Skills.rxdata
c:\users\RPGXP\System\Data\States.rxdata
c:\users\RPGXP\System\Data\System.rxdata
c:\users\RPGXP\System\Data\Tilesets.rxdata
c:\users\RPGXP\System\Data\Troops.rxdata
c:\users\RPGXP\System\Data\Weapons.rxdata
c:\users\RPGXP\System\Game.exe
c:\windows\system32\Ijl11.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-05-14 to 2011-06-14 )))))))))))))))))))))))))))))))
.
.
2011-06-14 17:52 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-14 17:52 . 2011-06-14 17:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-14 17:52 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-10 17:31 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4B1CE669-09C8-4241-BBC7-5CE90D733688}\mpengine.dll
2011-06-03 21:38 . 2011-06-03 21:38 -------- d-----w- c:\program files\Terraria
2011-06-03 12:49 . 2009-03-18 21:35 26176 ---ha-w- c:\windows\system32\hamachi.sys
2011-06-03 12:49 . 2011-06-03 12:49 -------- d-----w- c:\program files\LogMeIn Hamachi
2011-06-02 21:13 . 2011-06-02 21:13 -------- d-----w- c:\users\Jen & Bill\AppData\Roaming\Mind Control Software
2011-06-02 21:08 . 2011-06-02 21:08 -------- d-----w- c:\users\Jen & Bill\AppData\Local\Oberon Media
2011-06-02 19:00 . 2011-06-02 19:00 -------- d-----w- c:\users\Jen & Bill\AppData\Local\2DBoy
2011-06-02 19:00 . 2011-06-02 19:00 -------- d-----w- c:\programdata\2DBoy
2011-05-26 18:46 . 2011-05-26 18:46 -------- d-----w- c:\users\Jen & Bill\AppData\Local\Octodad
2011-05-26 18:44 . 2010-06-02 08:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2011-05-26 18:44 . 2010-06-02 08:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2011-05-26 18:44 . 2010-06-02 08:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2011-05-26 18:44 . 2010-05-26 15:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2011-05-26 18:44 . 2010-05-26 15:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2011-05-26 18:44 . 2010-05-26 15:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2011-05-26 18:44 . 2010-05-26 15:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2011-05-26 18:44 . 2010-05-26 15:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2011-05-26 18:42 . 2011-06-13 18:58 -------- d-----w- c:\program files\Octodad
2011-05-25 00:34 . 2010-02-04 14:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2011-05-25 00:34 . 2010-02-04 14:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2011-05-25 00:34 . 2010-02-04 14:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2011-05-25 00:34 . 2010-02-04 14:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2011-05-25 00:34 . 2011-05-25 00:34 -------- d-----w- c:\program files\Microsoft XNA
2011-05-24 21:57 . 2011-06-13 18:51 -------- d-----w- c:\users\Jen & Bill\AppData\Roaming\Solveig Multimedia
2011-05-24 17:07 . 2011-05-24 17:07 -------- d-----w- c:\program files\Microsoft SQL Server
2011-05-24 17:06 . 2011-05-24 17:06 -------- d-----w- c:\program files\Microsoft Synchronization Services
2011-05-24 17:06 . 2011-05-24 17:06 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-05-24 17:06 . 2011-05-24 17:08 188128 ----a-w- c:\programdata\Microsoft\VCSExpress\10.0\1033\ResourceCache.dll
2011-05-24 17:03 . 2011-05-24 17:08 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2011-05-24 17:03 . 2011-05-24 17:03 -------- d-----w- c:\program files\Microsoft SDKs
2011-05-24 17:03 . 2011-05-24 17:03 -------- d-----w- c:\program files\Microsoft Help Viewer
2011-05-24 17:01 . 2011-05-24 17:01 -------- d-----w- c:\windows\PCHEALTH
2011-05-16 20:50 . 2011-04-14 16:26 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-05-16 20:50 . 2011-04-14 16:25 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-16 20:50 . 2011-04-14 16:25 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-16 20:50 . 2011-04-14 16:25 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-16 20:50 . 2011-04-14 16:25 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-16 20:50 . 2011-04-14 16:25 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-16 20:50 . 2010-01-01 08:00 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-16 20:50 . 2010-01-01 08:00 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-20 15:35 . 2010-06-04 18:51 925080 ----a-w- c:\program files\HyCam2.exe
2010-09-28 13:13 . 2010-06-04 18:51 44032 ----a-w- c:\program files\MClick2.dll
2010-07-09 17:48 . 2010-06-04 18:51 132608 ----a-w- c:\program files\CamRes2.dll
2010-04-26 21:05 . 2010-06-04 18:51 78248 ----a-w- c:\program files\UnHyCam2.exe
2011-04-14 16:26 . 2011-05-16 20:50 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-01-28 2757512]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-29 1047656]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-22 202256]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-05-25 1951112]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2241623534-2856479081-2054934141-1000]
"EnableNotificationsRef"=dword:00000003
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-01-28 51792]
S2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2011-05-25 1336712]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 LTXMD_VAC;Litex Media Virtual Audio Cable (WDM);c:\windows\system32\drivers\lmvac.sys [2010-05-06 18944]
S3 RTL8187;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2007-01-30 205312]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www6.comcast.net/a/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT6459
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
FF - ProfilePath - c:\users\Jen & Bill\AppData\Roaming\Mozilla\Firefox\Profiles\j1md7pym.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKLM-Run-NapsterShell - c:\program files\Napster\napster.exe
HKLM-Run-BigFix - c:\program files\Bigfix\bigfix.exe
HKLM_ActiveSetup-ccc-core-static - msiexec
AddRemove-FE1DFAE4-5EA6-42DC-AAF6-D870FEF0E558 - c:\users\Jen & Bill\Desktop\Mario SMBX\uninstall.exe
AddRemove-{C9EAEE6B-741F-421D-B9CE-9FA300DA92AD}_is1 - c:\users\Jen & Bill\Desktop\SMBX\unins001.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-14 18:49
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2241623534-2856479081-2054934141-1000\Software\SecuROM\License information*]
"datasecu"=hex:6a,15,02,7b,4e,73,4d,3b,48,bd,b6,fd,84,f2,ad,85,4b,dc,82,25,c0,
55,48,28,5d,f2,de,1f,07,a6,25,64,a7,da,03,9a,5e,c8,45,86,ec,9c,32,80,ae,db,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-06-14 18:53:47
ComboFix-quarantined-files.txt 2011-06-14 22:53
.
Pre-Run: 20,511,944,704 bytes free
Post-Run: 22,914,781,184 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
- - End Of File - - 56ECAE1B72F976824703A03C5518656A

Re: Vista antivirus 2012
Just this last one to fix and you're done....

In Internet Explorer go to Tools - Internet Options - Connections Tab - LAN Settings and remove the reference to 127.0.0.1:5555
then uncheck "Use a proxy server" and check "Automatically detect settings". You will have to reboot the machine after installing.
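An added triage helper, not from this thread or from ComboFix, that reads a constructed excerpt in the ComboFix log layout posted above and flags the two things acted on in this thread: a ProxyServer pointing at a loopback address (the 127.0.0.1:5555 entry) and autorun entries launched from a user profile's AppData or Temp (the rogue's qoo.exe lived in AppData\Local). The "qoo" Run entry in the sample is constructed for the demo; the real log only lists the file under "Other Deletions".

```python
import re

# Constructed sample in the ComboFix log layout seen in this thread.
# The "qoo" Run entry is invented for the demo.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"qoo"="c:\users\Jen & Bill\AppData\Local\qoo.exe" [2011-06-13 311296]
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
"""

RUN_KEY_RE = re.compile(r'^\[(HKEY_[^\]]*\\Run(?:Once)?)\]$', re.IGNORECASE)
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[([^\]]*)\]')
PROXY_RE = re.compile(r'^([um])Internet Settings,ProxyServer\s*=\s*(.+)$')
# Autoruns started from a user's AppData or Temp deserve a second look;
# the rogue binary in this thread was dropped into AppData\Local.
USER_WRITABLE_RE = re.compile(
    r'\\users\\[^\\]+\\(appdata|temp)\\|\\local settings\\', re.IGNORECASE)
LOOPBACK = {'127.0.0.1', 'localhost', '::1'}


def parse_proxy(value):
    """'http=127.0.0.1:5555' or 'host:port' -> (host, port or None)."""
    target = value.split(';')[0].split('=', 1)[-1].strip()
    host, sep, port = target.rpartition(':')
    if not sep:
        return target, None
    return host, int(port) if port.isdigit() else None


def triage(log_text):
    """Return (kind, scope, detail, extra) tuples for lines worth a look."""
    findings, current_key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = RUN_KEY_RE.match(line)
        if key or line.startswith('['):
            current_key = key.group(1) if key else None  # track Run keys only
            continue
        entry = RUN_VALUE_RE.match(line)
        if entry and current_key:
            name, path = entry.group(1), entry.group(2)
            if USER_WRITABLE_RE.search(path):
                findings.append(('autorun-user-path', current_key, name, path))
            continue
        proxy = PROXY_RE.match(line)
        if proxy:
            host, port = parse_proxy(proxy.group(2))
            if host.lower() in LOOPBACK:
                findings.append(('loopback-proxy', proxy.group(1), host, port))
    return findings
```

The scope letter in a proxy finding is ComboFix's own prefix: u for the current user's settings, m for the machine-wide ones.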

Re: Vista antivirus 2012
Pancake wrote:
remove the reference to 127.0.0.1:5555
then uncheck "Use a proxy server"


The above wasn't there/checked, but I did the rest. Hopefully that's good?

Thanks a lot! :-)

Re: Vista antivirus 2012
Ok. All done. I see no more malware. Log looks good! All those detections are either in quarantine or system restore, both of which we'll be cleaning out in just a minute. Congratulations, well done.


Go to :
Start > Run then copy and paste the following highlighted (blue) text below into the box and click OK.


ComboFix /uninstall






Over the course of the fix you've used a variety of special tools to help with the cleaning process - none of these are of any use to you now that you're clean, and it's best not to have them hanging around on your computer. OTC is a small program that removes all the leftover tools and logs from cleanup of malware.


Please download OTC to your desktop.


Double-click OTC to run it. (Vista users, please right click on OTC and select "Run as an Administrator")

Click on the CleanUp! button and follow the prompts.

You will be asked to reboot the machine to finish the Cleanup process, choose Yes.

After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.


Here are some tips to reduce the potential for malware infection in the future; I strongly suggest that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.

Afterwork

Malware Prevention

How Did I Get Infected

More Tips on Prevention

=============================


Re: Vista antivirus 2012
Ok, done with that. However now, I can't re-register Avast, I can't upgrade it, I can't uninstall it. It won't upgrade because it's expired, when I go to the registration page, it does nothing when I click on it. I can't uninstall, it just says "There was an error during uninstallation."

I can't find anything on their support site that would help. :-/

Re: Vista antivirus 2012
Try this...

http://www.revouninstaller.com/revo_uninstaller_free_download.html

Re: Vista antivirus 2012
That didn't work. It's requiring the use of the application's built-in uninstaller, which isn't working and not uninstalling.

Re: Vista antivirus 2012
All I can suggest is that you do a search and delete all files found.

Re: Vista antivirus 2012
Thanks, I found the problem... an older version hiding out in the newer version's folder. No clue why it was there, but it's gone, all is well now.

Big thanks for all you do!!!

Re: Vista antivirus 2012
You're welcome. Glad to help.
