Emsisoft Support: ISeeYouXP File Infected - Will not execute


ISeeYouXP File Infected - Will not execute

#1 CLBridges (Member; Group: Members; Posts: 13; Joined: 09-February 10)

Posted 09 February 2010 - 03:16 PM

I've read the forum requirements and hope I'm doing this correctly. I've downloaded and installed the following:

HiJackFree
a-squared Free (and updated the files)
CCleaner Slim
ISeeYouXP

I ran CCleaner Slim, and did a full system scan with a-squared and have saved the log. But now, when I try to run ISeeYouXP, I get this WARNING:

Application cannot be executed. The file is infected. Please activate your antivirus software.

I've attached the saved file from the a-squared scan. Please advise how to proceed.

Also, I'd like to mention that I currently have Norton Internet Security Suite installed and whatever's happened to my computer slipped right by it without a mention. The a-squared scan found many things.. and Norton says I'm 'clean'! My Norton subscription expires in 31 days and I am NOT renewing it!

Thanks!


#2 Lynx (Anti-Malware Geek; Group: Moderators; Posts: 1267; Joined: 30-September 09; Location: Australia)

Posted 09 February 2010 - 03:24 PM

Hi CLBridges, welcome to the forum

You have to deactivate any real-time resident protection (better) or ignore that message - the flagging of ISeeYouXP is a False Positive

Malware removal Tools can be flagged for different reasons.
They can be packed / they can use the same code as malware is using, etc.

So please attach all required log files

My regards
XP Pro, SP3 (32-bit); a2-Free 4.5.0.27(beta); Firewall: Comodo CIS (Defense+ HIPS); Software DEP: integrated into Firewall; Anti-Malware: Mamutu 2.0.0.23 (beta); Verification Engine PlugIn (resident); AntiVirus: AVG Free (guard resident)

#3 CLBridges (Member; Group: Members; Posts: 13; Joined: 09-February 10)

Posted 09 February 2010 - 03:43 PM

Lynx, on 09 February 2010 - 03:24 PM, said:

..the flagging of ISeeYouXP is False Positive..

Yeah, I figured as much :)

Quote

So please attach all required log files

When I get the error message, it closes ISeeYouXP. How do I go about executing the file so I can send it to you?

Thanks for the quick response!

Carrie**

#4 Lynx (Anti-Malware Geek; Group: Moderators; Posts: 1267; Joined: 30-September 09; Location: Australia)

Posted 09 February 2010 - 03:52 PM

Can you be more specific about the message?
Is it the message by ...? Does it really say "activate"?

You can even post an image.

What OS / platform are you running?

Have you disabled existing security?

Are there problems with running HiJackFree too?

#5 CLBridges (Member; Group: Members; Posts: 13; Joined: 09-February 10)

Posted 09 February 2010 - 04:04 PM

No, I hadn't disabled Norton, but I have now.. I am running Windows XP Professional, Version 2002 Service Pack 3.

I believe the error message is coming from Internet Security 2010, which from what I understand is a bogus scanning software that gives you all kinds of 'infection' messages so you'll download (for money) their software to fix it. I've also got smss32.exe under Win32.Fakeinit!IK showing up.

I hadn't tried running HiJackFree yet.. thought I had to do it in order. But I will, and attach the log.

Oh shizzle.. I've got to leave for work in a few so it'll have to wait till tonight when I get home.

But the error message said exactly what I had shown. I'll try to screen capture it later. A lot of my programs are getting that same error message as if they're infected. But I was pretty sure they weren't.

Thanks for your help, Lynx.

Carrie**

#6 Lynx (Anti-Malware Geek; Group: Moderators; Posts: 1267; Joined: 30-September 09; Location: Australia)

Posted 09 February 2010 - 04:08 PM

I see.
Take your time - you will be advised by ShadowPuterDude re: fake AV and how to proceed

My regards

#7 CLBridges (Member; Group: Members; Posts: 13; Joined: 09-February 10)

Posted 10 February 2010 - 04:09 AM

Don't know where the idea came from, but when I left the 'WARNING' window open and tried executing the file again, it worked!!

So attached are the log files requested.

Thanks for all of your help!

Carrie**


#8 ShadowPuterDude (Anti-Malware Geek; Group: Moderators; Posts: 1403; Joined: 01-October 09; Location: Northern NY)

Posted 11 February 2010 - 07:53 PM

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell"="explorer.exe"
    "Userinit"="C:\\WINDOWS\\system32\\Userinit.exe,"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=-
    
    :Files
    helper32.dll /lsp
    winhelper86.dll /lsp
    %HOMEDRIVE%\Internet Security 2010.lnk /s
    %systemroot%\System32\winlogon32.exe
    %systemroot%\System32\smss32.exe
    %systemroot%\System32\AVR10.exe
    %systemroot%\System32\helper32.dll
    %systemroot%\System32\winlogon32.exe
    %systemroot%\System32\smss32.exe
    %systemroot%\System32\warning.html
    %systemroot%\system32\IS15.exe
    %systemroot%\System32\winhelper86.dll
    %HOMEDRIVE%\trhh.exe
    %HOMEDRIVE%\sdigdvmg.exe
    %HOMEDRIVE%\wgqi.exe
    %HOMEDRIVE%\byyk.exe
    %systemroot%\lsass.exe 
    %systemroot%\odbn0.exe
    %systemroot%\System32\sdra64.exe
    %systemroot%\System32\41.exe
    %systemroot%\System32\153.exe
    %systemroot%\System32\292.exe
    %systemroot%\System32\491.exe
    %systemroot%\System32\1869.exe
    %systemroot%\system32\2876.exe
    %systemroot%\System32\2995.exe
    %systemroot%\System32\3902.exe
    %systemroot%\System32\4827.exe
    %systemroot%\System32\5436.exe
    %systemroot%\System32\5447.exe
    %systemroot%\System32\5705.exe
    %systemroot%\System32\6334.exe
    %systemroot%\System32\7376.exe
    %systemroot%\System32\9961.exe
    %systemroot%\System32\11478.exe
    %systemroot%\System32\11538.exe
    %systemroot%\System32\11942.exe
    %systemroot%\System32\12382.exe
    %systemroot%\system32\12662.exe
    %systemroot%\System32\13931.exe
    %systemroot%\system32\14070.exe
    %systemroot%\System32\14604.exe
    %systemroot%\System32\14771.exe
    %systemroot%\System32\15724.exe
    %systemroot%\System32\16827.exe
    %systemroot%\System32\16944.exe
    %systemroot%\system32\17125.exe
    %systemroot%\System32\17421.exe
    %systemroot%\System32\18467.exe
    %systemroot%\System32\18716.exe
    %systemroot%\System32\19169.exe
    %systemroot%\System32\19718.exe
    %systemroot%\System32\19895.exe
    %systemroot%\system32\19905.exe
    %systemroot%\System32\19912.exe
    %systemroot%\system32\21386.exe
    %systemroot%\System32\21726.exe
    %systemroot%\system32\22934.exe
    %systemroot%\System32\23281.exe
    %systemroot%\system32\24242.exe
    %systemroot%\System32\24464.exe
    %systemroot%\system32\24478.exe
    %systemroot%\System32\26308.exe
    %systemroot%\System32\26500.exe
    %systemroot%\System32\26962.exe
    %systemroot%\system32\27213.exe
    %systemroot%\System32\28145.exe
    %systemroot%\system32\28466.exe
    %systemroot%\System32\29358.exe
    %systemroot%\System32\32391.exe
    %systemroot%\System32\32439.exe
    %systemroot%\system32\ndisdrv.sys
    %HOMEDRIVE%\s
    %systemroot%\system32\kbdsock.dll
    %systemroot%\system32\mshlps.dll 
    %systemroot%\system32\drivers\kdrhkukb.sys 
    %PROGRAMFILES%\InternetSecurity2010
    %systemroot%\System32\lowsec
    
    :Services
    lmuytnv
    ndisdrv
    qvazdxe
    
    :Commands
    [purity]
    [emptytemp]
    [CREATERESTOREPOINT] 
    [resethosts]
    

  • Then click the Run Fix button at the top
  • Let the program run unhindered, it won't take long.

Attach logs for:
  • OTL
  • a-squared Free/Anti-Malware
  • ISeeYouXP
  • HiJackFree

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
Kevin Zoll [Malware Removal Team Lead]

"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Microsoft Most Valuable Professional - Consumer Security (2007-2008)
Member - Alliance of Security Analysis Professionals - Since 2006


MS Windows XP Professional 32-bit SP3
AMD Athlon 64 2650e 1.6Ghz
2GB Dual-Channel DDR2 PC2-5300 (333 MHz)
NVIDIA GeForce 6150SE/nForce 430 512Mb
Realtek High Definition Audio
160GB Seagate ST316081
HL-DT-ST DVDRAM GH15F CdRom

#9 CLBridges (Member; Group: Members; Posts: 13; Joined: 09-February 10)

Posted 12 February 2010 - 09:05 AM

ShadowPuterDude, on 11 February 2010 - 10:53 AM, said:

and also let me know how things are running now!

Seems to be back to its old self again! :) I've attached the new scans..

Thanks!

Carrie**


#10 ShadowPuterDude (Anti-Malware Geek; Group: Moderators; Posts: 1403; Joined: 01-October 09; Location: Northern NY)

Posted 12 February 2010 - 06:59 PM

Much better, but we still have some stuff that needs to be removed.

Run OTL.

Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
    • Attach both logs with your next reply.


#11 CLBridges (Member; Group: Members; Posts: 13; Joined: 09-February 10)

Posted 13 February 2010 - 05:37 AM

OTL and EXTRAS files are attached as requested.

Thanks!

Carrie**

Attached File(s): OTL.Txt (101.68K), Extras.Txt (47.01K)

#12 ShadowPuterDude (Anti-Malware Geek; Group: Moderators; Posts: 1403; Joined: 01-October 09; Location: Northern NY)

Posted 17 February 2010 - 01:55 AM

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    SRV - (WMP54Gv4SVC) --  File not found
    SRV - (tmlisten) --  File not found
    SRV - (OfcPfwSvc) --  File not found
    SRV - (ntrtscan) --  File not found
    O15 - HKLM\..Trusted Domains: buy-internetsecurity10.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: buy-is2010.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
    O15 - HKCU\..Trusted Domains: buy-internetsecurity10.com ([]http in Trusted sites)
    O15 - HKCU\..Trusted Domains: buy-is2010.com ([]http in Trusted sites)
    O15 - HKCU\..Trusted Domains: is10-soft-download.com ([]http in Trusted sites)
    O15 - HKCU\..Trusted Domains: is-software-download.com ([]http in Trusted sites)
    O15 - HKCU\..Trusted Domains: is-software-download25.com ([]http in Trusted sites)
    O33 - MountPoints2\{6af5ebed-3a9f-11de-a503-0018f8b0ceff}\Shell\AutoRun\command - "" = H:\setupSNK.exe -- File not found
    O33 - MountPoints2\{9a1e5ee3-c44f-11dd-a48d-000874c1f9d1}\Shell\AutoRun\command - "" = H:\LinksysConnectPC.exe -- File not found
    
    :Files
    C:\WINDOWS\System32\15281.exe
    C:\WINDOWS\System32\14798.exe
    C:\WINDOWS\System32\19796.exe
    C:\WINDOWS\System32\20580.exe
    C:\WINDOWS\System32\6618.exe
    C:\WINDOWS\System32\13458.exe
    C:\WINDOWS\System32\25200.exe
    C:\WINDOWS\System32\7448.exe
    C:\WINDOWS\System32\9503.exe
    C:\WINDOWS\System32\29314.exe
    C:\WINDOWS\System32\1587.exe
    C:\WINDOWS\System32\30523.exe
    C:\WINDOWS\System32\14343.exe
    C:\WINDOWS\System32\3093.exe
    C:\WINDOWS\System32\20485.exe
    C:\WINDOWS\System32\3195.exe
    C:\WINDOWS\System32\32702.exe
    C:\WINDOWS\System32\14989.exe
    C:\WINDOWS\System32\32609.exe
    C:\WINDOWS\System32\5844.exe
    C:\WINDOWS\System32\11008.exe
    C:\WINDOWS\System32\6224.exe
    C:\WINDOWS\System32\30303.exe
    C:\WINDOWS\System32\22798.exe
    C:\WINDOWS\System32\31556.exe
    C:\WINDOWS\System32\16519.exe
    C:\WINDOWS\System32\5249.exe
    C:\WINDOWS\System32\20600.exe
    C:\WINDOWS\System32\17451.exe
    C:\WINDOWS\System32\18935.exe
    C:\WINDOWS\System32\7616.exe
    C:\WINDOWS\System32\14309.exe
    C:\WINDOWS\System32\9514.exe
    C:\WINDOWS\System32\22813.exe
    C:\WINDOWS\System32\6617.exe
    C:\WINDOWS\System32\14310.exe
    C:\WINDOWS\System32\2421.exe
    C:\WINDOWS\System32\17807.exe
    C:\WINDOWS\System32\22483.exe
    C:\WINDOWS\System32\24648.exe
    C:\WINDOWS\System32\14893.exe
    C:\WINDOWS\System32\3728.exe
    C:\WINDOWS\System32\467.exe
    C:\WINDOWS\System32\18127.exe
    C:\WINDOWS\System32\3788.exe
    C:\WINDOWS\System32\6900.exe
    C:\WINDOWS\System32\27938.exe
    C:\WINDOWS\System32\26418.exe
    C:\WINDOWS\System32\1999.exe
    C:\WINDOWS\System32\53.exe
    C:\WINDOWS\System32\4734.exe
    C:\WINDOWS\System32\8281.exe
    C:\WINDOWS\System32\24484.exe
    C:\WINDOWS\System32\19668.exe
    C:\WINDOWS\System32\23199.exe
    C:\WINDOWS\System32\27348.exe
    C:\WINDOWS\System32\24021.exe
    C:\WINDOWS\System32\4596.exe
    C:\WINDOWS\System32\11020.exe
    C:\WINDOWS\System32\9374.exe
    C:\WINDOWS\System32\30836.exe
    C:\WINDOWS\System32\10291.exe
    C:\WINDOWS\System32\24350.exe
    C:\WINDOWS\System32\3602.exe
    C:\WINDOWS\System32\4041.exe
    C:\WINDOWS\System32\27595.exe
    C:\WINDOWS\System32\6483.exe
    C:\WINDOWS\System32\21548.exe
    C:\WINDOWS\System32\20537.exe
    C:\WINDOWS\System32\27624.exe
    C:\WINDOWS\System32\6359.exe
    C:\WINDOWS\System32\17410.exe
    C:\WINDOWS\System32\1655.exe
    C:\WINDOWS\System32\18762.exe
    C:\WINDOWS\System32\32591.exe
    C:\WINDOWS\System32\900.exe
    C:\WINDOWS\System32\29168.exe
    C:\WINDOWS\System32\16413.exe
    C:\WINDOWS\System32\13030.exe
    C:\WINDOWS\System32\27506.exe
    C:\WINDOWS\System32\24946.exe
    C:\WINDOWS\System32\6422.exe
    C:\WINDOWS\System32\18588.exe
    C:\WINDOWS\System32\24221.exe
    C:\WINDOWS\System32\9758.exe
    C:\WINDOWS\System32\32209.exe
    C:\WINDOWS\System32\8909.exe
    C:\WINDOWS\System32\14945.exe
    C:\WINDOWS\System32\10383.exe
    C:\WINDOWS\System32\27753.exe
    C:\WINDOWS\System32\12287.exe
    C:\WINDOWS\System32\15457.exe
    C:\WINDOWS\System32\11337.exe
    C:\WINDOWS\System32\18007.exe
    C:\WINDOWS\System32\30191.exe
    C:\WINDOWS\System32\31107.exe
    C:\WINDOWS\System32\3430.exe
    C:\WINDOWS\System32\13966.exe
    C:\WINDOWS\System32\21724.exe
    C:\WINDOWS\System32\16941.exe
    C:\WINDOWS\System32\1150.exe
    C:\WINDOWS\System32\27350.exe
    C:\WINDOWS\System32\12052.exe
    C:\WINDOWS\System32\4031.exe
    C:\WINDOWS\System32\15574.exe
    C:\WINDOWS\System32\23655.exe
    C:\WINDOWS\System32\24767.exe
    C:\WINDOWS\System32\22355.exe
    C:\WINDOWS\System32\18636.exe
    C:\WINDOWS\System32\9161.exe
    C:\WINDOWS\System32\13290.exe
    C:\WINDOWS\System32\23986.exe
    C:\WINDOWS\System32\16512.exe
    C:\WINDOWS\System32\5097.exe
    C:\WINDOWS\System32\15573.exe
    C:\WINDOWS\System32\26777.exe
    C:\WINDOWS\System32\5829.exe
    C:\WINDOWS\System32\6270.exe
    C:\WINDOWS\System32\19072.exe
    C:\WINDOWS\System32\26924.exe
    C:\WINDOWS\System32\28745.exe
    C:\WINDOWS\System32\5021.exe
    C:\WINDOWS\System32\22386.exe
    C:\WINDOWS\System32\31673.exe
    C:\WINDOWS\System32\2306.exe
    C:\WINDOWS\System32\13977.exe
    C:\WINDOWS\System32\9930.exe
    C:\WINDOWS\System32\22704.exe
    C:\WINDOWS\System32\29658.exe
    C:\WINDOWS\System32\4639.exe
    C:\WINDOWS\System32\31115.exe
    C:\WINDOWS\System32\4833.exe
    
    :Commands
    [purity]
    [emptytemp]
    [resethosts]
    [start explorer]
    [Reboot]
    

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new OTL log (don't check the boxes beside LOP Check or Purity this time)


#13 CLBridges (Member; Group: Members; Posts: 13; Joined: 09-February 10)

Posted 17 February 2010 - 03:56 AM

New OTL log attached.

Thanks!


#14 ShadowPuterDude (Anti-Malware Geek; Group: Moderators; Posts: 1403; Joined: 01-October 09; Location: Northern NY)

Posted 17 February 2010 - 04:24 AM

OK, let's get a fresh set of logs.

Attach logs for:
  • a-squared Free/Anti-Malware
  • ISeeYouXP
  • HiJackFree

Let me know how things are running now!

#15 CLBridges (Member; Group: Members; Posts: 13; Joined: 09-February 10)

Posted 17 February 2010 - 10:53 AM

Fresh set of logs attached. The most noticeable thing so far is that the time it took to run a DEEP SCAN has been cut by almost an HOUR!

WOOHOO!

Carrie**


#16 ShadowPuterDude (Anti-Malware Geek; Group: Moderators; Posts: 1403; Joined: 01-October 09; Location: Northern NY)

Posted 19 February 2010 - 02:30 AM

Your logs are looking much better. However, you have several items disabled via MsConfig, including some malware. I need you to enable everything that is disabled in MsConfig.

Reboot

Attach a fresh ISeeYouXP log.

#17 CLBridges (Member; Group: Members; Posts: 13; Joined: 09-February 10)

Posted 19 February 2010 - 03:09 AM

Here is the new ISeeYouXP log after enabling everything in MSCONFIG and rebooting..


#18 ShadowPuterDude (Anti-Malware Geek; Group: Moderators; Posts: 1403; Joined: 01-October 09; Location: Northern NY)

Posted 20 February 2010 - 01:47 AM

The installed version of Java on this computer is out-dated. Install Java Runtime Environment (JRE) 6u18 available from Sun Microsystems.

-----------------------------------------------------------

Using Add or Remove Programs in the Control Panel; uninstall the following:

Quote

Java™ 6 Update 3
Search Settings v1.2.3

-----------------------------------------------------------

Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Internet Security 2010"=-


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"smss32.exe"=-
"SearchSettings"=-
"PromoReg"=-
"30252921"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

Close Notepad.

Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

-----------------------------------------------------------

Download Avenger from HERE and unzip to your desktop.

  • Run Avenger
  • Read the prompt that appears, and press OK
  • Copy & paste the following text in Input script Box:
    Files to delete:
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\30252921\30252921.exe
    C:\Program Files\InternetSecurity2010\IS2010.exe
    C:\Program Files\Search Settings\SearchSettings.exe
    C:\WINDOWS\system32\smss32.exe
    C:\WINDOWS\Temp\_ex-08.exe
    
    Folders to delete:
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\30252921
    C:\Program Files\InternetSecurity2010
    C:\Program Files\Search Settings
    

    Then click "Execute".
  • You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  • Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Attach that log here in your next post.

-----------------------------------------------------------

Attach logs for:
  • Avenger (C:\avenger.txt)
  • ISeeYouXP
  • HiJackFree

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
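A small parser for the REGEDIT4 syntax used by FixReg.reg above and by the :Reg section of the OTL fix in post #8, added here as an example (it is not Emsisoft, OTL or Avenger code): it turns each line into an explicit action and explains what merging it would do, flagging any Winlogon Shell/Userinit value that is not the XP default. The sample text is constructed from the registry lines in those two posts.

```python
import re
from dataclasses import dataclass


@dataclass
class RegAction:
    op: str              # "set_value", "delete_value" or "delete_key"
    key: str
    name: str = ""       # "" is the (Default) value; unused for delete_key
    value: str = ""      # unused for deletes; dword:/hex: data is kept raw

# Constructed sample: the registry lines from posts #8 and #18 of this thread.
SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\Userinit.exe,"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Internet Security 2010"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"smss32.exe"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
"""

# Known-good XP values for the Winlogon entries the fix rewrites (compared
# case-insensitively); anything else written there deserves a second look.
WINLOGON_DEFAULTS = {"shell": "explorer.exe",
                     "userinit": r"c:\windows\system32\userinit.exe,"}

# "name"=data  or  @=data  (the @ form addresses the key's default value)
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Turn REGEDIT4 text into RegAction objects in file order."""
    actions, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT"):
            continue                          # blank, comment or header line
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):           # [-KEY] deletes the whole key
                actions.append(RegAction("delete_key", key[1:]))
                key = None                    # no values may follow it
            continue
        m = _VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError(f"unparseable .reg line: {raw!r}")
        name = _unescape(m.group(1) or "")
        data = m.group(2).strip()
        if data == "-":                       # "name"=- deletes that value
            actions.append(RegAction("delete_value", key, name))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            actions.append(RegAction("set_value", key, name, _unescape(data[1:-1])))
        else:
            actions.append(RegAction("set_value", key, name, data))
    return actions


def describe(a):
    """One-line meaning of an action; flags non-default Winlogon values."""
    k = a.key.lower()
    leaf = a.key.rsplit("\\", 1)[-1]
    if a.op == "delete_key":
        kind = "browser helper object" if "browser helper objects" in k else "key"
        return f"deletes {kind} {leaf}"
    if a.op == "delete_value":
        if k.endswith(r"\run"):
            return f"removes autostart entry {a.name!r}"
        if a.name.lower() == "disabletaskmgr":
            return "re-enables Task Manager (removes the DisableTaskMgr policy)"
        return f"deletes value {a.name!r} under {leaf}"
    expected = WINLOGON_DEFAULTS.get(a.name.lower()) if k.endswith(r"\winlogon") else None
    if expected is None:
        return f"sets {a.name!r} = {a.value!r} under {leaf}"
    if a.value.lower() == expected:
        return f"restores Winlogon {a.name} to the XP default"
    return f"SUSPICIOUS: Winlogon {a.name} set to {a.value!r}, default is {expected!r}"


def review(text):
    return [describe(a) for a in parse_reg(text)]
```

Running `review(SAMPLE_REG)` lists one line per action, so the effect of a fix script can be read off before it is merged.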

#19 CLBridges (Member; Group: Members; Posts: 13; Joined: 09-February 10)

Posted 20 February 2010 - 05:16 AM

New logs attached..

Thanks!

Carrie**


#20 ShadowPuterDude (Anti-Malware Geek; Group: Moderators; Posts: 1403; Joined: 01-October 09; Location: Northern NY)

Posted 21 February 2010 - 01:55 AM

Your logs look fine.

Unless you are having problems from Malware it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

Delete everything in C:\!KillBox (If I didn't have you use KillBox, then this won't be present)

Delete the following from your Desktop (If they exist)
Avenger.exe
Avenger.txt
Avenger.zip
CFscript.txt
dds.scr
dds.pif
DisableAutoRuns.reg
fixes.bat
FixMe.reg
FixReg.reg
ISeeYouXP.exe
ISeeYouXP.lnk
ISeeYouXP.txt
Win32kDiag.exe
Win32kDiag.txt
Anything else I had you use

Delete the following files: (If they exist)
C:\Avenger.txt
C:\ComboFix.txt

Delete the following folders: (If they exist)
C:\Avenger
C:\AvoidTDSS
C:\ComboFix
C:\SDFix
C:\Qoobox

Empty the Recycle Bin

Run CCleaner

Turn off System restore to flush all your restore points then turn system restore back on. See How To Enable and Disable System Restore.

Inside the ISeeYouXP folder, locate and double-click HideIT.bat (C:\ISeeYouXP\HideIT.bat). This will return viewing of Hidden and System Files and Folders to the default settings.

Delete C:\ISeeYouXP

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Run Windows Update and update your Windows Operating System.

Run the Secunia Online Software Inspector; this will inspect your system for software that is out-of-date and in need of updating. Update any program/application detected as being outdated.

Articles to read:
Protect Yourself From Malware: Tools And Tips
How to keep you and your Windows PC happy
Web, email, chat, password and kids safety

That should take care of everything.

Safe Surfing!

#21 ShadowPuterDude (Anti-Malware Geek; Group: Moderators; Posts: 1403; Joined: 01-October 09; Location: Northern NY)

Posted 24 February 2010 - 10:33 PM

Thread Closed

Reason:
Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread
