Help with bogus security warning

Hi everyone. I am hoping here that there are some experts who could help me with my laptop. Now bear in mind although I can use a lappy quite well I am a dumbo middle aged woman when it comes to anything technical, so please be gentle with me.
Anyway here we go. A few days ago when DH was using the comp there was a warning flashing up on the comp that stated there was a serious threat to security. Now I presume he clicked ok to fix this prob as he thought it was something Windows recommended. This resulted in a green toolbar and a new home page. Since then the laptop is running very very slow, and the home page is saying "security centre status: warning", saying I have to install antispyware software. Also a blue box appears on the top of this saying Windows Explorer warning. I can't copy all this to show you as it won't allow me, and I don't know whether it's safe to copy the link, which says "safesurfingpage.com/security.xp". The link on the home page is just "about blank". Even when I change the homepage it instantly reverts back to this.
(A relative did manage to get rid of the toolbar by running a scan of some sort but couldn't stay long enough to do anything else.)

My son who usually helps me with this is currently overseas on business so I'm helpless.


So please any help guys.

Comments

  • John_Gray
    John_Gray Posts: 5,845 Forumite
    Look at Browntoa's post, which is #2 in this thread. Why isn't it a Sticky, I ask?!
  • chatty123
    chatty123 Posts: 794 Forumite
    Okay thanks here we are:....

    Malwarebytes' Anti-Malware 1.30
    Database version: 1333
    Windows 5.1.2600 Service Pack 3

    28/10/2008 19:09:44
    mbam-log-2008-10-28 (19-09-44).txt

    Scan type: Quick Scan
    Objects scanned: 54757
    Time elapsed: 9 minute(s), 33 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 9
    Registry Values Infected: 8
    Registry Data Items Infected: 0
    Folders Infected: 12
    Files Infected: 45

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\Program Files\Applications\iebt.dll (Trojan.Zlob) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{3b7aaeb1-9f3d-4491-9c06-c7165ca8d058} (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3b7aaeb1-9f3d-4491-9c06-c7165ca8d058} (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3b7aaeb1-9f3d-4491-9c06-c7165ca8d058} (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{2a5c2e6d-864b-4f2c-9542-8b272741d78b} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\UAV (Rogue.UltimateAntivirus) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00e8492 (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEBrowse Tool (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer Bar (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f27224f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f17e743.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f1fe940.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f272731.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f6696b.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Game (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\WAV (Rogue.WindowsAntivirus2008) -> Quarantined and deleted successfully.
    C:\Program Files\UAV (Rogue.UltimateAntivirus) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Program Files\Applications\iebt.dll (Trojan.Zlob) -> Delete on reboot.
    C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\00118ECF (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\0011947D (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\0011975B.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\0011996E.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\00119B43.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Cache\00119C6C.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\History\search2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings\setting2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings\settings.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings\s_bfeats.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\UAV\Uninstall.exe (Rogue.UltimateAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\SAV\sav.ooo (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Antivirus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Online Spyware Test.url (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\Applications\iebr.dll (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\Applications\iebtm.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\Applications\iebtmm.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\Applications\iebtu.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\Applications\iebu.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\Applications\myd.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\Applications\mym.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\Applications\myp.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\Applications\myv.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\Applications\ot.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\Applications\ts.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\Applications\wcm.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\Applications\wcs.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\Applications\wcu.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\julie\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\julie\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\julie\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\julie\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.
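
A log of this size is easier to triage mechanically. The following Python is an added example, not part of the original thread and not Malwarebytes' own code: it parses the log format posted above, counts detections per family, and singles out registry autostart locations and items whose removal is deferred until reboot. The names `parse_log`, `triage` and `AUTOSTART` are made up for this example, and the sample input is a short excerpt of the log above.

```python
import re
from collections import Counter

# Excerpt copied from the Malwarebytes log posted above (not the full log).
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\Program Files\Applications\iebt.dll (Trojan.Zlob) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00e8492 (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f27224f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
"""

SECTION = re.compile(r"^(.+?) Infected:$")  # e.g. "Registry Keys Infected:"
ENTRY = re.compile(r"^(?P<obj>.+) \((?P<name>[\w.]+)\) -> (?P<action>.+?)\.?$")

# Registry locations that load code at logon or inside Internet Explorer.
AUTOSTART = (
    ("\\currentversion\\run\\", "Run value"),
    ("\\winlogon\\notify\\", "Winlogon Notify package"),
    ("\\browser helper objects\\", "Browser Helper Object"),
)

def parse_log(text):
    """Return one dict per detection: section, obj, name, action."""
    section, entries = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SECTION.match(line):
            section = m.group(1)      # summary counts ("...: 9") do not match
        elif section and (m := ENTRY.match(line)):
            entries.append({"section": section, **m.groupdict()})
    return entries

def triage(entries):
    """Count detections per family, list autostart hooks and pending deletions."""
    families = Counter(e["name"] for e in entries)
    autostart = [(label, e["obj"]) for e in entries
                 for needle, label in AUTOSTART if needle in e["obj"].lower()]
    pending = [e["obj"] for e in entries if "reboot" in e["action"].lower()]
    return families, autostart, pending

if __name__ == "__main__":
    families, autostart, pending = triage(parse_log(SAMPLE_LOG))
    print(dict(families))
    print(autostart)
    print("Still present until restart:", pending)
```

An entry marked "Delete on reboot" is still on disk until the machine restarts, so a rescan after the reboot confirms it is gone.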
  • Well that cleared out some crap.

    Follow that up with this;
    Please do a scan with Kaspersky Online Scanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, click on View scan report
    • Now, click on the Save Report as button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    This does not remove files so is safe.
  • chatty123
    chatty123 Posts: 794 Forumite
    "Well that cleared out some crap."

    seems to have done

    on stage 2 now.
    watch this space
  • Gosh that took over 2 hours.
    anyway bit late but here it is

    KASPERSKY ONLINE SCANNER 7 REPORT
    Tuesday, October 28, 2008
    Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Tuesday, October 28, 2008 17:18:16
    Records in database: 1354557


    Scan settings
    Scan using the following database extended
    Scan archives yes
    Scan mail databases yes

    Scan area My Computer
    C:\
    D:\

    Scan statistics
    Files scanned 72752
    Threat name 3
    Infected objects 5
    Suspicious objects 0
    Duration of the scan 02:23:25

    File name Threat name Threats count
    C:\Documents and Settings\julie\Local Settings\Temporary Internet Files\Content.IE5\320VX0PL\WAV2008Setup[1].exe Infected: not-a-virus:FraudTool.Win32.MSAntivirus.bf 1

    C:\ISP\BT_Openworld\Narrowband\Signup\Anytime\signupLt.exe Infected: not-a-virus:Dialer.Win32.BT.b 1

    C:\ISP\BT_Openworld\Narrowband\Signup\Standard\SignupLt.exe Infected: not-a-virus:Dialer.Win32.BT.b 1

    C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys\WebSys.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1

    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1

    The selected area was scanned.
  • Nothing over sinister there.

    Your choice, either follow the path of the files and delete or run a scanner that will delete too.
  • chatty123
    chatty123 Posts: 794 Forumite
    Thank you reluctant spender. The 1st scan seemed to have done the trick and got rid of this security homepage.
    Just the lappy running slow now so will work on that.

    Think I will tell my son I did it all on my own....lol

    Thank you again for another great MSE advice.
This discussion has been closed.