XP 2013 Security Update

lisa76

Whilst the other half was browing the internet yesterday he said Windows XP 2013 Security Alert popped up and starting scanning the laptop and finding infections etc etc. We have the official looking security shield in the bottom right hand corner and it keeps popping up with security alerts (someone is trying to hijack your pc etc etc). We now cannot open the internet as it says all the pages are dangerous. I have run a full avast scan and it found 2 infections that it deleted. I've run CC Cleaner and ran malware in safe mode last night (found nothing) but we're not getting anywhere.

I wanted to run hijackthis to post a log on here but it won't let me open it.

Hubby is home today so he'll be working through the remove malware/spyware guide but I was just wondering if there was a 'quick fix'?

Grateful for any advice

macman

Try running Malwarebytes in Safe Mode.
I am not sure if you are aware that 'Windows Security Alert 2013' is the malware?

50Twuncle

Will it let you into SAFE MODE ?
Try running your security programs in that mode ....

50Twuncle

macman wrote: »

Try running Malwarebytes in Safe Mode.
I am not sure if you are aware that 'Windows Security Alert 2013' is the malware?

great minds........

lisa76

Thanks both, we ran malwarebytes in safe mode last night and it found nothing but we'll now run avast, malwarebytes and cccleaner all in safe mode and see what happens.

Cheers

GunJack

http://www.bleepingcomputer.com/virus-removal/remove-xp-defender-2013

these instructions will probably sort you out, seems to be the same basic virus family as you have

waddler_8

Malwarebytes is optimised to work at it's best in normal mode (It has a driver that doesn't load in safe mode)

To get it running in normal mode if the malware blocks it, use it's chameleon technology.

http://helpdesk.malwarebytes.org/entries/21892442-should-i-scan-with-malwarebytes-anti-malware-in-safe-mode

CCleaner isn't security software - it just cleans out temp files.

waddler_8

If you still have problems post a DDS log - It should only take 2-3 minutes.

Download DDS from the link below and save it to your desktop:

Link

After you've downloaded it and saved it to your desktop:

• Double click DDS to run it.
• When it's finished, DDS will open two logs:

1. DDS.txt
2. Attach.txt

Save both reports to your desktop.

Copy & paste the contents of just DDS.txt for now and post it here (you may need to split the log over separate posts)

lisa76

Right after a whole day of hubby sat here working through avast etc etc it looks like the chameleon way has worked - thanks sooo much guys for your help!

If you don't mind I'll run whatever DDS thing you've suggested Waddler just to see if you can see any other nasties as I don't want something to be lurking.

I keep avast running and up to date so I am worried that this managed to get through!

lisa76

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 26/08/2006 23:03:10
System Uptime: 11/12/2012 15:38:42 (3 hours ago)
.
Motherboard: Dell Inc. | | 0RJ272
Processor: Intel(R) Pentium(R) M processor 1.70GHz | Microprocessor | 1695/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 53 GiB total, 9.978 GiB free.
is FIXED (NTFS) - 19 GiB total, 17.217 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1540: 09/11/2012 13:57:13 - System Checkpoint
RP1541: 10/11/2012 14:16:43 - System Checkpoint
RP1542: 11/11/2012 15:24:48 - System Checkpoint
RP1543: 12/11/2012 16:26:36 - System Checkpoint
RP1544: 13/11/2012 16:36:57 - System Checkpoint
RP1545: 14/11/2012 17:26:53 - System Checkpoint
RP1546: 15/11/2012 18:14:54 - System Checkpoint
RP1547: 15/11/2012 20:02:47 - Software Distribution Service 3.0
RP1548: 16/11/2012 08:20:52 - Software Distribution Service 3.0
RP1549: 17/11/2012 10:45:55 - System Checkpoint
RP1550: 18/11/2012 10:51:13 - System Checkpoint
RP1551: 19/11/2012 13:01:22 - System Checkpoint
RP1552: 20/11/2012 13:51:55 - System Checkpoint
RP1553: 21/11/2012 14:25:29 - System Checkpoint
RP1554: 23/11/2012 15:58:26 - System Checkpoint
RP1555: 24/11/2012 16:25:04 - System Checkpoint
RP1556: 25/11/2012 16:42:58 - System Checkpoint
RP1557: 26/11/2012 18:19:23 - System Checkpoint
RP1558: 27/11/2012 20:48:20 - System Checkpoint
RP1559: 29/11/2012 14:31:59 - System Checkpoint
RP1560: 30/11/2012 17:23:24 - System Checkpoint
RP1561: 01/12/2012 18:11:58 - System Checkpoint
RP1562: 02/12/2012 18:52:42 - System Checkpoint
RP1563: 03/12/2012 19:41:19 - System Checkpoint
RP1564: 04/12/2012 19:55:34 - System Checkpoint
RP1565: 05/12/2012 20:21:50 - System Checkpoint
RP1566: 07/12/2012 12:46:30 - System Checkpoint
RP1567: 08/12/2012 13:30:00 - System Checkpoint
RP1568: 09/12/2012 14:09:42 - System Checkpoint
RP1569: 10/12/2012 16:21:53 - System Checkpoint
.
==== Installed Programs ======================
.
924PLC32
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.4)
Adobe Shockwave Player 11.6
Akamai NetSession Interface
ArtistScope Plugin IE
avast! Free Antivirus
BlackBerry v4.2.2 for the 8320 Series Wireless Handheld
Bonjour
Broadcom Management Programs
CCleaner
CinepPlayer 30 Update
CleanMem
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Coupon Printer
Critical Update for Windows Media Player 11 (KB959772)
Defraggler
Dell CinePlayer

lisa76

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Boyo at 18:38:45 on 2012-12-11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.766 [GMT 0:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Antivirus *Disabled*
.
============== Running Processes ================
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CSHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.moneysavingexpert.com/
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uProxyOverride = localhost;*.local;<local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.5.0_07\bin\ssv.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_07\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} - hxxp://webeffective.keynote.com/applications/pconnector/download/ConnectorLauncher.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1348385168718
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.tescophoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{49796700-3288-4BF7-8A68-35E70B540249} : DHCPNameServer = 192.168.1.1
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
AppInit_DLLs= c:\progra~1\google\google~3\goec62~1.dll, c:\progra~1\google\google~3\goec62~1.dll
SSODL: CDBurn - <orphaned>
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {8d332d3a-0114-4492-8521-c2b93b4db160} - <orphaned>
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\boyo\application data\mozilla\firefox\profiles\mi18a8rs.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://searchfunmoods.com/?f=1&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzutDtDtCyCyC0F0A0Fzz0ByCyCtCyB0F0FtN0D0Tzu0CtAtBtBtN1L2XzutBtFtBtFtDtFtAyEyE&cr=1059296146
FF - prefs.js: keyword.URL - hxxp://searchfunmoods.com/?f=1&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzutDtDtCyCyC0F0A0Fzz0ByCyCtCyB0F0FtN0D0Tzu0CtAtBtBtN1L2XzutBtFtBtFtDtFtAyEyE&cr=1059296146&q=
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJPI150_07.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Funmoods.com: [EMAIL="ffxtlbr&#64;funmoods.com"]ffxtlbr@funmoods.com[/EMAIL] - %profile%\extensions\ffxtlbr@funmoods.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: avast! WebRep: [EMAIL="wrc&#64;avast.com"]wrc@avast.com[/EMAIL] - c:\program files\alwil software\avast5\webrep\FF
.
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
FF - user.js: extensions.funmoods.hmpg - true
FF - user.js: extensions.funmoods.hmpgUrl - hxxp://searchfunmoods.com/?f=1&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzutDtDtCyCyC0F0A0Fzz0ByCyCtCyB0F0FtN0D0Tzu0CtAtBtBtN1L2XzutBtFtBtFtDtFtAyEyE&cr=1059296146
FF - user.js: extensions.funmoods.dfltSrch - true
FF - user.js: extensions.funmoods.srchPrvdr - Search
FF - user.js: extensions.funmoods.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - true
FF - user.js: extensions.funmoods.newTabUrl - hxxp://searchfunmoods.com/?f=2&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzutDtDtCyCyC0F0A0Fzz0ByCyCtCyB0F0FtN0D0Tzu0CtAtBtBtN1L2XzutBtFtBtFtDtFtAyEyE&cr=1059296146
FF - user.js: extensions.funmoods.tlbrSrchUrl - hxxp://searchfunmoods.com/?f=3&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzutDtDtCyCyC0F0A0Fzz0ByCyCtCyB0F0FtN0D0Tzu0CtAtBtBtN1L2XzutBtFtBtFtDtFtAyEyE&cr=1059296146&q=
FF - user.js: extensions.funmoods.id - 00166FAF8B6617FF
FF - user.js: extensions.funmoods.instlDay - 15662
FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2211:35:27
FF - user.js: extensions.funmoods.prtnrId - funmoods
FF - user.js: extensions.funmoods.prdct - funmoods
FF - user.js: extensions.funmoods.aflt - download
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods.tlbrId - base
FF - user.js: extensions.funmoods.instlRef - download
FF - user.js: extensions.funmoods.dfltLng -
FF - user.js: extensions.funmoods.excTlbr - false
FF - user.js: extensions.funmoods.autoRvrt - false
FF - user.js: extensions.funmoods.envrmnt - production
FF - user.js: extensions.funmoods.isdcmntcmplt - true
FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-3 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-11-22 361032]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-22 21256]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-19 44808]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2010-8-29 266240]
R2 MSSQL$EONENERGYFIT;SQL Server (EONENERGYFIT);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-12-11 35144]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 dump_wmimmc;dump_wmimmc;\??\d:\new briefcase\bin\gameguard\dump_wmimmc.sys --> d:\new briefcase\bin\gameguard\dump_wmimmc.sys [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-10 14336]
S3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\RapportIaso.sys [2011-8-8 21520]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-10 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-12-11 15:55:48 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-12-10 18:12:06

---

d

---

w- c:\windows\system32\NtmsData
2012-12-02 09:14:23 316568 ---ha-r- c:\windows\system32\cpnprtuk.cid
2012-12-02 09:14:19 230840 ---ha-r- c:\windows\system32\cpnprt2.cid
2012-12-02 09:13:23

---

d

---

w- c:\windows\Cache
2012-12-02 09:13:15 31 ---ha-w- c:\windows\UKCpInfo.sys
2012-12-02 09:13:04

---

d

---

w- c:\program files\Coupon Printer
2012-11-18 12:01:48

---

d

---

w- c:\documents and settings\boyo\application data\Funmoods
.
==================== Find3M ====================
.
2012-10-30 22:51:58 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-10-30 22:51:07 41224 ----a-w- c:\windows\avastSS.scr
2012-10-22 08:37:31 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-19 01:33:03 76160 ----a-w- c:\windows\CouponPrinter.ocx
2012-10-02 18:04:21 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-29 18:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-20 22:27:57 61440 ----a-w- c:\windows\system32\CleanMem.exe
.
============= FINISH: 18:40:52.14 ===============