Win32:FakeAV-CUL [Trj]

Win32:FakeAV-CUL [Trj] on Windows XP

I’m not sure if this is where I should ask this, let me know if this is the wrong spot, thank you. I had a warning from my Avast that a "fake AV" was blocked and it said to do a boot-time scan for cleanup, so I did. I then tried to check for updates as my wife’s PC had some and that's when I got the ([Error number: 0x80070424] The website has encountered a problem and cannot display the page you are trying to view). I can’t get Windows updates and it says I have a problem in my Security Center; also I have tried System Restore and it says it “cannot be restored to this date” with any of the bold dates that I’ve tried. I ran Microsoft’s Malicious Software Removal Tool full scan and it came up 0. How do I now fix my Security Center and get updates? Thanks much for any help…dave

Which avast!..?? (Free/Pro/IS)
Which version…??
OS…?? (32/64 Bit - which SP)
Other security related software installed…??

The rogue has made some registry changes and turned off the Security Center/firewall etc…

Run a quick scan with malwarebytes and attach the log…

But you may need help from essexboy to turn the Security Center back on…see his guide at the top here

Quick scan 1/13/2012 12:18:14 no virus found

Run time 0:26:18
tested files: 38568
tested folders: 7862
amount of data tested: 10.5 GB
infected files: 0

Avast Free Antivirus - Windows XP - could not copy paste from log so typed this…dave

djDave,

Avast Free Antivirus - Windows XP - could not copy paste from log so typed this...dave

Welcome to the forums.

To attach logs to the text box you are typing in, do this:

(Lower left-hand corner of text box) Click Additional Options>Notify me of replies>Attach:>Browse

Use the ANSI format for logs, and the total of all files attached must be less than 200KB. Another post following can always be used if the total of the files is greater than 200KB combined. Note the types of files allowed: .txt, .jpg, .gif, .png, .log

Any file too large to post here can be uploaded at a site such as Mediafire.com here: http://www.mediafire.com/ You will need to copy/paste the link to any such site in your post(s), or use the url link above (the one with the earth icon).

We are here to help.

EDIT:

Which avast!..?? (Free/Pro/IS) Which version..?? OS..?? (32/64 Bit - which SP) Other security related software installed..??

Re Asyn: We would like to have information about the operating system, etc., as this will greatly assist in cleaning and repairing your system. Essexboy is definitely the one to go to for fixing.

Some more info:

Avast Program version 6.0.1367
Vdversion: 120113-0
XP home edition version 2002
32 bit (I think) SP: 3

other security related software
Malwarebytes Anti-Malware
SUPERAntiSpyware Free Edition

I tried to attach a Malwarebytes log, hope it’s here…lol

Hi, we will start with Farbar first so that I can customise the areas I will need to look at… And lucky you, I have just set up an XP system for registry exports

Run Farbar Service Scanner

http://i1238.photobucket.com/albums/ff484/CompCav/Farbarservicesinternetticked-2.jpg

Tick “Internet services” and “Windows Firewall” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Thankyou so much for the help…

Farbar Service Scanner
Ran by Owner (administrator) on 13-01-2012 at 15:40:00
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal


Internet Services:

Connection Status:

Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:

Firewall Disabled Policy:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
“EnableFirewall”=DWORD:0

File Check:

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

aswTdi(9) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x09000000040000000100000002000000030000000900000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****
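The FSS.txt above is the kind of log a helper reads by eye: the one thing wrong in it is the firewall policy value, while every file check passes. As an added example (not from the original thread and not part of the Farbar tool), here is a small Python parser that turns an FSS-style log into a list of findings: any firewall profile whose EnableFirewall policy is 0, and any file check whose result is anything other than "MD5 is legit". The first sample log is copied from Dave's post; the second is constructed, and its "MD5 is not legit" wording is an assumption about what the tool prints on a mismatch, not something the page shows.

```python
import re
from typing import Dict, List, Optional

# Sample input: the header, Windows Firewall and File Check sections of the
# FSS.txt posted in this thread (copied from the post above).
FSS_LOG_FROM_THREAD = r"""Farbar Service Scanner
Ran by Owner (administrator) on 13-01-2012 at 15:40:00
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal

Windows Firewall:

Firewall Disabled Policy:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0

File Check:

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

**** End of log ****
"""

# Constructed sample: two profiles and one failed file check. The wording
# "MD5 is not legit" is an assumption about the tool's mismatch output.
FSS_LOG_CONSTRUCTED = r"""Firewall Disabled Policy:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

File Check:

C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is not legit
"""

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]\s*$')
# REG_DWORD values print as "Name"=DWORD:N; curly quotes are accepted because
# forum copy/paste often replaces the straight ones.
VALUE_RE = re.compile(r'^["\u201c]([^"\u201d]+)["\u201d]=DWORD:(\d+)\s*$')
# File-check lines: a Windows path, " => ", then the tool's verdict.
FILE_RE = re.compile(r'^([A-Za-z]:\\\S.*?)\s+=>\s+(.+?)\s*$')


def parse_fss(text: str) -> Dict[str, list]:
    """Extract registry policy values and file-check results from an FSS log."""
    policies: List[Dict[str, object]] = []
    file_checks: List[Dict[str, str]] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)  # values that follow belong to this key
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            policies.append({"key": current_key, "name": m.group(1),
                             "value": int(m.group(2))})
            continue
        m = FILE_RE.match(line)
        if m:
            file_checks.append({"path": m.group(1), "result": m.group(2)})
    return {"policies": policies, "file_checks": file_checks}


def findings(parsed: Dict[str, list]) -> List[str]:
    """Return human-readable findings: disabled firewall profiles, then bad files."""
    out: List[str] = []
    for p in parsed["policies"]:
        if p["name"] == "EnableFirewall" and p["value"] == 0:
            profile = p["key"].rsplit("\\", 1)[-1]
            out.append(f"Windows Firewall disabled by policy for {profile} ({p['key']})")
    for f in parsed["file_checks"]:
        if f["result"] != "MD5 is legit":
            out.append(f"{f['path']}: {f['result']}")
    return out


if __name__ == "__main__":
    for name, log in (("thread log", FSS_LOG_FROM_THREAD),
                      ("constructed log", FSS_LOG_CONSTRUCTED)):
        print(f"{name}:")
        for line in findings(parse_fss(log)):
            print("  ", line)
```

Run against the thread's log it reports exactly one finding, the DomainProfile policy; the twelve file checks produce none. The policy lines are tied to the `[HKEY_...]` key that precedes them, so a log listing both DomainProfile and StandardProfile is handled without any change.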

OK the registry bits and bobs look OK

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
C:\Windows\assembly\tmp\U*.* /s
%Temp%\smtmp\1*.*
%Temp%\smtmp\2*.*
%Temp%\smtmp\3*.*
%Temp%\smtmp\4*.*
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

I only see one Log ?

Is that the Fix-it Centre that you have on your system? If so, did you try the relevant Fix-its?

Prior to this OTL run, could you shut down Malwarebytes from the Task Manager, as it will lock OTL otherwise

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
O3 - HKU\S-1-5-21-3968576246-1507559097-480493867-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O4 - HKLM..\Run: [MISAggregator] File not found
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
[2012/01/13 12:12:38 | 000,000,616 | -H-- | M] () -- C:\WINDOWS\tasks\ConfigExec.job
[2012/01/13 14:31:02 | 000,000,580 | -H-- | M] () -- C:\WINDOWS\tasks\DataUpload.job
[2011/05/31 06:26:20 | 000,012,984 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\3w6icfep4bc0
[2011/05/31 06:26:20 | 000,012,984 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3w6icfep4bc0

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Tes I tried a couple Fix-its and they did not help. Should I remove all that is still in the custom scan/fixes box from the last scan first ?

That should have read (Yes I tried a couple Fix-its and they did not help.)

I can’t find Malwarebytes in the Task Manager, do they call it something else?

Yes remove that please

The processes are

mbamgui
mbamsvc

It is mbamservice.exe, see image, click to expand.

Sorry this took so long, it stopped once and I started over…scan attached below

To everyone involved: The help here is nothing but the best. It “seems” my problem is solved. I have not had time to try very many things as yet ~ but everything looks and seems to be back to normal and I have updates waiting to be installed…!! Hurray at long last. It’s been a most trying day and I am beat worrying about the entire process. Thank you so very much for your patience and persistence. After a good night’s sleep ~ I’ll give this pc a real workout and report back. Good night everyone and here’s wishing you a great week-end. Dave

p.s. Combofix log attached:

Looks much better; you had a partial install of ZeroAccess, which is why some elements of your system did not work.

Run for a day or so and when you are happy let me know and I will remove my rubbish

Thank you so much Essexboy, most things now are back close to what I was used to. We had company from out of state come and stay with us for the last 5 days and I didn’t have much time to spend on the PC. The only thing that still seems strange to me is my Outlook Express will not send or receive with Avast turned on, and it always worked fine before. Thanks again so much for all your help, you are a life saver here…Dave

Might be worth uninstalling and then re-installing the Mail Shield to see if that helps

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

.
Remove ComboFix
[*]Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
[*]In the Run box, type in ComboFix /Uninstall
(Notice the space between the “x” and “/”)
then click OK
.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

[*]Follow the prompts on the screen
[*]A message should appear confirming that ComboFix was uninstalled

.
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
.
We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.
.
Upgrading Java:
[*] Go to this site and click Do I have Java
[*] It will check your current version and then offer to update to the latest version

.
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo Update Checker and run it monthly; it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place? Keep safe :wave: