Tuesday, July 14, 2009

I have the winifixer/ultimate defender/ultimate cleaner virus. Please help me get rid of this dastardly thing

Here's my hjt:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:50 PM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
c:\sots\KMService.exe
C:\Program Files\Marimba\Castanet Tuner\Tuner.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\progra~1\Metlife\MediaManager\Media...
c:\MetLife\MetTask\METTASK.EXE
C:\Lotus\Notes\ntmulti.exe
C:\WINNT\system32\Prot_srv.exe
C:\WINNT\system32\pstartSr.exe
c:\winnt\system32\rcmdsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Servi...
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watch...
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.E...
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINNT\stsystra.exe
C:\WINNT\system32\igfxsrvc.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Apoint\HidFind.exe
C:\sots\detectVPN.exe
C:\Program Files\Pinpoint Global\Media Room\MediaRoomClientApp.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch...
C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
C:\Program Files\METLIFE\LSMS3\lsms3.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Websense\WDC\WsUIMgr.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPass\iPassConnect\downloader\ipcc...
C:\Program Files\Marimba\Castanet Tuner\lib\minituner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://imetlife.metlife.com/sitemindera...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://exwintp019.metlife.com/login.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Metropolitan Life
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCA...
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCA...
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper...
O2 - BHO: 146955 helper - {85F74211-7C2B-4CB8-B80D-4DE1AC85B685} - (no file)
O2 - BHO: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - iSecurity.cpl (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1...
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [SET_PLAYER] regedit /s c:\systemp\mp3\mp3assoc.reg
O4 - HKLM\..\Run: [RoamingUser] "C:\Program Files\Marimba\Castanet Tuner\tuner.exe" -start http://as_risccast00:5282/ENT/Castanet/R... 1
O4 - HKLM\..\Run: [McAfeeUpdaterUI] C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE /STANDALONE
O4 - HKLM\..\Run: [DetectVPN] c:\sots\detectVPN.exe
O4 - HKLM\..\Run: [LSMS3] C:\Program Files\MetLife\LSMS3\LSMS.BAT
O4 - HKLM\..\Run: [LSMS] C:\Program Files\MetLife\LSMS3\OldLSM.BAT
O4 - HKLM\..\Run: [MediaRoomApp] C:\Program Files\Pinpoint Global\Media Room\MediaRoomClientApp.exe
O4 - HKLM\..\Run: [AWMON] C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.e... /custom +prefs:"C:\PROGRA~1\Lavasoft\AD-AWA~1\aw...
O4 - HKLM\..\Run: [Pointsec Tray] C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe
O4 - HKLM\..\Run: [sp2cfg] C:\WINNT\system32\mrmbtemp\xpsp2\wkix32.... C:\WINNT\system32\mrmbtemp\xpsp2\popup.k... /i
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WsUiMgr] C:\Program Files\Websense\WDC\WsUIMgr.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\Googl...
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon....
O4 - Global Startup: ADAWARE.LNK = C:\WINNT\runonce.bat
O4 - Global Startup: CENSUSNT.LNK = C:\METLIFE\dlm\censusnt.bat
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NTCONECT.LNK = C:\Security\NtConect.exe
O4 - Global Startup: systray.exe
O6 - HKCU\Software\Policies\Microsoft\Interne... Explorer\Restrictions present
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredit...
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCE...
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://exwintp019.metlife...
O16 - DPF: {10B05D6E-5BFB-11D4-8920-00C04F57BB26} (KMReader Class) - https://imetlife.metlife.com/sitemindera...
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache...
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUp...
O17 - HKLM\System\CCS\Services\Tcpip\Parameter... Domain = metlife.com
O17 - HKLM\Software\..\Telephony: DomainName = metlife.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameter... Domain = metlife.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameter... Domain = metlife.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameter... Domain = metlife.com
O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\program files\symantec\pcanywhere\awhost32.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEng...
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: KMService - Unknown owner - c:\sots\KMService.exe
O23 - Service: Marimba - BMC Software, Inc. - C:\Program Files\Marimba\Castanet Tuner\Tuner.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: MediaManager - Unknown owner - c:\progra~1\Metlife\MediaManager\MediaMa...
O23 - Service: MetLife® Task List (MetLifeTaskList) - MetLife® - c:\MetLife\MetTask\METTASK.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe
O23 - Service: Pointsec - Unknown owner - C:\WINNT\system32\Prot_srv.exe
O23 - Service: Pointsec Service Start (Pointsec_start) - Unknown owner - C:\WINNT\system32\pstartSr.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Servi...
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watch...
O23 - Service: Websense Desktop Client (WebsenseDesktopClient) - Websense - C:\Program Files\Websense\WDC\WDC.exe

--
End of file - 10551 bytes
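As an added example (not from the poster or any of the replies), a small Python triage script that parses HijackThis entries like the ones above and lists the lines a reviewer should look at first: BHOs whose DLL is absent, Run entries that load a component HJT reports missing or that use an unqualified path, O6 restrictions, O18 protocol hijacks and services with no publisher. The sample lines are copied from the log above; the severity labels and the rules are this script's own assumptions, not HijackThis output.

```python
import re
# Constructed sample: a few lines copied from the HijackThis log posted above
# (paths left truncated with "..." exactly as posted; no new indicators added).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper...
O2 - BHO: 146955 helper - {85F74211-7C2B-4CB8-B80D-4DE1AC85B685} - (no file)
O2 - BHO: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - iSecurity.cpl (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
O6 - HKCU\Software\Policies\Microsoft\Interne... Explorer\Restrictions present
O18 - Protocol hijack: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5021}
O23 - Service: KMService - Unknown owner - c:\sots\KMService.exe
"""
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

def parse(log_text):
    # Return (section, body) for every "Oxx - ..." / "Rx - ..." entry; other lines are ignored
    out = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append((m.group("sec"), m.group("body")))
    return out

def triage(log_text):
    # Return [(severity, section, reason)]; severities are this script's own labels, not HJT's
    entries = parse(log_text)
    findings = []
    missing = set()  # file names HJT itself reports as absent, e.g. "iSecurity.cpl (file missing)"
    for sec, body in entries:
        if sec == "O2" and ("(no file)" in body or "(file missing)" in body):
            m = re.search(r"- (\S+) \(file missing\)", body)
            if m:
                missing.add(m.group(1).lower())
            findings.append(("medium", sec, "BHO registered but its DLL is absent: " + body))
    for sec, body in entries:
        if sec == "O4":
            cmd = body.split("] ", 1)[-1]
            if any(name in cmd.lower() for name in missing):
                findings.append(("high", sec, "Run entry loads a component HJT reports missing: " + body))
            elif not re.match(r'^"?[A-Za-z]:\\', cmd):
                findings.append(("low", sec, "Run entry uses an unqualified path (resolved via search order): " + body))
        elif sec == "O6":
            findings.append(("medium", sec, "IE policy restrictions set; confirm they are intended: " + body))
        elif sec == "O18":
            findings.append(("high", sec, "Protocol handler HJT flags as hijacked: " + body))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append(("low", sec, "Service with no publisher string; verify the binary: " + body))
    return findings
```

Running `triage(SAMPLE_LOG)` on the sample yields seven findings, with the two "high" ones being the Run entry that loads the missing iSecurity.cpl and the O18 protocol hijack.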

Click Start > click Run, type in msconfig and then press Enter. Go to the Startup tab and uncheck everything except your antivirus, click OK and reboot.

1. Download and run Firefox to protect you from future spyware attacks and pop-ups which are coming in through Internet Explorer (IE)!! (Trojan downloaders, win32).
http://securitynewsfromthenet.blogspot.c...

2. Run the Vundo and Combo fix http://securitynewsfromthenet.blogspot.c...

3. Run Malwarebytes Anti-Malware
http://securitynewsfromthenet.blogspot.c...

4. Run the anti-spyware removal programs Spybot http://securitynewsfromthenet.blogspot.c... and SuperAntiSpyware http://securitynewsfromthenet.blogspot.c... to get rid of the nasties

5. Run a complete scan with the free curing utility Dr.Web CureIt!
http://www.freedrweb.com/
Reply: Google the exact name of the virus as reported by your AV program for tips and tools to clean this out.
Reply: Your computer likely has a Vundo infection. Follow the link below to remove it.

"The Vundo family of Trojans is one of the most common infections we find on users' PCs. The infection can cause popups which usually advertise rogue antispyware programs. Some common rogue antispyware programs that are advertised are WinFixer, SysProtect and Winantispyware for example. Users are normally targeted by false positives, and warning of infection – an example of this could be popups alerting users they are infected with a blackworm virus. The most common method of infection is through outdated versions of the Sun Java platform; older versions are being exploited so it is important to firstly make sure that your Java software is fully up to date. Thankfully, the infection is relatively easy to remove, and a specialised tool has been created to remove the vundo trojan from infected computers. The following guide will explain how to use the tool, and hopefully rid your system of this malware."
http://www.bleepingcomputer.com/forums/t...

How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo:
http://www.bleepingcomputer.com/forums/t...

______________________

A good, automated, do-it-yourself HijackThis analyzer is available.

"This system has been designed to help you quickly find information about everything contained in your HJT logs. We tap the greatest information databases we've been able to find to help you figure out which items in your log are OK and which ones are bad! Any information we have on the items will be displayed when you run your mouse over that line. Wherever possible you will be linked to a specific thread for help on that item."

Free at:
http://hjt.networktechs.com/

Good luck.
