Fake Windows Security Popups and Many Other Problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dave85, Jun 29, 2008.

  1. dave85

    dave85 Private E-2

    So my son was using my laptop a little while ago when all of a sudden he told me that the computer was acting wacky. He wasn't kidding. I'm not sure what it is exactly that he did (I think he went to a site he wasn't supposed to), but here's a list of my problems:

    - fake windows security popups
    - random pop ups in taskbar (yellow balloons) warning about spyware that was found, or a slow PC, etc.
    - task manager is disabled
    - system is extremely slow - I often have to restart because it goes so long without doing anything

    This happened a few weeks ago, but I didn't have time to do anything about it. Now I need my laptop working again, so it's time to try to fix it. I don't know too much about computers beyond the basics so I thought I'd come to the helpful folks here.

    Now, I tried running HijackThis on my system, but it wouldn't run. The only way I could get it to run was to run the system in safe mode - only then does HijackThis actually work. When I am in safe mode, I still get the popups and the taskbar balloons, but the system is no longer slow and I can run HijackThis. Just as an FYI, the computer has been disconnected from the internet ever since these problems started appearing (I figured that would be the smart thing to do).

    So here is the HijackThis log that I got while the computer was in safe mode. Is this good enough? Do I need a log from when the computer is in normal mode? What should I do next? And should I continue operating in safe mode? Thanks a lot guys - I really appreciate it!!!
     


    Last edited by a moderator: Jun 29, 2008
  2. abri

    abri MajorGeek

    Hi dave85,
    Welcome to MajorGeeks!

    Please follow the instructions in the READ & RUN ME FIRST and use the Manage Attachments button down below the reply window here to attach the requested logs. There will be 4 of them and you can only attach a max of 3 per post, so you'll need to post twice.

    Thanks.
    abri
     
  3. dave85

    dave85 Private E-2

    Update -

    So I tried to go in and install and run SUPERAntiSpyware and ComboFix and SpyBot and all those other initial things that I am supposed to do... except that my system won't allow me to run any applications now. I can't even open My Computer (or any other folder for that matter) to even access the installers or .exe's let alone actually run them to post a log.

    I am running it in normal mode now. Should I just switch over to safe mode and do everything from there? Will that still allow me to fix my problems? This is extremely frustrating that all I get when I turn on my computer is my desktop and that's it - I can't run any programs and I can't open any folders. Any ideas?
     
  4. dave85

    dave85 Private E-2

  5. abri

    abri MajorGeek

    Hi dave85,

    I think you're right that you have some things in common with that other thread. Can you run HijackThis? Can you open Windows Explorer? I will give you several things to try. If you can't do something, go on to the next step.

    I would like for you to do the following instructions with your security software disabled. You have too many on your computer, which I'll get to later, but for the time being, please copy these instructions so you will have them and then disconnect from the internet (physically) and then disable any security software you have running (antivirus, firewall, antispyware).

    In either normal mode or safe mode, see if you can get HijackThis to run. You may have to rename it. If so, please rename it to HijackThisTM.exe

    If you can get it to run, have it do a system scan. Then put a checkmark in the box next to the following and close any open browser windows. Then click on fix.

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
    O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
    O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
    O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
    O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
    O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
    O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
    O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
    O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
    O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
    O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
    O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
    O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
    O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
    O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
    O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
    O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
    O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
    O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
    O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
    O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
    O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
    O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
    O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
    O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
    O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
    O4 - HKCU\..\Run: [Tve] "C:\Program Files\F?nts\w?wexec.exe"

    When you finish the above (or not) just close the program.

    Whether you were able to do the above or not, please do the following:

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.

    Let me know if you got a success message for the above REGEDIT4.


    Next see if you can delete this file in Windows Explorer: (it may not be possible)

    C:\WINDOWS\system32\iftuyszv.exe


    Are you using Sygate firewall? AVG Security Suite? Norton Security Suite? BitDefender Security?

    You need one firewall and one antivirus. Please decide which of the above programs you want to work with and re-enable it. Then reconnect to the internet and uninstall the rest (if you can). There are specific means for uninstalling the different programs. Please look at the instructions below and see which you want to use.


    The following will uninstall all of your Symantec software, so it is important that you want to uninstall all of it. It will uninstall ghost, system works, as well as the security software.

    Removing Files from Norton Antivirus Quarantine

    Norton Removal Tool (SymNRT)


    If you want to uninstall AVG 8.0, use the following instructions:


    There are two possible ways to uninstall AVG 8.0 Free Edition:
    1. Click on Start > All Programs > AVG 8.0 > Uninstall AVG

    2. If you experience any problems with the uninstallation procedure, please follow these steps:


    • Download the latest installation file of AVG from the Download section of our website
    • After downloading, run this file and choose the Uninstall Product option in the dialogue Select Setup Type
    • Finish the uninstallation process and restart your computer.



    BitDefender and Sygate will have to be removed as well if you won't be using them.

    Let me know which of the above you are able to do.

    abri
     
  6. dave85

    dave85 Private E-2

    abri,

    Sorry I've been unresponsive. I've been very busy with work recently and haven't had time to look at this. Since I'm getting to a stage where I really need my laptop to work, I'm going to start responding much quicker and working much harder towards resolving this situation.

    Anyway, here are the results to your last post:

    1) You asked if I could run HijackThis or if I could open Windows Explorer. The answer is I can only do those things in safe mode, not normal mode.

    2) You asked me to disable my security software. Since I am running my machine in safe mode, all that extraneous software is disabled from the get-go (I believe).

    3) You told me to disconnect from the internet. Not a problem - just so you know, the moment I started having these issues and getting these weird popups and messages and all, I disconnected the ethernet wire from my laptop and have not connected it since. Basically, it's been about a month since my laptop has been connected to the internet.

    4) You asked me to run HijackThis - I did, in safe mode (the only way I could). I did a system scan and had it fix those 27 entries that you told me to fix (ie. by putting a checkmark next to the box and clicking fix).

    5) I did get a successful message for the REGEDIT4 procedure.

    6) I was unable to delete C:\WINDOWS\system32\iftuyszv.exe

    7) About all my security software... before starting this thread, I tried fixing the problem on my own by following other threads started by people who were experiencing similar problems as me. I ended up downloading and installing all these applications in an attempt to fix the problem. Guess that wasn't the way to go. Anyway, I was unable to uninstall BitDefender for some reason, but I was able to uninstall AVG. So I'm left with Norton, BitDefender and Sygate. Which should I get rid of? Does it matter?

    Should I restart my computer at this time, now that I've uninstalled AVG, or should I wait until I uninstall one of Norton/BitDefender/Sygate before restarting?

    If you don't mind, in your next post, I would greatly appreciate it if you could advise me about my question regarding my security software, and then also provide me with the next steps in the process. I am assuming that uninstalling some security app has little to do with how to next proceed with my problems, so if you could give me both at once, that would be great. It would just make everything quicker. Thanks a lot - I sincerely appreciate all your help.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have installed multiple antivirus programs on your computer it would be best if you now uninstall all of them! It is a very bad idea to ever install more than one at any time. It may be easier for us to temporarily work without one installed for a short time. Just keep your Sygate firewall installed as long as it is the only software firewall that you have installed.

    From safe boot mode, please try to follow the instructions in the below link and attach the requested logs when you finish these instructions. If something does not run, write down the info to explain to us later but keep on going. Do not assume that because one step does not work that they all will not.

    READ & RUN ME FIRST. Malware Removal Guide
     
  8. dave85

    dave85 Private E-2

    About removing all my security software - I was unable to remove any of them. I got a message saying that I couldn't remove them while in safe mode, so they all ended up staying on my system.

    I followed the malware removal guide and ran everything from safe mode. I was unable to install SUPERAntiSpyware, so I have no log from that. Also, while I was able to install SpyBot, I was unable to run it. (It wouldn't run unless I updated it, and I couldn't update it since I could not connect to the internet. On a side note, it's not that I couldn't connect to the internet, it's that I didn't even try to connect to the internet. It's a long story, but it has to do with where my laptop is now). Those are the only things that I had any sort of trouble with.

    With that said, I've attached the remaining logs. Also, a bit of good news, I got my task manager back.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay a load of malware was removed already.

    Can you boot into normal mode now?

    If so, uninstall ALL but one of the below:
    • AVG 8.0
    • BitDefender Total Security 2008
    • Norton AntiVirus 2005
    Also uninstall Viewpoint Media Player as requested in step 1 of the READ & RUN ME.

    Also see if you can now install and run SUPERAntiSpyware and attach a log.

    Also update Spybot - Search & Destroy and run it.

    Let me know the results.
     
  10. dave85

    dave85 Private E-2

    I can boot into normal mode, but I can't carry out any processes. For example, it takes 10 minutes just to get the Control Panel to open so I can access add/remove programs. Trying to run any task or program or even open a folder is impossible.

    I was able to uninstall AVG, but still not BitDefender or Norton.

    I was able to uninstall Viewpoint Media Player.

    I still cannot install SUPERAntiSpyware.

    I could not update Spybot either.

    The good news is that the popups, the fake windows security center messages, and the yellow warning balloons from the taskbar no longer show up. Other than the clock in the taskbar being on 24 hour time (it was like this before I did anything to try to fix the system) and the fact that I can't run any programs or open any folders in normal mode, it seems good.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A lot of this slow down may just be due to the three antivirus programs and multiple firewalls being installed.

    See if you can uninstall Sygate firewall too since Bitdefender also has a firewall and they are bumping heads.

    Also see if you can run the below. If you can run it, then after the first run, reboot your PC and then run it one more time and reboot again.

    Norton Removal Tool (SymNRT)


    After trying to do the things mentioned above, continue with the below even if it has to be done in safe boot mode.


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O4 - HKCU\..\Run: [Tve] "C:\Program Files\F?nts\w?wexec.exe"
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
    O23 - Service: AVG8 Firewall (avgfws8) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgfws8.exe (file missing)
    O23 - Service: Web Update Wizard Service V4 (WebUpdate4) - Unknown owner - C:\WINDOWS\system32\WebUpdateSvc4.exe (file missing)

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jul 23, 2008
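    As an added example (not from this thread, and not part of HijackThis or MGtools), here is a small Python triage script that applies the reasoning the helpers use in posts 5 and 11 to HijackThis-style log lines: an extra program appended to the F2 UserInit value, `?`-rendered characters in an O4 Run path, orphaned `(no file)` BHOs and `(file missing)` services, and any AppInit_DLLs entry. The sample lines are constructed from the entries quoted in this thread plus two benign placeholder lines whose GUID and paths are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample of HijackThis-style lines: the suspicious ones are modelled on the
# entries quoted in this thread; the "Example" lines are made-up benign placeholders.
SAMPLE_LOG = """\
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
O4 - HKCU\\..\\Run: [Tve] "C:\\Program Files\\F?nts\\w?wexec.exe"
O4 - HKLM\\..\\Run: [ExampleUpdater] "C:\\Program Files\\Example\\updater.exe"
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\\PROGRA~1\\AVG\\AVG8\\avgwdsvc.exe (file missing)
"""

# On a stock Windows XP install UserInit names exactly this program (the trailing comma is normal).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


@dataclass
class Finding:
    severity: str   # "high" = active persistence, "review" = verify vendor, "low" = leftover
    reason: str
    line: str


def check_userinit(value: str):
    """Return every program in a UserInit value other than the genuine userinit.exe."""
    programs = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in programs if p.lower() != EXPECTED_USERINIT]


def triage(log_text: str):
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        section = line.split(" - ", 1)[0]          # "F2", "O2", "O4", ...
        if section == "F2" and "UserInit=" in line:
            for prog in check_userinit(line.split("UserInit=", 1)[1]):
                findings.append(Finding("high", f"UserInit launches an extra program at logon: {prog}", line))
        elif section == "O2" and line.endswith("(no file)"):
            findings.append(Finding("low", "orphaned BHO registration (DLL no longer on disk)", line))
        elif section == "O4":
            m = re.search(r'"?([A-Za-z]:\\[^"]+)"?\s*$', line)
            # HJT renders unprintable/lookalike characters in a path as '?'
            if m and "?" in m.group(1):
                findings.append(Finding("high", "Run entry path contains unprintable characters (lookalike folder name)", line))
        elif section == "O20" and "AppInit_DLLs:" in line:
            dlls = line.split("AppInit_DLLs:", 1)[1].strip()
            if dlls:
                findings.append(Finding("review", f"AppInit_DLLs loads into every GUI process; verify the vendor: {dlls}", line))
        elif section == "O23" and "(file missing)" in line:
            findings.append(Finding("low", "service points at a missing binary (uninstall leftover)", line))
    return findings


def summarize(log_text: str):
    """Count findings per severity so a helper can see active threats vs. clean-up items at a glance."""
    counts = {"high": 0, "review": 0, "low": 0}
    for f in triage(log_text):
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.reason}\n    {f.line}")
```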
  12. dave85

    dave85 Private E-2

    Ok, here we go:

    1) I ran Norton Removal Tool. It removed NAV. Could not uninstall BitDefender or Sygate.

    2) Ran Disable/Remove Windows Messenger. Went fine.

    3) Did everything you told me to with HijackThis. Went fine.

    4) Did the whole script and ComboFix thing. Went fine.

    5) Added those lines to the registry. Got a success message.

    After doing those things, I rebooted into normal mode and voila - my computer was up and running. I was able to open and run programs, the computer wasn't slow, I was able to navigate the internet just fine, etc.

    Only two things were off: the system clock (it was still in 24 hour time) and Internet Explorer. I figured out how to fix the system clock (I never realized you could adjust it via the Control Panel).

    With Internet Explorer, basically, it just doesn't work. At first, I'd open IE, and then within a second of an IE window opening, it would just close by itself. That doesn't happen anymore. Instead, when I open an IE window now, the page simply doesn't load, even though I am able to use the internet on Firefox or Opera just fine. So far, this seems to be the only lingering issue, but even this is not a huge deal. That I can't use IE may even be a good thing - it's certainly less secure than those other two browsers and I know my son was using IE when the computer initially got infected.

    Once I was able to work in normal mode again, I uninstalled BitDefender and Sygate (I also adjusted some things in msconfig to make the startup quicker). What antivirus and spyware programs do you recommend I install? In other words, which are the best ones? I now know to only install one of each, and I was wondering if you had any recommendations.

    As for the problem with IE, perhaps uninstalling it and then installing the latest version of IE will fix the problem? What do you think?

    I've attached the two logs you asked for. Thank you SOOOOO much for your help - I sincerely and greatly appreciate it.
     


    Last edited: Jul 28, 2008
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now you need to undo whatever you did with MSconfig. You must not use MSconfig like this as stated in step 1 of the READ & RUN ME:
    So undo whatever you did and attach a new MGlogs.zip file (obtained from Normal Boot mode) so I can see what your real status is.

    Everything we recommend is in another sticky thread: How to Protect yourself from malware!


    There is no clear cut best choice. Some tools work better on some PCs than on others. Also some users may just find certain tools easier to use than others so it can be a personal taste issue. Before you go installing anything else, I want to check the new MGlogs.zip file that was requested to make sure there are no left overs to be cleaned up. Based on your last logs, there may be more to remove first.

    Not a topic for this forum and IE really cannot be truly uninstalled.
     
