Desktop Security 2010 (virus/trojan/malware)

Discussion in 'Malware Help (A Specialist Will Reply)' started by Hajisan, Jan 23, 2010.

  1. Hajisan

    Hajisan Private E-2

    Man, I was hoping I wouldn't have to come back here, but this is something I couldn't pull out on my own. I'm having a problem with some virus-y thing called "Desktop Security 2010". I think I got it by clicking on an ad by mistake (I didn't notice it was an ad space that was still loading; I only wanted to bring the back page to the front :( )

    Before we go on, i saw 4 topics that sound similar to my situation:
    - Internet security 2010 malware by Pleggett
    - Internet Security 2010 virus and other strange problems with my PC by Darkzephyr
    - Desktop Defender 2010 and other Problems by Ciraxis117
    - Internet Security 2010. is it a virus? by Happycmpr46

    Would going by one of them step by step fix my problem? (Just confirming) If not,

    Here is my problem:

    I was browsing, had 2-3 pages on top of each other. I wanted to see if the 3rd page had loaded fully yet, so I went to click on its side. Little did I know it was an ad that opens another page to fire the virus-y thing. All of a sudden, I have this fake virus scan loaded and scanning. I stopped it and tried to get rid of it by normal means: cut the internet, McAfee full scan, then Ad-Aware scan. It did not work; I still see all kinds of fake "warning: you're being hacked" messages pop up. I went ahead and read the "Read me" page. It helped a little. Now I can AT LEAST delete the files for this thing from "Program Files", kill its process from Task Manager and remove it from "Add/Remove". That would stop all the spam from popping up. However, when I reboot, the problem is still there with the fake warnings. I could not find files for it to delete.



    Here are the logs requested
     

    Attached Files:

  2. Hajisan

    Hajisan Private E-2

    Right now, I've cut the internet off my PC (so no stored passwords get sent over ;>.>) and am keeping it untouched. Am I being too paranoid by doing that? Can the problem get worse if I leave the PC connected to the net?

    Below is the last log. I spent half a day doing this procedure; I hope I didn't miss anything!
     

    Attached Files:

  3. evilfantasy

    evilfantasy Malware Fighter

    It's always best not to follow other threads. Every computer is set up differently, so the advice for one user may damage another user's system.


    Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

    Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

    Exit out of MessengerDisable then delete the two files that were put on the desktop.



    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX Checked until you exit all browser sessions including the one you are reading in right now:


    • O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    • O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe
    • O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    • O4 - HKLM\..\Run: [SecurityCenter] C:\WINDOWS\system32\qgtto5vww78w.exe
    • O4 - HKLM\..\Run: [qgtto5vww78w] C:\WINDOWS\system32\qgtto5vww78w.exe
    • O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    • O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    • O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

    After clicking Fix checked, exit HijackThis.



    Download OTM by OldTimer to your desktop.

    Note: If you are running on Vista, right-click on OTM.exe and choose Run As Administrator.

    * Save it to your Desktop.
    * Double-click OTM.exe to run it.
    * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

    Code:
    :Processes
    explorer.exe
    
    :services
    
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UserFaultCheck"=-
    "VistaDrive"=-
    "SecurityCenter"=-
    "qgtto5vww78w"=-
    
    :files
    C:\WINDOWS\VistaDrive\VistaDrive.exe
    c:\windows\system32\qgtto5vww78w.exe
    c:\windows\system32\lqgtto5qww7oc.exe
    C:\WINDOWS\VistaDrive
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
    
    * Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    * Click the red Moveit! button.
    * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

    * Close OTM

    Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.




    Scan your computer with Panda ActiveScan

    * Once you are on the Panda site click the Scan your PC now button.
    * A new window will open...click the Scan Now button.
    * If it wants to install an ActiveX component allow it.
    * It will start downloading the files it requires for the scan. (Note: It may take a couple of minutes)
    * You may get a warning from Internet Explorer that Panda is ready to install, please allow it.
    * The scan will begin. Please be patient as it can take an hour or more to complete.
    * When the scan completes, if anything malicious is detected, click the Export to: button (looks like a little Notepad).
    * Save the ActiveScan.txt to a convenient location like your desktop.
    * Note: You do not need to select any of the Disinfect options. We will remove any threats manually.

    * Post the contents of the ActiveScan report in your next reply.



    Next post please add:

    • OTM log
    • Panda Scan log

    Also run the C:\MGtools\GetLogs.bat file by double clicking on it. Attach the new C:\MGlogs.zip file that will be created.
     
    Last edited: Jan 28, 2010
  4. Hajisan

    Hajisan Private E-2

    Thankies. There you go.
     

    Attached Files:

  5. evilfantasy

    evilfantasy Malware Fighter

    You have a lot of files on your desktop. This isn't a good idea as malware can easily exploit them. It's best to keep things in folders in your documents or wherever they might need to go.



    Go to Start > Run and type notepad.exe then click OK

    Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

    Code:
    REGEDIT4
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "ShowDeskFix"=-

    Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

    Delete the fixme.reg from the Desktop.



    Have you been adjusting your services? There are a few that do not look like they should.

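    Both the OTM script in the earlier reply and the fixme.reg file above use the same REGEDIT4 deletion syntax ("Name"=- under a [key] header). The parser below is an added example, not part of this thread or of OTM: it turns such a script into a reviewable plan before anything is moved, and flags a :files entry that names a whole protected directory (the protected-root list is an assumption of the example). The SAMPLE text is constructed from a subset of the thread's entries.

```python
import re

_SECTION = re.compile(r"^:(\w+)$")
_KEY = re.compile(r"^\[(.+)\]$")
_DELETE = re.compile(r'^"(.+)"=-$')  # REGEDIT4 syntax: "Name"=- deletes that value
# Assumed list of roots a script must never name whole (OTM moves folders recursively).
_PROTECTED = {"c:", r"c:\windows", r"c:\windows\system32", r"c:\program files"}

def parse_reg_deletions(lines):  # '[key]' / '"name"=-' lines -> [(key, value_name)]
    key, out = None, []
    for line in (l.strip() for l in lines):
        if not line or line.upper() == "REGEDIT4":  # .reg header carries no entries
            continue
        if m := _KEY.match(line):
            key = m.group(1)
        elif (m := _DELETE.match(line)) and key:
            out.append((key, m.group(1)))
        else:  # anything else (a value add, a deletion before any key) is refused
            raise ValueError(f"unsupported registry line: {line!r}")
    return out

def parse_otm_script(text):  # split into :Processes/:services/:reg/:files/:Commands
    plan = {s: [] for s in ("processes", "services", "reg", "files", "commands")}
    section = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := _SECTION.match(line):
            section = m.group(1).lower()
            if section not in plan:
                raise ValueError(f"unknown section :{section}")
        elif section is None:
            raise ValueError(f"line outside any section: {line!r}")
        elif section == "commands":
            plan["commands"].append(line.strip("[]"))  # [emptytemp] -> emptytemp
        else:
            plan[section].append(line)
    plan["reg"] = parse_reg_deletions(plan["reg"])
    return plan

def dangerous_paths(plan):  # :files entries naming a protected root, for a reviewer to refuse
    return [p for p in plan["files"] if p.lower().rstrip("\\") in _PROTECTED]

# Constructed sample in the shape of the thread's script (a subset of its entries).
SAMPLE = r""":reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VistaDrive"=-
:files
C:\WINDOWS\VistaDrive\VistaDrive.exe
:Commands
[emptytemp]
[Reboot]"""
```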
     
  6. Hajisan

    Hajisan Private E-2

    Success "merged" message showed

    and

    No, I don't think I played with any service. Not while realizing it at least, lol
     
  7. evilfantasy

    evilfantasy Malware Fighter

    Let me know if anything was found/fixed by this next procedure.

    Do you have an XP CD? (if not then run it anyway)

    If so, place it in your CD ROM drive and follow the instructions below:
    • Click on Start > Run and type sfc /scannow then press Enter (note the space between sfc and /scannow)
      • Let this run undisturbed until the window with the blue progress bar goes away
    SFC, which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.



    After running sfc /scannow, run this.

    Download Dial-a-Fix by djlizard, save it to the desktop, then extract it to its own folder.


    • Open the folder and run Dial-a-fix.exe
    • 2 windows will open. Close the one in the background labeled Restrictive Policies
    • Check the box in section 1, Empty temp folders.
    • Check the box in section 2, Fix Windows Installer.
    • Check the box in section 3, Fix Windows Update.
    • Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
    • Check all boxes in section 5, labeled Registration Center.
    • Click Go
    • OK any error messages if received, but write them down and post them here.
    • Restart the computer when done.




    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Attach the new C:\MGlogs.zip file that will be created.
     
