
Thread: Want rid of MALWARE and other Fake anti virus ..

#11 - pskelley (In Memoriam - Always in our heart) | Clearwater, Florida | Joined Oct 2005 | Posts: 20,247

We have a few issues, and at this point I am not sure if it is because you are missing stuff. I would appreciate it if you would follow the directions very carefully; if there is something you cannot complete, make me aware of it. I asked this:
How is the computer running now?
Please try to describe any symptoms of malware, and add any comments you think will help. I am not in front of the computer, you are.

1) C:\Windows\System32\cpofilwr.exe <<< I need information about this file. Make sure all files and folders are visible; instructions for Vista:
http://www.xtra.co.nz/help/0,,4155-1...,00.html#vista
Upload that file to: http://virusscan.jotti.org/ and post the results. Here are two other scanners if Jotti is busy.
    http://www.kaspersky.com/scanforvirus
    http://www.virustotal.com/

    2) O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com <<< did you put this item in the Hosts file?

    3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    O4 - HKCU\..\Run: [smartchkwin] C:\Windows\system32\lcpmvono.exe
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    Right click Start > Explore and navigate to these files/folders and delete them if there.

    C:\Windows\system32\lcpmvono.exe <<< delete that file

    4) Open Hijackthis.
    Click the "Open the Misc Tools" section Button.
    Click the "Open Uninstall Manager" Button.
    Click the "Save list..." Button.
    Save it to your desktop. Copy and paste the contents into your reply.

    Post that uninstall list and a new HJT log and the information from the file scan.

    Please tell me how the computer is running now.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

#12 - Junior Member | Joined Sep 2008 | Posts: 17

Hi. Sorry about earlier. The computer is running well, but when I go to Control Panel > Security Centre there only used to be Firewall, Automatic Updating and Other Security Settings. Since I got attacked by the virus there is another option there, Malware Protection.

I went online to scan the file as you told me to.

    File: cpofilwr.exe
    Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5: 6db7e6bd9f52feb5ce66c58e8fedb86d
    Packers detected: -


    ---------------------------------

    2) O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com <<< did you put this item in the Hosts file?

I didn't understand this. Can you explain how to put that in the hosts file? Because I can see that in HijackThis when I do "system scan only".

    ---

I shut everything and opened HijackThis, but I didn't find the following there:

    O4 - HKCU\..\Run: [smartchkwin] C:\Windows\system32\lcpmvono.exe
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -




    ------

In C:\Windows\System32 there is no such file as lcpmvono.exe.


    -------

The following is the uninstall list from HijackThis.

    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    Adobe Flash Player ActiveX
    Adobe Flash Player Plugin
    Adobe Reader 8
    Adobe Reader 8.1.2
    Adobe Shockwave Player
    Adobe Shockwave Player
    AppCore
    ATK Hotkey
    Backup
    BitLord 1.1
    ccCommon
    Compatibility Pack for the 2007 Office system
    Creator 9
    DivX Converter
    DivX Web Player
    Firefox
    Flash Player 9 Internet Explorer
    Football Manager 2008
    GearDrvs
    HDReg
    HiChatter Messenger
    HijackThis 2.0.2
    Java(TM) 6 Update 7
    K-Lite Mega Codec Pack 4.1.7
    LiveUpdate (Symantec Corporation)
    LiveUpdate (Symantec Corporation)
    LiveUpdate Notice (Symantec Corporation)
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB929729)
    Microsoft LifeCam
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Microsoft Works 9 SE
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    Multimedia Combo Set Driver
    Nokia Connectivity Cable Driver
    Nokia PC Suite
    Norton 360
    Norton 360
    Norton 360
    Norton 360
    Norton 360 (Symantec Corporation)
    Norton 360 2007
    Norton 360 HTMLHelp
    Norton Confidential Core
    OpenOffice.org Installer 1.0
    PaltalkScene
    PlayFLV
    RealPlayer
    Realtek High Definition Audio Driver
    Roxio Creator 9 LE
    Security Update for 2007 Microsoft Office System (KB951596)
    Security Update for 2007 Microsoft Office System (KB951944)
    Security Update for CAPICOM (KB931906)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft Office Excel 2007 (KB951546)
    Security Update for Microsoft Office OneNote 2007 (KB950130)
    Security Update for Microsoft Office PowerPoint 2007 (KB951338)
    Security Update for Microsoft Office system 2007 (KB951808)
    Security Update for Microsoft Office system 2007 (KB954326)
    Security Update for Microsoft Office Word 2007 (KB950113)
    Security Update for Visio 2007 (KB947590)
    Shockwave player 10
    SiS VGA Utilities
    Skype 3.2.2.163
    SPBBC 32bit
    Spybot - Search & Destroy
    SuperMegaSpoof 2.0
    Symantec Real Time Storage Protection Component
    Symantec Technical Support Controls
    Synaptics Pointing Device Driver
    System Requirements Lab
    TSP_CODEC
    Update for Office 2007 (KB946691)
    VideoLAN VLC media player 0.8.6d
    Windows Live installer
    Windows Live Messenger
    Windows Live OneCare safety scanner
    Windows Live OneCare safety scanner
    Windows Media Player Firefox Plugin
    WinRAR archiver
    Yahoo! Messenger


    ---------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:14:17, on 18/09/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16711)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\DllHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll (file missing)
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

    --
    End of file - 6111 bytes


    --------------------------------------

The computer is running all right...

#13 - pskelley (In Memoriam - Always in our heart) | Clearwater, Florida | Joined Oct 2005 | Posts: 20,247

but when I go to Control Panel > Security Centre there only used to be Firewall, Automatic Updating and Other Security Settings. Since I got attacked by the virus there is another option there, Malware Protection.
I am sorry, but I have no idea what you are saying to me here. You will need to explain so I can understand.

    File: cpofilwr.exe
    Status: INFECTED/MALWARE
    This item is malware, delete that file.
    C:\Windows\System32\cpofilwr.exe <<< there

    O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
    Is this your computer? And you don't know what is in your Hosts file?
    http://www.mvps.org/winhelp2002/hosts.htm <<< see this

    Uninstall List:

    Adobe Reader 8
    Adobe Reader 8.1.2

These are out of date, and hackers exploit that to infect you. Download the newest version:
    Adobe Reader 9.0
    http://www.filehippo.com/download_adobe_reader/
    uninstall old versions

    BitLord 1.1 <<< see our policy in the link:
    http://forums.spybot.info/showthread.php?t=282
    If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
    uninstall all p2p programs on the computer

If you have no problems with those instructions, then remove ComboFix from the computer:

    Click START then RUN
Now type or copy Combofix /u in the run box and click OK.
    Note the space between the X and the U, it needs to be there.



    Update Symantec and scan your system, if you have problems with Symantec, contact tech support for instruction:
    http://www.symantec.com/enterprise/support/index.jsp

    If all is well at this point, let me know and I will close your topic.

    Get maximum performance from Windows Vista
    http://windowshelp.microsoft.com/win...9156A1033.mspx

Not all of the information will apply to Vista:

    Here is some great information from experts in this field that will help you stay clean and safe online.
    http://users.telenet.be/bluepatchy/m...revention.html
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    http://www.malwarecomplaints.info/

    Thanks...pskelley
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.

    http://users.telenet.be/bluepatchy/m...oes/Links.html

#14 - Junior Member | Joined Sep 2008 | Posts: 17

Hi, I did read that guide but I can't understand where the hosts file is. I deleted C:\Windows\System32\cpofilwr.exe. I read the guide but I am still not sure what to do with the hosts file.

#15 - pskelley (In Memoriam - Always in our heart) | Clearwater, Florida | Joined Oct 2005 | Posts: 20,247

I read the guide but I am still not sure what to do with the hosts file.
Nothing. You can look at the Hosts file like this:
    To view the Hosts file:
    Start -> Run -> Copy the following to the box and hit enter:
    C:\WINDOWS\System32\drivers\etc\HOSTS

Since you seemed not to know what it was, I posted that information so you could learn. Information about that item:
    http://www.google.com/search?hl=en&q...earch&aq=f&oq=

#16 - Junior Member | Joined Sep 2008 | Posts: 17

Okay, thanks, I got it, but I can't see O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com in the hosts file. What shall I do next?

#17 - pskelley (In Memoriam - Always in our heart) | Clearwater, Florida | Joined Oct 2005 | Posts: 20,247

    Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com

    Close all programs but HJT and all browser windows, then click on "Fix Checked"
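The three checks the helper asks for across posts #11, #15 and #17 (is an O1 hosts entry pinning a name that is not the local machine, is an O4 Run entry launching a random-named binary out of system32, and what is the hash of the file before it goes to an online scanner) can be scripted. The block below is an added example written for this page; it is not HijackThis code and was not posted in the thread. The sample log lines are constructed from the entries quoted above, the eight-letter-name rule and the LOCAL_NAMES allowlist are heuristics assumed for the example, and the only "known bad" hash is the MD5 the online scanner reported for cpofilwr.exe in post #12.

```python
"""Triage helper for the HijackThis (HJT) O1 and O4 lines discussed in this
thread, plus file hashing for comparison before uploading to a scanner.
Example code for this page, not HijackThis code and not from the forum."""
import hashlib
import io
import ipaddress
import re
import sys

# Constructed sample: the O1/O4 lines quoted in the thread, plus two benign
# Run entries from the poster's own log so the filters have something to pass.
SAMPLE_HJT_LOG = """\
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKCU\\..\\Run: [smartchkwin] C:\\Windows\\system32\\lcpmvono.exe
O4 - HKCU\\..\\Run: [Yahoo! Pager] "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe" -quiet
"""

# MD5 the online scanner reported for cpofilwr.exe in post #12. A real
# workflow would load such hashes from your own incident notes.
KNOWN_BAD_MD5 = {"6db7e6bd9f52feb5ce66c58e8fedb86d"}

# Names a hosts file legitimately maps to loopback (assumed allowlist).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - (\S+?)\\\.\.\\Run: \[([^\]]*)\]\s+(.*)$")
# Heuristic assumed for this example: both droppers in the thread
# (lcpmvono.exe, cpofilwr.exe) are eight random lowercase letters in system32.
RANDOM_SYS32_RE = re.compile(r"\\system32\\[a-z]{8}\.exe\b", re.IGNORECASE)


def suspicious_hosts_entries(log_text):
    """Return (address, hostname, reason) for O1 lines that pin a non-local
    name to loopback, 0.0.0.0 or a public address. Pinning a vendor's
    serial-check host to 127.x blocks its licence or update checks, which is
    what a crack or a dropper wants."""
    flagged = []
    for line in log_text.splitlines():
        m = O1_RE.match(line)
        if not m:
            continue
        addr, name = m.groups()
        if name.lower() in LOCAL_NAMES:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            flagged.append((addr, name, "malformed"))
            continue
        if ip.is_loopback:
            flagged.append((addr, name, "loopback"))
        elif ip.is_unspecified:
            flagged.append((addr, name, "unspecified"))
        elif ip.is_global:
            flagged.append((addr, name, "public"))
    return flagged


def suspicious_run_entries(log_text):
    """Return (hive, value name, command) for O4 lines whose command launches
    a random-looking eight-letter executable from system32."""
    flagged = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        hive, value_name, command = m.groups()
        if RANDOM_SYS32_RE.search(command):
            flagged.append((hive, value_name, command))
    return flagged


def hash_stream(stream, chunk_size=1 << 20):
    """MD5 and SHA-256 of a binary stream, read in chunks so large files are fine."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for block in iter(lambda: stream.read(chunk_size), b""):
        md5.update(block)
        sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_stream(fh)


def is_known_bad(hashes):
    """True if the MD5 matches a hash already identified as malware."""
    return hashes["md5"] in KNOWN_BAD_MD5


if __name__ == "__main__":
    for entry in suspicious_hosts_entries(SAMPLE_HJT_LOG):
        print("O1 hosts redirect:", entry)
    for entry in suspicious_run_entries(SAMPLE_HJT_LOG):
        print("O4 run entry:", entry)
    for path in sys.argv[1:]:  # e.g. C:\Windows\System32\cpofilwr.exe
        digests = hash_file(path)
        verdict = "KNOWN MALWARE" if is_known_bad(digests) else "unknown, upload for scanning"
        print(path, digests["md5"], digests["sha256"], verdict)
```

Run it with no arguments to triage the embedded sample, or pass file paths to hash them. The script only reads the O1 lines HijackThis already extracted; on Vista the file itself is %SystemRoot%\System32\drivers\etc\hosts, as post #15 says. Hash and record the file before you let HijackThis "Fix Checked" or delete anything, because the scanner report and the hosts entry are the evidence that tells a helper what the infection was.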
