Thread: System Care Antivirus

  1. #1
    Junior Member
    Join Date
    May 2006
    Posts
    13

    System Care Antivirus

    Hello.

    This crap program System Care Antivirus got installed today on my laptop. After reading this thread http://forums.spybot.info/showthread.php?t=68262 , I downloaded the 2 programs Malwarebytes & RogueKiller, and ATM the laptop is in safe mode in order to install & run them. The log from Malwarebytes will be posted as soon as it's done scanning.

  2. #2
    Junior Member
    Join Date
    May 2006
    Posts
    13


    Malwarebytes Anti-Malware (Trial) 1.75.0.1300
    www.malwarebytes.org

    Database version: v2013.04.30.02

    Windows Vista Service Pack 2 x86 NTFS (Safe mode/Networking)
    Internet Explorer 9.0.8112.16421
    Uroš :: UROS-PC [administrator]

    Protection: Enabled

    30.4.2013 12:56:19
    mbam-log-2013-04-30 (12-56-19).txt

    Scan type: Full scan (C:\|D:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 380045
    Time elapsed: 1 Hours(s), 10 minute(s), 8 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Processes Detected: 0
    (No malicious items detected)

    Registry Valuess Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|A04141CE3D1CCC560000A040A191D08B (Trojan.FakeAlert) -> Podatki: C:\ProgramData\A04141CE3D1CCC560000A040A191D08B\A04141CE3D1CCC560000A040A191D08B.exe -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 3
    C:\ProgramData\A04141CE3D1CCC560000A040A191D08B\A04141CE3D1CCC560000A040A191D08B.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Programi\Ventrilo 2.1.4.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\Users\Uroš\AppData\Local\Temp\D8B2.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    (end)

  3. #3
    Junior Member
    Join Date
    May 2006
    Posts
    13


    RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files...3-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
    Started in : Safe mode with network support
    User : Uroš [Admin rights]
    Mode : Scan -- Date : 04/30/2013 14:34:56
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 5 ¤¤¤
    [RUN][SUSP PATH] HKLM\[...]\Run : ASUS Camera ScreenSaver (C:\Windows\AsScrProlog.exe) [7] -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    127.0.0.1 localhost
    ::1 localhost
    [...]


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST950032 5AS SCSI Disk Device +++++
    --- User ---
    [MBR] 23393005d95c1feb1e90f4406eba1821
    [BSP] 68a9a69bc00139773c4fa2984750dba9 : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 63 | Size: 12001 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 24579450 | Size: 238464 Mo
    2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 512955450 | Size: 226471 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[1]_S_04302013_02d1434.txt >>

  4. #4
    tashi (Member of Team Spybot)
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,959


    Hello Nadesico,

    Please see the FAQ which includes guidelines for this forum in post #1 and instructions in post #2 on how to provide the preliminary DDS and aswMBR logs used for analysis.

    http://forums.spybot.info/showthread.php?t=288

    Then start a new topic providing only the logs requested in that sticky.

    A volunteer analyst will advise when available.

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
