[Resolved] Fake Windows XP Defender?

  • 18 Replies

Offline K27

  • Malware Removal Staff
  • Gold Member
  • 2342
    • Go Good IT Solutions
Re: [In Progress] Fake Windows XP Defender?
« Reply #15 on: April 03, 2010, 12:29:28 PM »

You are nearly good to go, but before you do we have some housekeeping to do, I will also post some general prevention advice for keeping a clean machine.

The first thing we will do is to kill some of your start up entries, we will use HJT for this task, I have listed every thing that does not need to start when your system starts,

Open HJT and choose "Do System Scan Only"

Place a check mark next to these optional fixes, none of this list are malware related they are just un-needed startup entries, next to each entry in blue I have given a brief description of what they are related to, I must stress that killing the startup entries of these programs will NOT in any way affect any of the programs they are related to,
each and every program will work just as it should when started manually, all we are doing here is stopping them from starting when you boot the machine.
If there is any thing in the below list that you would like to start when the machine starts then just don't put a check in its box.

After checking the box's you would like to disable, please reboot your machine.

Un-Needed Start up items:

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE <--- Related to Logitech web cam, caqn be started manually

O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe <--- Logitech "Image Studio" installed with Web Cam, not needed on start up

O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe <--- If you use Logifect "Image Studio" keep this, if not it can go

O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start <--- InstallShield update scheduler, remember to check for updates if you disable this

O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup <--- Install updates that above finds, remember to check for update if you disable this

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" <--- not needed, Allows you to play DVD's without pressing play,

O4 - HKLM\..\Run: [BellCanada_McciTrayApp] C:\Program Files\BellCanada\McciTrayApp.exe <--- up to you, taskbar icon for repairing connection problems with Bell Canada broadband.
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe <--- up to you, control panel for ATI video card

O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background <--- Not needed, for blackberry auto update

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" <--- up to you, checks for Java updates, remember to check for updates manually

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime <--- Not needed, starts Apples Quick Time Player

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" <--- Not needed, but may restart itself after running iTunes a few times
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" <--- not needed, controls Roxio on/off feature for watched/not watched films

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe <--- HP software updater, remember to update manually

O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler <--- InstallShield update scheduler, update manually

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background <--- MSN Sign in assistant, turn of via start> Programs > MS messenger > tools > Options > preferences > uncheck "Run this when windows starts"

O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM') <--- As Above

O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user') <--- As Above

O4 - Startup: GM_DevUpdate.lnk = C:\Program Files\USB JOYSTICK\GM_DevUpdate.exe <--- updates your usb joystick, can be done manually

O4 - Global Startup: Event Planner Reminder.lnk = C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe <--- Event planner Task bar icon

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe <--- HP digital imaging monitor; can be launched manually

O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe <--- Related to your HP printer, will still work exactly the same after killing this startup

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe <--- Not needed, shows special offers from Logitech

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE <--- Related to MS Office, can be killed

O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe <--- Image management for Nikon Camera's

Next, lets get some house keeping done.

Please uninstall the programs we used as without proper guidance they can seriously harm the workings of Windows and your PC
  • HiJackThis via Add/Remove Programs in control Panel
  • DDS and the two(2) logs you saved from it by right clicking there Desktop icons and clicking delete
  • Please navigate to and delete the file C:\regback.reg Just right click the file and then click delete (DO NOT DOUBLE CLICK THE FILE, YOU WILL REINFECT YOUR SYSTEM)

Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose
In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Now that your system is clean you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll-back" in case there is a future problem.

1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.
How to Create a Restore Point.
How to use Cleanmgr.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 18.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

Adobe Acrobat/Reader is out of date please update to the latest version from HERE

Now some advice on how to surf safe in the future.

ALWAYS keep all programs on your PC up to date and this especially means your Anti-Virus/Anti-Spyware/Firewall/Java and Adobe programs.
They can all be found via the "All Programs" feature in the start menu and if opened will 100% have a update feature somewhere.
NEVER use more than ONE Anti-Virus,
NEVER use more than ONE Anti-Spyware,
NEVER use more than ONE Software Firewall,(and never use the Windows built in Firewall as it will not keep you protected)

As more than one off each of these will conflict with each other and leave you just as vulnerable as not having them.
You can get some VERY GOOD FREE ones from  HERE

Its always a good idea to back these up with SpywareBlaster as this will run in the background and not conflict with any of your other Security.

Also give WinPatrol a try as it is a very good program that will inform you of any changes being made to your system in the same way that User Account Control does but better, (DO NOT switch off UAC if you install WinPatrol, it is still very much needed)

Research and consider using a HARDWARE Firewall as this will provide a very good extra layer of protection.

Scan with each piece of your security Daily and at the very least two daily.
Always keep a few on-demand scanners on your machine and use them every other day, such as,

If you use IE then consider using a more secure browser such as FireFox or Opera

Install all the latest Windows updates from HERE
or by clicking start>all programs>Windows update, and keep going back and doing these until you have all the available updates until none are showing.
Its a good idea to set Windows Update to automatic so as not to miss any Important updates.

Always you a site advisor such as WOT to confirm the sites you are using are really the sites they say they are.
There is a version of WOT available for both IE and FireFox.

And please read:    
So how did I get infected in the first place? by Tony Klein as this has some very useful information on how to surf safe in the future from HERE

If you have any other questions then please fill free to post back,
I will mark this thread as solved tomorrow,

Safe Surfing,
SpywareHammer - Knowledgebase

The internet is the new age battle of the old age clash between good and evil


Offline adf1962

  • Bronze Member
  • 67
Re: [In Progress] Fake Windows XP Defender?
« Reply #16 on: April 03, 2010, 11:47:34 PM »
Thanks K27.

The system has gotten a good cleaning and it looks like things are in good order.  It's running a bit better on start-up but could still use some tweaking.

I will definitely employ some of the strategies you suggested. 

You and your team have come through again.  Much appreciated.



Offline K27

  • Malware Removal Staff
  • Gold Member
  • 2342
    • Go Good IT Solutions
Re: [In Progress] Fake Windows XP Defender?
« Reply #17 on: April 03, 2010, 11:56:25 PM »
Your Welcome.
SpywareHammer - Knowledgebase

The internet is the new age battle of the old age clash between good and evil


Offline K27

  • Malware Removal Staff
  • Gold Member
  • 2342
    • Go Good IT Solutions
Re: [DONE] Fake Windows XP Defender?
« Reply #18 on: April 05, 2010, 01:22:44 AM »
If you are the originator of this Topic and would like it reopened please send Me a Moderator or Admin a personal message and we will move it back.

The fixes in this topic were written specifically for this user, following may cause harm to your machine and render it a brick (useless), Any one else needing help please go to this board http://spywarehammer.com/simplemachinesforum/index.php?board=10.0 and read all the pinned topic's and please follow the instructions in this topic http://spywarehammer.com/simplemachinesforum/index.php?topic=88.0
« Last Edit: April 05, 2010, 01:27:28 AM by K27 »
SpywareHammer - Knowledgebase

The internet is the new age battle of the old age clash between good and evil