October 10th, 2010, 04:53 PM #1 (Junior Member; joined Jan 2009; 14 posts)
Cannot remove fake Security Essentials
I have tried using Malwarebytes in both safe mode and regular mode, and although I have removed all of the threats, SE continues to control the computer. I was finally able to download HijackThis and run it. I could use some help cleaning this computer of this malware!
Please be specific when telling me how to remove the nasty exe files, as I am new to dealing with the Windows registry. Thank you for your help!
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:42:21 PM, on 10/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\Odixal.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SMINST\RECGUARD.EXE
C:\Program Files\SecEss\SE11.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\All Users\Application Data\cbe17d\SmartEngine.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\All Users\Application Data\3K70aD78.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\HP_Owner\My Documents\Downloads\HijackThis.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Ok7.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Bing:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Bing:
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 Welcome to www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 Secure-plus-payments.com - Secure-plus-payments and Payment System
O1 - Hosts: 74.125.45.100 getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 88.198.198.201 Google
O1 - Hosts: 88.198.198.201 google.com
O1 - Hosts: 88.198.198.201 google.com.au
O1 - Hosts: 88.198.198.201 Google
O1 - Hosts: 88.198.198.201 google.be
O1 - Hosts: 88.198.198.201 Google
O1 - Hosts: 88.198.198.201 google.com.br
O1 - Hosts: 88.198.198.201 Google
O1 - Hosts: 88.198.198.201 google.ca
O1 - Hosts: 88.198.198.201 Google
O1 - Hosts: 88.198.198.201 google.ch
O1 - Hosts: 88.198.198.201 Google
O1 - Hosts: 88.198.198.201 google.de
O1 - Hosts: 88.198.198.201 Google
O1 - Hosts: 88.198.198.201 google.dk
O1 - Hosts: 88.198.198.201 Google
O1 - Hosts: 88.198.198.201 google.fr
O1 - Hosts: 88.198.198.201 Google
O1 - Hosts: 88.198.198.201 google.ie
O1 - Hosts: 88.198.198.201 Google
O1 - Hosts: 88.198.198.201 google.it
O1 - Hosts: 88.198.198.201 Google
O1 - Hosts: 88.198.198.201 google.co.jp
O1 - Hosts: 88.198.198.201 Google
O1 - Hosts: 88.198.198.201 google.nl
O1 - Hosts: 88.198.198.201 Google
O1 - Hosts: 88.198.198.201 google.no
O1 - Hosts: 88.198.198.201 Google
O1 - Hosts: 88.198.198.201 google.co.nz
O1 - Hosts: 88.198.198.201 Google
O1 - Hosts: 88.198.198.201 google.pl
O1 - Hosts: 88.198.198.201 Google
O1 - Hosts: 88.198.198.201 google.se
O1 - Hosts: 88.198.198.201 Google
O1 - Hosts: 88.198.198.201 google.co.uk
O1 - Hosts: 88.198.198.201 Google
O1 - Hosts: 88.198.198.201 google.co.za
O1 - Hosts: 88.198.198.201 Google
O1 - Hosts: 88.198.198.201 Google Analytics | Official Website
O1 - Hosts: 88.198.198.201 Bing
O1 - Hosts: 88.198.198.201 search.yahoo.com
O1 - Hosts: 88.198.198.201 Yahoo! Search - Web Search
O1 - Hosts: 88.198.198.201 uk.search.yahoo.com
O1 - Hosts: 88.198.198.201 ca.search.yahoo.com
O1 - Hosts: 88.198.198.201 de.search.yahoo.com
O1 - Hosts: 88.198.198.201 fr.search.yahoo.com
O1 - Hosts: 88.198.198.201 au.search.yahoo.com
O1 - Hosts: 88.198.198.201 YouTube - Broadcast Yourself.
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [QwestTouchPointAgent] "C:\Program Files\Qwest\Desktop\QwestTouchPointAgent.exe" /autostart
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKCU\..\Run: [IJKUK66HMN] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Ok7.exe
O4 - HKCU\..\Run: [SE11] C:\Program Files\SecEss\SE11.exe
O4 - HKCU\..\Run: [Smart Engine] "C:\Documents and Settings\All Users\Application Data\cbe17d\SmartEngine.exe" /s /d
O4 - HKUS\S-1-5-18\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1010011 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1010011 (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\helpers32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\helpers32.dll
O15 - Trusted Zone: http://*.download-soft-package.com
O15 - Trusted Zone: http://*.download-software-package.com
O15 - Trusted Zone: http://*.fastestdeploy.com
O15 - Trusted Zone: http://*.get-key-se10.com
O15 - Trusted Zone: http://*.is-software-download.com
O15 - Trusted Zone: http://*.fastestdeploy.com (HKLM)
O15 - Trusted Zone: http://*.get-key-se10.com (HKLM)
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1157216152265
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iWonPMSetup_12_1,0,2,5.exe
O16 - DPF: {B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} - downloadv3.com
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {BE5A7132-329F-4319-B781-2A83BFE51534} - downloadv3.com
O16 - DPF: {C6760A07-A574-4705-B113-7856315922C3} - downloadv3.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {D8B94E9A-A34B-4253-BF48-C7CB7F2CFDB0} - downloadv3.com
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb13.pogo.com/game/delux...ploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{18354ABA-B5A7-449F-AFA0-A98870F01E4A}: NameServer = 93.188.164.36,93.188.160.106
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.36,93.188.160.106
O17 - HKLM\System\CS1\Services\Tcpip\..\{18354ABA-B5A7-449F-AFA0-A98870F01E4A}: NameServer = 93.188.164.36,93.188.160.106
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.36,93.188.160.106
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 13151 bytes
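An added example, not part of the thread and not a HijackThis feature: a triage pass over a HijackThis 2.x log that flags the kinds of entries visible in the log above, a hosts file pointing search, update and safe-browsing domains at remote addresses (O1), autostart entries running from Temp or Application Data, a filename that imitates a core Windows process (smss32.exe next to the real smss.exe), Run values planted in the SYSTEM and Default-user hives (O4), an unrecognised Winsock LSP (O10), sites added to the IE Trusted Zone (O15), and public DNS resolvers (O17). The heuristics and their wording are this example's own assumptions; the SAMPLE_LOG is a subset of lines copied from the posted log.

```python
"""Heuristic triage of a HijackThis log (added example, not HijackThis code)."""
import ipaddress
import re

# Constructed sample: a subset of the lines from the posted log above.
SAMPLE_LOG = r"""
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 88.198.198.201 google.com
O1 - Hosts: 88.198.198.201 search.yahoo.com
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IJKUK66HMN] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Ok7.exe
O4 - HKCU\..\Run: [SE11] C:\Program Files\SecEss\SE11.exe
O4 - HKCU\..\Run: [Smart Engine] "C:\Documents and Settings\All Users\Application Data\cbe17d\SmartEngine.exe" /s /d
O4 - HKUS\S-1-5-18\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe (User 'SYSTEM')
O10 - Unknown file in Winsock LSP: c:\windows\system32\helpers32.dll
O15 - Trusted Zone: http://*.get-key-se10.com
O15 - Trusted Zone: http://*.fastestdeploy.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.36,93.188.160.106
"""

# Genuine Windows core process names; the imitation check compares against these.
SYSTEM_PROCS = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "explorer.exe"}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}   # blocklist-style hosts entries
O4_RE = re.compile(r"(?P<key>\S+?\\Run\w*):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)', re.IGNORECASE)


def mimics_system_process(exe: str) -> bool:
    """smss32.exe -> smss.exe: a '32' spliced into a core process name (heuristic)."""
    exe = exe.lower()
    stem, dot, ext = exe.rpartition(".")
    return (exe not in SYSTEM_PROCS and dot == "." and stem.endswith("32")
            and f"{stem[:-2]}.{ext}" in SYSTEM_PROCS)


def check_o1(rest):
    m = re.match(r"Hosts:\s+(\S+)\s+(.+)$", rest)
    if not m or m.group(1) in LOOPBACK:
        return []
    return [f"hosts file maps {m.group(2).strip()} to remote host {m.group(1)}"]


def check_o4(rest):
    m = O4_RE.match(rest)
    if not m:                      # e.g. 'Global Startup' entries are not parsed here
        return []
    key, name, cmd = m.group("key"), m.group("name"), m.group("cmd")
    pm = EXE_RE.match(cmd)
    path = (pm.group("path") if pm else cmd).lower()
    exe = path.rsplit("\\", 1)[-1]
    reasons = []
    if "\\temp\\" in path or "\\application data\\" in path:
        reasons.append("autostart from a temp/profile-data directory")
    if mimics_system_process(exe):
        reasons.append(f"{exe} mimics core process {exe.replace('32.', '.')}")
    if key.upper().startswith("HKUS\\"):
        reasons.append("Run value in the SYSTEM/Default-user profile hive")
    if re.fullmatch(r"[A-Z0-9]{8,}", name) and re.search(r"\d", name):
        reasons.append(f"random-looking value name {name!r}")
    return reasons


def check_o10(rest):
    # Deleting an LSP DLL without repairing the Winsock catalog breaks networking;
    # on XP SP2+ 'netsh winsock reset' rebuilds the chain.
    return ["unrecognised Winsock LSP: repair the LSP chain (netsh winsock reset) "
            "rather than just deleting the DLL"]


def check_o15(rest):
    return [f"site added to the IE Trusted Zone: {rest.split(':', 1)[1].strip()}"]


def check_o17(rest):
    m = re.search(r"NameServer\s*=\s*([\d.,\s]+)", rest)
    if not m:
        return []
    public = [ip for ip in re.split(r"[,\s]+", m.group(1).strip())
              if ip and not ipaddress.ip_address(ip).is_private]
    return [f"public DNS resolvers {public}: confirm they belong to the ISP"] if public else []


CHECKS = {"O1": check_o1, "O4": check_o4, "O10": check_o10,
          "O15": check_o15, "O17": check_o17}


def triage(log_text):
    """Return one finding per flagged line: {'code', 'line', 'reasons'}."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(O\d+)\s+-\s+(.*)$", line)
        if not m or m.group(1) not in CHECKS:
            continue
        reasons = CHECKS[m.group(1)](m.group(2))
        if reasons:
            findings.append({"code": m.group(1), "line": line, "reasons": reasons})
    return findings


def summary(findings):
    counts = {}
    for f in findings:
        counts[f["code"]] = counts.get(f["code"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["code"], f["line"])
        for r in f["reasons"]:
            print("    -", r)
    print(summary(triage(SAMPLE_LOG)))
```

Note what the heuristics miss: the rogue's own SE11.exe under C:\Program Files\SecEss passes every rule, which is why the running-process list and the product name the user sees on screen still have to be matched against the O4 entries by hand. The other lesson from the O4 output is that the same binary is registered in HKLM, HKCU and the S-1-5-18 (SYSTEM) hive, so cleaning one Run key and rebooting lets the others restart it.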
October 10th, 2010, 05:07 PM #2
Did you disable System Restore?
HijackThis Analyzer & Tutorial
Copy your results in here.
October 11th, 2010, 11:38 AM #3 (Junior Member; joined Jan 2009; 14 posts)
When infected with the fake SE, you are not able to use Task Manager (either through Start/Run/taskmgr or Ctrl/Alt/Delete); you are also not able to go to System Restore or the registry, or change your wallpaper. You also cannot delete the program from your C drive. SE looks like a Norton shield, except it is multi-colored. There is also a red circle with an X in the middle.
Once I ran Malwarebytes and removed the 18 threats, I was able to do these things, and after removing the programs (they NEVER show in your Add/Remove Programs, only in your Program Files), I edited the registry, removing everything that I knew was part of this malware.
I restarted the computer and the malware reinfected! This time was a bit more challenging, as a new program appeared: Smart Engine. The constant pop-ups got so bad that I took the computer offline and ran through the steps listed above in safe mode (I couldn't even run Malwarebytes in normal mode anymore). 728 threats were reported and I removed them all. I was able to get everything clean except this program (name unknown) showing in the task bar. It was the red circle with an X in the middle.
I am completely baffled at this point. The biggest problem with this malware is researching it online; there are so many name variants. You may see SE10, SE11, Security Essentials 2010 or Security Essentials 2011. The registry also has so many name variants. My last time in the registry, I even deleted entries that looked suspicious!
Has anyone had this malware? Any ideas on how I can get rid of it altogether?
October 11th, 2010, 01:42 PM #4
October 11th, 2010, 06:39 PM #5