# "Win 7 Security 2011" Fake anti-virus program



## Soupninja (Jan 20, 2010)

This morning, my mom told me to look at her computer because there was something wrong with it. After an hour or so of looking at it, this is what I learned:
There's an "Anti-virus" program installed on her laptop that makes claims of fake infections and attempts to lure the user into purchasing the full version of this so-called anti-virus program.

She uses AVG Free edition as her actual anti-virus. This new program (further to be called the "infection") won't allow me to open AVG.

The infection also redirects Internet Explorer to a page that says the following:


> Internet Explorer alert. Visiting this site may pose a security threat to your system!
> ...
> Things you can do:
> Get a copy of 'Win 7 Security 2011' to safguard your PC while surfing the web (RECOMMENDED)
> ...


Upon looking into the running processes, I found something I've never seen before. An entry called "ugg.exe" and the description of which is "Gpg4win: The GNU Privacy Guard and Tools for Windows"
When this process is ended, the taskbar popups cease and any "Win 7 Security 2011" windows close. However, an attempt to run IE or AVG restarts this process and puts us back at square one.

Trying to open the file location of the "ugg.exe" file brings me to the AppData\Local\ folder; however, there is no such file in that location.

Also, an attempt to open msconfig returns the error "Windows cannot find 'C:\windows\system32\msconfig.exe'. Make sure you typed the name correctly, and then try again."

Any help would be greatly appreciated.

HijackThis log


> Logfile of Trend Micro HijackThis v2.0.4
> Scan saved at 4:28:32 PM, on 3/11/2011
> Platform: Windows 7 (WinNT 6.00.3504)
> MSIE: Internet Explorer v8.00 (8.00.7600.16722)
> ...
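
A triage script for the symptoms described in this post, added here as an example; it is not part of the original thread and not something either poster ran. It automates what Soupninja did by hand: list processes whose image lives under the user's AppData tree, show whether the file on disk carries the hidden attribute and what its version resource claims to be, and dump the registry locations where a rogue AV commonly hooks in to relaunch itself or block other programs. The process and file enumeration is generic; the registry locations (Run keys, a per-user `.exe` handler, Image File Execution Options debugger entries) are assumptions about how this class of malware typically persists, not facts the thread establishes. The syntax is kept PowerShell 2.0 compatible so it runs on a stock Windows 7 install.

```powershell
# Added triage example, not from the original thread. Run from an elevated
# PowerShell prompt on the suspect PC. The registry checks in steps 2 and 3
# are general assumptions about rogue-AV persistence, not thread facts.

$profileAppData = Join-Path $env:USERPROFILE 'AppData'

# 1. Processes whose executable lives under the profile's AppData tree.
#    Win32_Process carries the full image path even when the file is hidden.
$suspects = Get-WmiObject Win32_Process |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -like "$profileAppData\*" } |
    ForEach-Object {
        $path = $_.ExecutablePath
        # -Force is what makes Get-Item return a hidden file at all.
        $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        $hidden = 'file not visible'; $desc = $null; $company = $null; $sig = $null
        if ($file) {
            $hidden  = [bool]($file.Attributes -band [IO.FileAttributes]::Hidden)
            $desc    = $file.VersionInfo.FileDescription   # what Task Manager shows as "Description"
            $company = $file.VersionInfo.CompanyName
            $sig     = (Get-AuthenticodeSignature -FilePath $path).Status
        }
        New-Object PSObject -Property @{
            Pid = $_.ProcessId; ParentPid = $_.ParentProcessId; Path = $path
            Hidden = $hidden; Description = $desc; Company = $company; Signature = $sig
        }
    }
$suspects | Format-List Pid, ParentPid, Path, Hidden, Description, Company, Signature

# 2. Relaunch mechanisms. These are checks only; a hit still needs a human to
#    read the value before anything is changed or deleted.
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    # Normally absent. A per-user .exe handler means every program launch
    # runs whatever command is registered here before the real program.
    'HKCU:\Software\Classes\.exe',
    'HKCU:\Software\Classes\exefile\shell\open\command'
)
foreach ($key in $keys) {
    if (Test-Path -LiteralPath $key) {
        "`n== $key"
        Get-ItemProperty -LiteralPath $key | Select-Object * -ExcludeProperty PS* | Format-List
    }
}

# 3. Image File Execution Options: a Debugger value under a subkey named after
#    an executable makes Windows start the "debugger" instead of that program.
#    Only subkeys that actually carry a Debugger value are printed.
"`n== IFEO Debugger entries"
$ifeo = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -LiteralPath $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -LiteralPath $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { '{0,-30} -> {1}' -f $_.PSChildName, $dbg }
}

# 4. Files created directly under %LOCALAPPDATA% in the last week, hidden ones
#    included, to catch sibling binaries dropped alongside the visible one.
"`n== Recent files in %LOCALAPPDATA%"
$localAppData = [Environment]::GetFolderPath('LocalApplicationData')
Get-ChildItem -LiteralPath $localAppData -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.CreationTime -gt (Get-Date).AddDays(-7) } |
    Sort-Object CreationTime -Descending |
    Format-Table Name, Length, CreationTime, Attributes -AutoSize
```

Run it while the rogue is still active so step 1 has something to find. An unsigned binary in AppData\Local whose version resource names an unrelated product (here, a Gpg4win description on a file that is not part of Gpg4win) is the kind of mismatch this makes visible without opening the file. If starting PowerShell itself relaunches the rogue, the same queries can be issued from Safe Mode with Command Prompt or from a different user account.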


----------



## kevinf80 (Mar 21, 2006)

Hiya Soupninja,

Do the following :-

*Step 1*

Download TFC to your desktop, from either of the following links
*Link 1*
*Link 2*

- Make sure any open work is saved. TFC will close all open application windows.
- Double-click TFC.exe to run the program.
- If prompted, click "Yes" to reboot.

TFC will automatically close any open programs, so let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

*Step 2*

Please download *Malwarebytes* Anti-Malware and save it to your desktop.
*Alternative D/L mirror*
*Alternative D/L mirror*

Double click mbam-setup.exe to install the application.

- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- Please save the log to a location you will remember.
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

*Step 3*

Download OTL from any of the following links and save to your Desktop:

*Link 1*
*Link 2*
*Link 3*

- Double click on the icon to run it. Vista and Windows 7 users right click and select Run as Administrator. Make sure all other windows are closed and let it run uninterrupted.
- In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
- Under the Custom Scan box paste this in:

```
netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
```

- Click the *Run Scan* button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your reply.

What I'd like in your reply :-

- Log from Malwarebytes
- OTL Txt
- Extras Txt

Kevin


----------



## Soupninja (Jan 20, 2010)

It won't let me install Malwarebytes. When I try to run it, it just reopens the ugg.exe process.

OTL.txt


> OTL logfile created on: 3/12/2011 10:54:26 AM - Run 1
> OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Lori\Desktop
> 64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
> Internet Explorer (Version = 8.0.7600.16385)
> ...


Extras.txt


> OTL Extras logfile created on: 3/12/2011 10:54:26 AM - Run 1
> OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Lori\Desktop
> 64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
> Internet Explorer (Version = 8.0.7600.16385)
> ...


----------



## kevinf80 (Mar 21, 2006)

Hiya Soupninja,

Continue as follows :-

Re-run OTL by double left click; Vista and Windows 7 users right click and select Run as Administrator.

Under the Custom Scan box at the bottom, paste in the following


```
:OTL
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [] File not found
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:FC5A2B2
:Services

:Reg

:Files
ipconfig /flushdns /c
C:\Users\Lori\AppData\Local\ugg.exe
C:\Users\Lori\AppData\Local\pri.exe
C:\Users\Lori\Desktop\null0.5182665308992576.exe
C:\ProgramData\3567006381
C:\Users\Lori\AppData\Local\3567006381
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
```

Then click the *Run Fix* button at the top.
Let the program run unhindered, and reboot the PC when it is done.
Open OTL again and click the *Quick Scan* button. Post the log it produces in your next reply.

Try Malwarebytes again

Post the following logs :-

1. OTL Fix

2. OTL Quick scan

3. Malwarebytes

Kevin...
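
A post-fix verification script, added here as an example; it is not part of the original thread and was not part of kevinf80's instructions. After the OTL fix above has run and the PC has rebooted, it confirms that each item the fix targeted is actually gone: the paths are the ones listed in the fix's `:Files` section, the alternate-data-stream check covers the two `@Alternate Data Stream` entries on `C:\ProgramData\TEMP`, and the hosts check follows up the `[resethosts]` command. It uses `dir /r` rather than `Get-Item -Stream` so it works on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added verification example, not from the original thread. Run from an
# elevated PowerShell prompt after the OTL fix and reboot.

# Paths taken verbatim from the :Files section of the fix.
$targets = @(
    'C:\Users\Lori\AppData\Local\ugg.exe',
    'C:\Users\Lori\AppData\Local\pri.exe',
    'C:\Users\Lori\Desktop\null0.5182665308992576.exe',
    'C:\ProgramData\3567006381',
    'C:\Users\Lori\AppData\Local\3567006381'
)

'== Files and folders named in the fix'
foreach ($t in $targets) {
    # -Force so a hidden leftover is not mistaken for a deleted one.
    $present = [bool](Get-Item -LiteralPath $t -Force -ErrorAction SilentlyContinue)
    '{0,-14} {1}' -f $(if ($present) { 'STILL PRESENT' } else { 'gone' }), $t
}

# dir /r (Vista and later) lists named NTFS streams for every entry,
# directories included. Stream lines contain ':$DATA'; normal entries do not.
"`n== Named alternate data streams directly under C:\ProgramData"
$streams = cmd /c 'dir /r /a C:\ProgramData' | Where-Object { $_ -match ':\$DATA' }
if ($streams) { $streams } else { 'none' }

# [resethosts] restores a default hosts file; anything left that is not a
# comment deserves a look (the default file has at most the localhost lines).
"`n== Active (non-comment) hosts file entries"
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$active = Get-Content -LiteralPath $hosts | Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' }
if ($active) { $active } else { 'none' }
```

If anything reports STILL PRESENT or a named stream is still listed, the item survived the fix (or the rogue recreated it) and belongs in the next OTL or Malwarebytes pass rather than being deleted by hand, so the helper can see what came back.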


----------



## Soupninja (Jan 20, 2010)

Success!!

Thank you so much for all your help. I appreciate it immensely. 
My mom is gonna be thrilled


----------



## kevinf80 (Mar 21, 2006)

Very good. Can I see the logs from the OTL fix, OTL quick scan and Malwarebytes?


----------

