Specialty Forums
Security and Virus
General Hardware
CPUs/Overclocking
Networking
Digital Photo/Video
Office Software
PC Gaming
Console Gaming
Programming
Database
Web Development
Digital Home

General Forums
Windows XP
Windows Vista
Windows 95/98
Windows Me
Windows NT
Windows 2000
Win Server 2008
Win Server 2003
Windows 3.1
Linux
PDAs
BeOS
Novell Netware
OpenVMS
Solaris
Disk Op. System
Unix
Mac
OS/2

Drivers
Driver Scan
Driver Forum

Software
Automatic Updates

BIOS Updates

My Computing.Net

Solution Center

Free IT eBook

Howtos

Site Search

Message Find

RSS Feeds

Install Guides

Data Recovery

About

Home
Reply to Message Icon Go to Main Page Icon

Subject: PLEASE HELP Winantivirus Pop-ups

Original Message
Name: nice2be1
Date: August 31, 2007 at 17:03:59 Pacific
Subject: PLEASE HELP Winantivirus Pop-ups
OS: XP
CPU/Ram: SP2/64
Comment:
I'm getting pop-ups from WinAntivirus and other pop-ups. The other ones consist of "your computer is running slow...etc" and there are some random ones like expedia and cashdirect or something like that. Can anyone help me out.
Thanks :)


Report Offensive Message For Removal

Response Number 1
Name: jabuck
Date: August 31, 2007 at 19:57:28 Pacific
Subject: PLEASE HELP Winantivirus Pop-ups
Reply: (edit)
Please download and install the latest version of HijackThis v2.0.2:

Download the HijackThis Installer from this link: HijackThis

1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.


Report Offensive Follow Up For Removal

Response Number 2
Name: nice2be1
Date: September 1, 2007 at 04:02:25 Pacific
Subject: PLEASE HELP Winantivirus Pop-ups
Reply: (edit)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:08:08 AM, on 9/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Owner\Local Settings\Temp\wze441\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage....
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage....
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel....
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\armvpynl.dll",forkonce
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - ?p=ZCxdm565KDUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/s...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1....
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8174 bytes


Report Offensive Follow Up For Removal

Response Number 3
Name: jabuck
Date: September 1, 2007 at 05:53:13 Pacific
Subject: PLEASE HELP Winantivirus Pop-ups
Reply: (edit)
Please download “Avenger” by swandog46 to your desktop from this link http://swandog46.geekstogo.com/avenger.zip Do not use this tool yet we will need it later.

Please download ComboFix to the desktop from this link:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode

Download and install AVG Anti-Spyware We will need this later in safe mode

Be sure to update AVG Anti- Spyware

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

Please post the log it produces and a new Hijack This log..


Report Offensive Follow Up For Removal

Response Number 4
Name: nice2be1
Date: September 1, 2007 at 07:00:14 Pacific
Subject: PLEASE HELP Winantivirus Pop-ups
Reply: (edit)
ComboFix 07-08-30.3 - "Owner" 2007-09-01 9:48:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.69 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Owner\APPLIC~1\install.dat
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\armvpynl.dll
C:\WINDOWS\system32\clodcssj.exe
C:\WINDOWS\system32\hggfghg.dll
C:\WINDOWS\system32\hgggday.dll
C:\WINDOWS\system32\iltjwneu.dll
C:\WINDOWS\system32\lnypvmra.ini
C:\WINDOWS\system32\nsw57.dll
C:\WINDOWS\system32\nsw60.dll
C:\WINDOWS\system32\nsx8E.dll
C:\WINDOWS\system32\orqss.bak1
C:\WINDOWS\system32\orqss.bak2
C:\WINDOWS\system32\orqss.ini
C:\WINDOWS\system32\pwmwxquu.exe
C:\WINDOWS\system32\ssqro.dll
C:\WINDOWS\system32\tfyqsnjf.dll
C:\WINDOWS\system32\tmjqpvnd.dll
C:\WINDOWS\system32\uenwjtli.ini
D:\Autorun.inf


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-08-01 to 2007-09-01 )))))))))))))))))))))))))))))))


2007-09-01 09:44 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-31 17:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-30 13:05 95,232 --a------ C:\WINDOWS\system32\drvnod.dll
2007-08-30 13:05 15,360 --a------ C:\WINDOWS\system32\drvnodr.dll
2007-08-30 07:44 <DIR> d-------- C:\!KillBox
2007-08-29 08:05 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-29 07:02 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-29 06:58 <DIR> d-------- C:\DOCUME~1\Owner\.housecall6.6
2007-08-28 06:44 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\AdwareAlert
2007-08-28 06:43 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-08-27 15:46 <DIR> d--h----- C:\WINDOWS\PIF
2007-08-27 15:05 <DIR> d-------- C:\Program Files\XoftSpySE
2007-08-27 14:28 1,601,769 --ahs---- C:\WINDOWS\system32\onnmp.bak2
2007-08-27 06:23 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-08-27 06:23 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\You've Got Pictures Screensaver
2007-08-27 06:23 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
2007-08-27 06:23 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AOL
2007-08-26 18:01 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-26 10:06 6,513 --ahs---- C:\WINDOWS\system32\onnmp.bak1
2007-08-26 09:57 <DIR> d-------- C:\VundoFix Backups
2007-08-25 02:12 <DIR> d-------- C:\Program Files\a-squared Free
2007-08-25 02:05 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\McAfee
2007-08-24 04:17 90,112 --a------ C:\WINDOWS\system32\mcrtl32.dll
2007-08-24 04:17 32,768 --a------ C:\WINDOWS\system32\instlsp.exe
2007-08-24 04:17 131,072 --a------ C:\WINDOWS\system32\mclsp.dll
2007-08-24 04:17 11,264 --a------ C:\WINDOWS\system32\sporder.dll
2007-08-24 04:17 <DIR> d-------- C:\WINDOWS\system32\mclsphlr
2007-08-24 03:52 <DIR> d-------- C:\Program Files\DAMN NFO Viewer
2007-08-24 03:39 93,184 --a------ C:\WINDOWS\system32\drvpuw.dll
2007-08-24 03:39 15,360 --a------ C:\WINDOWS\system32\drvpuwr.dll
2007-08-18 15:45 <DIR> d-------- C:\My Downloads
2007-08-18 15:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Cast ping base frag
2007-08-18 15:44 <DIR> d-------- C:\Program Files\BitDownload
2007-08-18 14:38 32,768 --a------ C:\WINDOWS\system32\cardinfo.dll
2007-08-18 14:38 28,160 --a------ C:\WINDOWS\system32\bravemail.dll
2007-08-18 14:38 <DIR> d-------- C:\Program Files\PhotoBuilder
2007-08-18 14:14 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Morpheus Software
2007-08-18 13:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-31 1OCUME~1\Owner\APPLIC~1\AdobeUM
2007-08-28 0rogram Files\LimeWire
2007-08-24 0rogram Files\McAfee.com
2007-08-24 0OCUME~1\ALLUSE~1\APPLIC~1\McAfee.com
2007-08-18 1rogram Files\Napster
2007-08-18 1OCUME~1\ALLUSE~1\APPLIC~1\Napster
2007-08-18 1rogram Files\InstallShield Installation Information
2007-08-11 1rogram Files\userdata
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-03 01:45 7168 --ahsc--- C:\Program Files\Thumbs.db
2006-11-23 11:24 18029 --a--c--- C:\Program Files\irunin.ini
2006-11-23 11:23 8134 --a--c--- C:\Program Files\irunin.bmp
2006-11-23 11:23 15938 --a--c--- C:\Program Files\irunin.lng
2006-11-23 11:23 149841 --a--c--- C:\Program Files\irunin.dat
2003-12-14 17:34 57 --a--c--- C:\Program Files\status.js
2003-12-14 17:32 27587 --a--c--- C:\Program Files\theUninstallFile.txt
2003-12-14 17:32 1290240 --a------ C:\Program Files\Zuma.exe
2003-12-14 17:31 95 --a--c--- C:\Program Files\mainimage_top.gif
2003-12-14 17:31 91 --a--c--- C:\Program Files\mainimage_bottom.gif
2003-12-14 17:31 902 --a--c--- C:\Program Files\contentbox.gif
2003-12-14 17:31 828 --a--c--- C:\Program Files\button_center.gif
2003-12-14 17:31 741 --a--c--- C:\Program Files\mainimage_left.gif
2003-12-14 17:31 6561 --a--c--- C:\Program Files\racnotinstalled.htm
2003-12-14 17:31 53 --a--c--- C:\Program Files\empty.gif
2003-12-14 17:31 49 --a--c--- C:\Program Files\spacer.gif
2003-12-14 17:31 38543 --a--c--- C:\Program Files\gameart.jpg
2003-12-14 17:31 333 --a--c--- C:\Program Files\wrapper.ini
2003-12-14 17:31 314 --a--c--- C:\Program Files\butt_next_over.gif
2003-12-14 17:31 310 --a--c--- C:\Program Files\butt_back_over.gif
2003-12-14 17:31 287 --a--c--- C:\Program Files\launch.ini
2003-12-14 17:31 285 --a--c--- C:\Program Files\osd212.osd
2003-12-14 17:31 27957 --a--c--- C:\Program Files\readme.html
2003-12-14 17:31 279 --a--c--- C:\Program Files\meter_bottom.gif
2003-12-14 17:31 263 --a--c--- C:\Program Files\meter_top.gif
2003-12-14 17:31 224 --a--c--- C:\Program Files\feedback.htm
2003-12-14 17:31 218 --a--c--- C:\Program Files\butt_next.gif
2003-12-14 17:31 213 --a--c--- C:\Program Files\butt_back.gif
2003-12-14 17:31 210 --a--c--- C:\Program Files\setup.ini
2003-12-14 17:31 208 --a--c--- C:\Program Files\button_right.gif
2003-12-14 17:31 192 --a--c--- C:\Program Files\meter_right.gif
2003-12-14 17:31 191 --a--c--- C:\Program Files\meter_left.gif
2003-12-14 17:31 187 --a--c--- C:\Program Files\button_left.gif
2003-12-14 17:31 150 --a--c--- C:\Program Files\horzline.gif
2003-12-14 17:31 149 --a--c--- C:\Program Files\meter_upperleft.gif
2003-12-14 17:31 149 --a--c--- C:\Program Files\meter_lowerright.gif
2003-12-14 17:31 147 --a--c--- C:\Program Files\meter_upperright.gif
2003-12-14 17:31 146 --a--c--- C:\Program Files\meter_lowerleft.gif
2003-12-14 17:31 14190 --a--c--- C:\Program Files\pregame.htm
2003-12-14 17:31 1285 --a--c--- C:\Program Files\contentbox_bottom.gif
2003-12-14 17:31 1241 --a--c--- C:\Program Files\contentbox_top.gif
2003-12-14 17:31 124 --a--c--- C:\Program Files\butt_left.gif
2003-12-14 17:31 123 --a--c--- C:\Program Files\butt_right.gif
2003-12-14 17:31 115 --a--c--- C:\Program Files\mainimage_right.gif
2003-12-14 17:31 102196 --a------ C:\Program Files\bass.dll
2003-12-14 17:31 101 --a--c--- C:\Program Files\fill.gif
2003-11-21 17:11 49 --ah-c--- C:\Program Files\Config.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{027D35C1-9701-454C-98FC-2F06466EDE0E}]
C:\WINDOWS\system32\awtqn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9CDC926D-1540-4323-9072-6E4B2813869E}]
C:\WINDOWS\system32\pmnno.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D3C7F3A4-D6DC-407A-8F54-73C7E7FC1E9F}]
C:\WINDOWS\system32\geeby.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 19:18]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 02:02]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 19:29]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 13:05]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 14:26]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2006-11-07 15:49]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 16:49]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 18:00]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2005-09-28 16:28]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-17 20:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winosz32]
winosz32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk
backup=C:\WINDOWS\pss\Image Transfer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^svchost.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
backup=C:\WINDOWS\pss\svchost.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdwareAlert]
C:\Program Files\AdwareAlert\AdwareAlert.exe -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
rundll32.exe C:\WINDOWS\system32\drvnod.dll,startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1164119477\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\outlook]
C:\Program Files\outlook\outlook.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]
C:\Program Files\Digital Media Reader\readericon45G.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
%WINDIR%\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "C:\WINDOWS\system32\iltjwneu.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winlog]
winlog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{7C-CB-B2-27-ZN}]
c:\windows\system32\dwdsrngt.exe P2D002

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PrismXL"=2 (0x2)
"ose"=3 (0x3)
"DomainService"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"AdwareAlertSrv"=2 (0x2)

S4 AdwareAlertSrv;AdwareAlert Scanning Engine;"C:\Program Files\AdwareAlert\AdwareAlertSrv.srv.exe"


Contents of the 'Scheduled Tasks' folder
2007-09-01 07:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job - C:\Program Files\AdwareAlert\AdwareAlert.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-01 09:55:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-01 9:57:40 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-01 09:57

--- E O F ---


Report Offensive Follow Up For Removal

Response Number 5
Name: nice2be1
Date: September 1, 2007 at 07:02:34 Pacific
Subject: PLEASE HELP Winantivirus Pop-ups
Reply: (edit)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:03 AM, on 9/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Owner\Local Settings\Temp\wz6312\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage....
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage....
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {027D35C1-9701-454C-98FC-2F06466EDE0E} - C:\WINDOWS\system32\awtqn.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {9CDC926D-1540-4323-9072-6E4B2813869E} - C:\WINDOWS\system32\pmnno.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {D3C7F3A4-D6DC-407A-8F54-73C7E7FC1E9F} - C:\WINDOWS\system32\geeby.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - ?p=ZCxdm565KDUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/s...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1....
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: winosz32 - winosz32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9297 bytes


Report Offensive Follow Up For Removal

Response Number 6
Name: jabuck
Date: September 1, 2007 at 08:20:24 Pacific
Subject: PLEASE HELP Winantivirus Pop-ups
Reply: (edit)
Please download VundoFix.exe to your C:\.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Run Vundofix again.

Post the log located at C:Vundofix.txt.


Report Offensive Follow Up For Removal

Response Number 7
Name: nice2be1
Date: September 1, 2007 at 09:26:53 Pacific
Subject: PLEASE HELP Winantivirus Pop-ups
Reply: (edit)
VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 9:57:14 AM 8/26/2007

Listing files found while scanning....

C:\windows\system32\aoemtcvi.dll
C:\WINDOWS\system32\geeby.dll
C:\windows\system32\ivctmeoa.ini
C:\WINDOWS\system32\opdscxtp.dll
C:\windows\system32\vbxhupqx.dll
C:\windows\system32\xqpuhxbv.ini
C:\WINDOWS\system32\ybeeg.bak1
C:\WINDOWS\system32\ybeeg.bak2
C:\WINDOWS\system32\ybeeg.ini

Beginning removal...

Attempting to delete C:\windows\system32\aoemtcvi.dll
C:\windows\system32\aoemtcvi.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\geeby.dll
C:\WINDOWS\system32\geeby.dll Has been deleted!

Attempting to delete C:\windows\system32\ivctmeoa.ini
C:\windows\system32\ivctmeoa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\opdscxtp.dll
C:\WINDOWS\system32\opdscxtp.dll Has been deleted!

Attempting to delete C:\windows\system32\vbxhupqx.dll
C:\windows\system32\vbxhupqx.dll Has been deleted!

Attempting to delete C:\windows\system32\xqpuhxbv.ini
C:\windows\system32\xqpuhxbv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ybeeg.bak1
C:\WINDOWS\system32\ybeeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ybeeg.bak2
C:\WINDOWS\system32\ybeeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ybeeg.ini
C:\WINDOWS\system32\ybeeg.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 2:42:02 PM 8/27/2007

Listing files found while scanning....

C:\windows\system32\aoemtcvi.dll
C:\WINDOWS\system32\grphuvwn.dll
C:\windows\system32\nwvuhprg.ini
C:\WINDOWS\system32\owkmhxwr.dll
C:\WINDOWS\system32\pmnno.dll

Beginning removal...

Attempting to delete C:\windows\system32\aoemtcvi.dll
C:\windows\system32\aoemtcvi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\grphuvwn.dll
C:\WINDOWS\system32\grphuvwn.dll Could not be deleted.

Attempting to delete C:\windows\system32\nwvuhprg.ini
C:\windows\system32\nwvuhprg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\owkmhxwr.dll
C:\WINDOWS\system32\owkmhxwr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnno.dll
C:\WINDOWS\system32\pmnno.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 7:53:08 AM 8/29/2007

Listing files found while scanning....

C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\blrkethg.dll
C:\windows\system32\grphuvwn.dll
C:\WINDOWS\system32\nqtwa.bak1
C:\WINDOWS\system32\nqtwa.bak2
C:\WINDOWS\system32\nqtwa.ini
C:\windows\system32\qtekcgwu.ini
C:\WINDOWS\system32\uwgcketq.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\awtqn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\blrkethg.dll
C:\WINDOWS\system32\blrkethg.dll Has been deleted!

Attempting to delete C:\windows\system32\grphuvwn.dll
C:\windows\system32\grphuvwn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtwa.bak1
C:\WINDOWS\system32\nqtwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtwa.bak2
C:\WINDOWS\system32\nqtwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\nqtwa.ini Has been deleted!

Attempting to delete C:\windows\system32\qtekcgwu.ini
C:\windows\system32\qtekcgwu.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\uwgcketq.dll
C:\WINDOWS\system32\uwgcketq.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 12:13:45 PM 9/1/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...


Report Offensive Follow Up For Removal

Response Number 8
Name: jabuck
Date: September 1, 2007 at 10:10:16 Pacific
Subject: PLEASE HELP Winantivirus Pop-ups
Reply: (edit)
Run Avenger

1. Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text contained in the area between the X"s below to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Files to delete:
C:\WINDOWS\system32\onnmp.bak2
C:\WINDOWS\system32\onnmp.bak1
C:\WINDOWS\system32\grphuvwn.dll

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

Run Hijack This, close all windows except Hijack This, place a check to the left of the following items and press "fix checked":

O2 - BHO: (no name) - {027D35C1-9701-454C-98FC-2F06466EDE0E} - C:\WINDOWS\system32\awtqn.dll (file missing)

O2 - BHO: (no name) - {9CDC926D-1540-4323-9072-6E4B2813869E} - C:\WINDOWS\system32\pmnno.dll (file missing)

O2 - BHO: (no name) - {D3C7F3A4-D6DC-407A-8F54-73C7E7FC1E9F} - C:\WINDOWS\system32\geeby.dll (file missing)

O20 - Winlogon Notify: winosz32 - winosz32.dll (file missing)

Exit Hijack This

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Boot into safe mode.

Run ATF-Cleaner from safe mode.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

In Safe Mode, run AVG Anti-spyware and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.

AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.

Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).

Boot to normal mode and post the above result along with a new Hijack This log and let me know how the computer is running.


Report Offensive Follow Up For Removal

Response Number 9
Name: Surikas
Date: September 3, 2007 at 07:05:49 Pacific
Subject: PLEASE HELP Winantivirus Pop-ups
Reply: (edit)
Well you may always remove winantivirus manually..
http://www.2-spyware.com/remove-win...

Report Offensive Follow Up For Removal



Use following form to reply to current message: 

   Name: From My Computing.Net Settings
 E-Mail: From My Computing.Net Settings

Subject: PLEASE HELP Winantivirus Pop-ups

Comments:
         

 
  Homepage URL (*): 
Homepage Title (*): 
         Image URL:
 


Data Recovery Software



Version Tracker Pro
Keep your software current and secure, effortlessly
Click Here for a Free Scan

Driver Agent
Automatically find the latest drivers for your computer.
 Click Here for a Free Scan

The information on Computing.Net is the opinions of its users. Such opinions may not be accurate and they are to be used at your own risk. Computing.Net cannot verify the validity of the statements made on this site. Computing.Net and Computing.Net, LLC hereby disclaim all responsibility and liability for the content of Computing.Net and its accuracy.
PLEASE READ THE FULL DISCLAIMER AND LEGAL TERMS BY CLICKING HERE

All content ©1996-2007 Computing.Net, LLC