Computing.Net > Forums > Security and Virus > remove fake windows security adware

Specialty Forums
Security and Virus
General Hardware
CPUs/Overclocking
Networking
Digital Photo/Video
Office Software
PC Gaming
Console Gaming
Programming
Database
Web Development
Digital Home

General Forums
Windows XP
Windows Vista
Windows 95/98
Windows Me
Windows NT
Windows 2000
Win Server 2008
Win Server 2003
Windows 3.1
Linux
PDAs
BeOS
Novell Netware
OpenVMS
Solaris
Disk Op. System
Unix
Mac
OS/2

Drivers
Driver Scan
Driver Forum

Software
Automatic Updates

BIOS Updates

My Computing.Net

Howtos

Site Search

Message Find

Data Recovery

About

remove fake windows security adware

Reply to Message Icon
Original Message
Name: gummowski
Date: September 26, 2007 at 20:16:57 Pacific
Subject: remove fake windows security adware
OS: XP
CPU/Ram: N/A
Model/Manufacturer: MDG
Comment:

Help! This seems like a virus/spyware issue similar to others I have seen in this forum. I ran Spybot, Panda and cannot remove a constant string of annoying warning messages in the taskbar and a fake Windows Security Center popup. My Desktop image has also changed and the Task Manager has been disabled. I can upload a hijackthis report if it helps.

Any help would be appreciated.
Gummowski



Report Offensive Message For Removal

Response Number 1
Name: jabuck
Date: September 27, 2007 at 03:46:44 Pacific
Subject: remove fake windows security adware
Reply: (edit)

Please download SmitFraudFix from this link http://siri.urz.free.fr/Fix/Smitfra... Then extract the contents to your desktop.

!!!! Only run option #1 as runing the other options on an uninfected computer will damage the desktop.!!!!


Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Please download and install the latest version of HijackThis v2.0.2:

Download the HijackThis Installer from this link: HijackThis

1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.


Report Offensive Follow Up For Removal

Response Number 2
Name: gummowski
Date: September 27, 2007 at 19:24:10 Pacific
Subject: remove fake windows security adware
Reply: (edit)

Okay here is the Smitfraudfix report:

SmitFraudFix v2.231

Scan done at 22:20:51.01, Thu 09/27/2007
Run from C:\Documents and Settings\Blain\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\psimsvc.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\panda software\panda internet security 2007\WebProxy.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Rogers\SelfHealing\rogersagent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
c:\program files\panda software\panda internet security 2007\WebProxy.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ace16win.dll FOUND !
C:\WINDOWS\system32\msole32.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Blain


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Blain\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Blain\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1
DNS Server Search Order: 64.71.255.198

HKLM\SYSTEM\CCS\Services\Tcpip\..\{305A5F9A-82C2-408C-A28E-D6E28DC26A5D}: DhcpNameServer=192.168.2.1 64.71.255.198
HKLM\SYSTEM\CS1\Services\Tcpip\..\{305A5F9A-82C2-408C-A28E-D6E28DC26A5D}: DhcpNameServer=192.168.2.1 64.71.255.198
HKLM\SYSTEM\CS3\Services\Tcpip\..\{305A5F9A-82C2-408C-A28E-D6E28DC26A5D}: DhcpNameServer=192.168.2.1 64.71.255.198
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 64.71.255.198
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 64.71.255.198
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 64.71.255.198


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

And the HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:15 PM, on 9/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\psimsvc.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\panda software\panda internet security 2007\WebProxy.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Rogers\SelfHealing\rogersagent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
c:\program files\panda software\panda internet security 2007\WebProxy.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Blain\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thestar.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hispeed.rogers.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: qiawpbjj.msdn_hlp - {026B5895-3E8E-49A9-8EEE-B52A326DA962} - C:\WINDOWS\system32\qiawpbjj.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {EF3446E8-FC32-4E55-9C56-0B8DA015FC10} - C:\WINDOWS\system32\GE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RogersAgent] c:\Program Files\Rogers\SelfHealing\rogersagent.exe
O4 - HKUS\S-1-5-21-3604470327-1877642100-1499398264-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Joyce')
O4 - HKUS\S-1-5-21-3604470327-1877642100-1499398264-1006\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'Joyce')
O4 - HKUS\S-1-5-21-3604470327-1877642100-1499398264-1006\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Joyce')
O4 - HKUS\S-1-5-21-3604470327-1877642100-1499398264-1006\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User 'Joyce')
O4 - HKUS\S-1-5-21-3604470327-1877642100-1499398264-1006\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'Joyce')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://cjgo.no-ip.com/cab/OCXChecke...
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://blacks.pnimedia.com/upload/a...
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\psimsvc.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe

--
End of file - 13917 bytes

Looking forward to your response.
Gummowski


Report Offensive Follow Up For Removal

Response Number 3
Name: jabuck
Date: September 27, 2007 at 19:29:32 Pacific
Subject: remove fake windows security adware
Reply: (edit)

Download "HostXpert" from this link HostXpert to your desktop.
Open up the HostsXpert program.

Make sure that the "make hosts writable?" button in the upper right corner is enabled.
Click back up Host files.
Then click Restore orginal host files.
Close the program.

Please download ComboFix to the desktop from this link:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

Please post the log it produces.


Report Offensive Follow Up For Removal

Response Number 4
Name: gummowski
Date: September 27, 2007 at 20:20:05 Pacific
Subject: remove fake windows security adware
Reply: (edit)

ComboFix 07-09-21.2 - "Blain" 2007-09-27 22:59:30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.118 [GMT -4:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin2.zip
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.
((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-28 )))))))))))))))))))))))))))))))
.

2007-09-27 23:03 <DIR> d-------- C:\Program Files\p2pnetworks
2007-09-27 23:03 <DIR> d-------- C:\Program Files\e-zshopper
2007-09-27 23:03 <DIR> d-------- C:\Program Files\amsys
2007-09-27 23:03 <DIR> d-------- C:\Program Files\akl
2007-09-27 23:03 <DIR> d-------- C:\Program Files\Accoona
2007-09-27 23:03 <DIR> d-------- C:\Program Files\3721
2007-09-27 22:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-27 22:21 3,152 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-27 22:19 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-27 22:19 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-27 22:19 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-27 22:19 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-22 23:31 <DIR> d-------- C:\Program Files\Windows Defender
2007-09-22 23:04 <DIR> d-------- C:\!KillBox
2007-09-22 17:19 22,528 --a------ C:\WINDOWS\system32\ace16win.dll
2007-09-22 14:07 0 --a------ C:\WINDOWS\system32\drivers\wnmsav.dat
2007-09-22 13:57 71,552 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2007-09-22 13:56 9,216 --a------ C:\WINDOWS\system32\drivers\fnetmon.sys
2007-09-22 13:56 44,544 --a------ C:\WINDOWS\system32\drivers\APPFLT.SYS
2007-09-22 13:56 36,864 --a------ C:\WINDOWS\system32\drivers\dsaflt.sys
2007-09-22 13:56 23,296 --a------ C:\WINDOWS\system32\drivers\smsflt.sys
2007-09-22 13:56 229,084 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT
2007-09-22 13:56 185,472 --a------ C:\WINDOWS\system32\drivers\idsflt.sys
2007-09-22 13:56 16,256 --a------ C:\WINDOWS\system32\drivers\wnmflt.sys
2007-09-22 13:53 <DIR> d-------- C:\Program Files\Panda Software
2007-09-22 13:52 26,752 --a------ C:\WINDOWS\system32\drivers\ShldDrv.sys
2007-09-22 13:52 165,120 --a------ C:\WINDOWS\system32\drivers\PavProc.sys
2007-09-22 13:47 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-09-22 12:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-20 21:13 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-09-20 20:45 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-09-20 20:25 21,504 --a------ C:\WINDOWS\system32\qiawpbjj.dll
2007-09-20 20:25 12 --a------ C:\WINDOWS\system32\gtv_sd.bin
2007-09-19 19:47 89,088 --a------ C:\WINDOWS\system32\rtnka.dll
2007-09-19 19:47 1,592,320 --a------ C:\WINDOWS\system32\rtnka.dat
2007-09-18 16:52 492,544 --a------ C:\WINDOWS\system32\HtBt.dll
2007-09-17 20:14 541,696 --a------ C:\WINDOWS\system32\GE.dll
2007-09-17 20:14 <DIR> d-------- C:\Program Files\SoftPortal
2007-09-17 19:00 76,800 --a------ C:\WINDOWS\system32\unrar.dll
2007-09-17 19:00 1,590,784 --a------ C:\WINDOWS\system32\SoUI.dll
2007-09-14 10:24 1,659,017 --a------ C:\WINDOWS\system32\1074.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-27 23:12 1132 --a------ C:\WINDOWS\system32\drivers\APPFLTR.CFG
2007-09-27 23:03 9984 --a------ C:\WINDOWS\764.exe
2007-09-27 23:03 9216 --a------ C:\WINDOWS\xadbrk_.exe
2007-09-27 23:03 8448 --a------ C:\WINDOWS\liqad$.exe
2007-09-27 23:03 32256 --a------ C:\WINDOWS\pbsysie.dll
2007-09-27 23:03 31232 --a------ C:\WINDOWS\kkcomp.dll
2007-09-27 23:03 30720 --a------ C:\WINDOWS\fhfmm.exe
2007-09-27 23:03 30464 --a------ C:\WINDOWS\spredirect.dll
2007-09-27 23:03 30208 --a------ C:\WINDOWS\aconti.exe
2007-09-27 23:03 29696 --a------ C:\WINDOWS\kkcomp.exe
2007-09-27 23:03 28928 --a------ C:\WINDOWS\dp0.dll
2007-09-27 23:03 28928 --a------ C:\WINDOWS\cbinst$.exe
2007-09-27 23:03 28672 --a------ C:\WINDOWS\liqui.exe
2007-09-27 23:03 28416 --a------ C:\WINDOWS\wml.exe
2007-09-27 23:03 27648 --a------ C:\WINDOWS\ngd.dll
2007-09-27 23:03 27648 --a------ C:\WINDOWS\7search.dll
2007-09-27 23:03 27392 --a------ C:\WINDOWS\jd2002.dll
2007-09-27 23:03 26880 --a------ C:\WINDOWS\xadbrk.dll
2007-09-27 23:03 26368 --a------ C:\WINDOWS\hotporn.exe
2007-09-27 23:03 25600 --a------ C:\WINDOWS\xadbrk.exe
2007-09-27 23:03 24832 --a------ C:\WINDOWS\wbeInst$.exe
2007-09-27 23:03 22528 --a------ C:\WINDOWS\liqui.dll
2007-09-27 23:03 20736 --a------ C:\WINDOWS\wbeCheck.exe
2007-09-27 23:03 20736 --a------ C:\WINDOWS\adbar.dll
2007-09-27 23:03 20480 --a------ C:\WINDOWS\ie_32.exe
2007-09-27 23:03 20480 --a------ C:\WINDOWS\daxtime.dll
2007-09-27 23:03 19968 --a------ C:\WINDOWS\settn.dll
2007-09-27 23:03 19456 --a------ C:\WINDOWS\xxxvideo.exe
2007-09-27 23:03 19200 --a------ C:\WINDOWS\liqad.exe
2007-09-27 23:03 17664 --a------ C:\WINDOWS\kvnab.exe
2007-09-27 23:03 17408 --a------ C:\WINDOWS\iexplorr23.dll
2007-09-27 23:03 17152 --a------ C:\WINDOWS\eventlowg.dll
2007-09-27 23:03 15104 --a------ C:\WINDOWS\liqad.dll
2007-09-27 23:03 13312 --a------ C:\WINDOWS\kkcomp$.exe
2007-09-27 23:03 13056 --a------ C:\WINDOWS\kvnab$.exe
2007-09-27 23:03 12544 --a------ C:\WINDOWS\liqui-Uninstaller.exe
2007-09-27 23:03 12288 --a------ C:\WINDOWS\flt.dll
2007-09-27 23:03 12032 --a------ C:\WINDOWS\fhfmm-Uninstaller.exe
2007-09-27 23:03 11776 --a------ C:\WINDOWS\kvnab.dll
2007-09-27 23:03 11520 --a------ C:\WINDOWS\vxddsk.exe
2007-09-27 23:03 11008 --a------ C:\WINDOWS\hcwprn.exe
2007-09-27 23:03 10240 --a------ C:\WINDOWS\pbar.dll
2007-09-26 1rogram Files\QuickTime
2007-09-26 1rogram Files\Microsoft ActiveSync
2007-09-26 1rogram Files\iTunes
2007-09-24 2OCUME~1\Blain\APPLIC~1\uTorrent
2007-09-24 1rogram Files\Google
2007-09-23 1rogram Files\uTorrent
2007-09-22 1rogram Files\Punk O Rama IV
2007-09-22 1rogram Files\InstallShield Installation Information
2007-09-22 1rogram Files\Symantec
2007-09-22 1rogram Files\Common Files\Symantec Shared
2007-09-22 1OCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-09-20 20:24 841 --a------ C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
2007-09-20 20:24 811 --a------ C:\WINDOWS\system32\drivers\download_btn.gif
2007-09-20 20:24 746 --a------ C:\WINDOWS\system32\drivers\buy_btn.gif
2007-09-20 20:24 737 --a------ C:\WINDOWS\system32\drivers\logo_bg.gif
2007-09-20 20:24 580 --a------ C:\WINDOWS\system32\drivers\features.gif
2007-09-20 20:24 579 --a------ C:\WINDOWS\system32\drivers\spy_away_header_small.gif
2007-09-20 20:24 567 --a------ C:\WINDOWS\system32\drivers\users_rating.gif
2007-09-20 20:24 5097 --a------ C:\WINDOWS\system32\drivers\spy_away_box_small.jpg
2007-09-20 20:24 4557 --a------ C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
2007-09-20 20:24 427 --a------ C:\WINDOWS\system32\drivers\4_stars.gif
2007-09-20 20:24 365 --a------ C:\WINDOWS\system32\drivers\5_stars.gif
2007-09-20 20:24 1804 --a------ C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
2007-09-20 20:24 14484 --a------ C:\WINDOWS\system32\drivers\protect.gif
2007-09-20 20:24 1139 --a------ C:\WINDOWS\system32\drivers\spy_away_header.gif
2007-09-20 20:24 1009 --a------ C:\WINDOWS\system32\drivers\arrow.gif
2007-09-18 2rogram Files\Rainbow
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{026B5895-3E8E-49A9-8EEE-B52A326DA962}]
2007-09-20 20:25 21504 --a------ C:\WINDOWS\system32\qiawpbjj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF3446E8-FC32-4E55-9C56-0B8DA015FC10}]
2007-09-24 23:00 541696 --a------ C:\WINDOWS\system32\GE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2002-10-23 10:15]
"SoundMan"="SOUNDMAN.EXE" [2003-04-24 16:53 C:\WINDOWS\SOUNDMAN.EXE]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-10-15 23:18]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-10-15 23:05]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 06:50]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 07:32]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 17:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-20 20:56]
"APVXDWIN"="C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.exe" [2006-10-11 12:09]
"SCANINICIO"="C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe" [2006-02-01 18:13]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 12:00]
"RHSI SHS"="C:\Program Files\Rogers\SelfHealing\SHS.exe" [2007-04-25 10:46]
"Update Manager"="C:\Program Files\Rogers\Update Manager\UpdateManager.exe" [2007-04-25 10:46]
"SHS"="C:\Program Files\Rogers\SelfHealing\SHS.exe" [2007-04-25 10:46]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 19:44]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-07 10:58]
"RogersAgent"="c:\Program Files\Rogers\SelfHealing\rogersagent.exe" [2007-04-23 16:51]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Picture Package Menu.lnk - C:\Program Files\Sony\Picture Package\Picture Package Menu\SonyTray.exe [2004-12-31 21:44:00]
Picture Package VCD Maker.lnk - C:\Program Files\Sony\Picture Package\Picture Package Applications\Residence.exe [2004-12-31 21:43:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2005-09-27 12:13 45056 C:\WINDOWS\system32\avldr.dll

R0 netflt;Panda Net Driver [NDIS Layer];C:\WINDOWS\system32\drivers\netflt.sys
R1 APPFLT;App Filter Plugin;\??\C:\WINDOWS\system32\Drivers\APPFLT.SYS
R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\system32\drivers\cdrbsvsd.sys
R1 DSAFLT;DSA Filter Plugin;\??\C:\WINDOWS\system32\Drivers\DSAFLT.SYS
R1 FNETMON;NetMon Filter Plugin;\??\C:\WINDOWS\system32\Drivers\fnetmon.SYS
R1 IDSFLT;Ids Filter Plugin;\??\C:\WINDOWS\system32\Drivers\IDSFLT.SYS
R1 NETFLTDI;Panda Net Driver [TDI Layer];\??\C:\WINDOWS\system32\Drivers\NETFLTDI.SYS
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\drivers\ShldDrv.sys
R1 SMSFLT;SMS Filter Plugin;\??\C:\WINDOWS\system32\Drivers\SMSFLT.SYS
R1 WNMFLT;Wifi Monitor Filter Plugin;\??\C:\WINDOWS\system32\Drivers\WNMFLT.SYS
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\drivers\cpoint.sys
R2 PAVDRV;pavdrv;C:\WINDOWS\system32\DRIVERS\pavdrv51.sys
R2 PavProc;Panda Process Protection Driver;\??\C:\WINDOWS\system32\DRIVERS\PavProc.sys
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
R3 PavSRK.sys;PavSRK.sys;\??\C:\WINDOWS\system32\PavSRK.sys
R3 PavTPK.sys;PavTPK.sys;\??\C:\WINDOWS\system32\PavTPK.sys
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3cc2b7c3-b491-11db-9995-000cf1edc90b}]
AutoRun\command- E:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-28 03:11:59 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-09-28 03:00:21 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-27 23:10:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-27 23:16:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-27 23:16
.
--- E O F ---


Report Offensive Follow Up For Removal

Response Number 5
Name: jabuck
Date: September 27, 2007 at 21:17:01 Pacific
Subject: remove fake windows security adware
Reply: (edit)

Go to start>control panel.add/remove programs and uninstall thi sprogram

uTorrent

Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin2.zip
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks\amp2pl.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\drivers\wnmsav.dat
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\qiawpbjj.dll
C:\WINDOWS\system32\rtnka.dll
C:\WINDOWS\system32\rtnka.dat
C:\WINDOWS\system32\HtBt.dll
C:\WINDOWS\system32\GE.dll
C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
C:\WINDOWS\system32\drivers\download_btn.gif
C:\WINDOWS\system32\drivers\buy_btn.gif
C:\WINDOWS\system32\drivers\logo_bg.gif
C:\WINDOWS\system32\drivers\features.gif
C:\WINDOWS\system32\drivers\spy_away_header_small.gif
C:\WINDOWS\system32\drivers\users_rating.gif
C:\WINDOWS\system32\drivers\spy_away_box_small.jpg
C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
C:\WINDOWS\system32\drivers\4_stars.gif
C:\WINDOWS\system32\drivers\5_stars.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
C:\WINDOWS\system32\drivers\protect.gif
C:\WINDOWS\system32\drivers\spy_away_header.gif
C:\WINDOWS\system32\drivers\arrow.gif
Folder::
C:\Program Files\3721
C:\Program Files\Accoona
C:\Program Files\akl
C:\Program Files\amsys
C:\Program Files\e-zshopper
C:\Program Files\p2pnetworks
C:\WINDOWS\system32\acespy
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{026B5895-3E8E-49A9-8EEE-B52A326DA962}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF3446E8-FC32-4E55-9C56-0B8DA015FC10}]


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".

Post a new Hijack This log and a new Combofix log please.


Report Offensive Follow Up For Removal


Response Number 6
Name: gummowski
Date: September 28, 2007 at 20:45:55 Pacific
Subject: remove fake windows security adware
Reply: (edit)

Before we proceed, is this going to fix the problems for other users of this computer? Anyway, here are the new log files:

ComboFix 07-09-21.2 - "Blain" 2007-09-28 23:20:06.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.226 [GMT -4:00]
* Created a new restore point

FILE::
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin2.zip
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks\amp2pl.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\drivers\wnmsav.dat
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\qiawpbjj.dll
C:\WINDOWS\system32\rtnka.dll
C:\WINDOWS\system32\rtnka.dat
C:\WINDOWS\system32\HtBt.dll
C:\WINDOWS\system32\GE.dll
C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
C:\WINDOWS\system32\drivers\download_btn.gif
C:\WINDOWS\system32\drivers\buy_btn.gif
C:\WINDOWS\system32\drivers\logo_bg.gif
C:\WINDOWS\system32\drivers\features.gif
C:\WINDOWS\system32\drivers\spy_away_header_small.gif
C:\WINDOWS\system32\drivers\users_rating.gif
C:\WINDOWS\system32\drivers\spy_away_box_small.jpg
C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
C:\WINDOWS\system32\drivers\4_stars.gif
C:\WINDOWS\system32\drivers\5_stars.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
C:\WINDOWS\system32\drivers\protect.gif
C:\WINDOWS\system32\drivers\spy_away_header.gif
C:\WINDOWS\system32\drivers\arrow.gif
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\drivers\4_stars.gif
C:\WINDOWS\system32\drivers\5_stars.gif
C:\WINDOWS\system32\drivers\arrow.gif
C:\WINDOWS\system32\drivers\buy_btn.gif
C:\WINDOWS\system32\drivers\download_btn.gif
C:\WINDOWS\system32\drivers\features.gif
C:\WINDOWS\system32\drivers\logo_bg.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
C:\WINDOWS\system32\drivers\protect.gif
C:\WINDOWS\system32\drivers\spy_away_box_small.jpg
C:\WINDOWS\system32\drivers\spy_away_header.gif
C:\WINDOWS\system32\drivers\spy_away_header_small.gif
C:\WINDOWS\system32\drivers\users_rating.gif
C:\WINDOWS\system32\drivers\wnmsav.dat
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\GE.dll
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\HtBt.dll
C:\WINDOWS\system32\qiawpbjj.dll
C:\WINDOWS\system32\rtnka.dat
C:\WINDOWS\system32\rtnka.dll
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.
((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-29 )))))))))))))))))))))))))))))))
.

2007-09-27 22:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-27 22:21 3,152 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-27 22:19 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-27 22:19 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-27 22:19 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-27 22:19 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-22 23:31 <DIR> d-------- C:\Program Files\Windows Defender
2007-09-22 23:04 <DIR> d-------- C:\!KillBox
2007-09-22 13:57 71,552 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2007-09-22 13:56 9,216 --a------ C:\WINDOWS\system32\drivers\fnetmon.sys
2007-09-22 13:56 44,544 --a------ C:\WINDOWS\system32\drivers\APPFLT.SYS
2007-09-22 13:56 36,864 --a------ C:\WINDOWS\system32\drivers\dsaflt.sys
2007-09-22 13:56 237,772 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT
2007-09-22 13:56 23,296 --a------ C:\WINDOWS\system32\drivers\smsflt.sys
2007-09-22 13:56 185,472 --a------ C:\WINDOWS\system32\drivers\idsflt.sys
2007-09-22 13:56 16,256 --a------ C:\WINDOWS\system32\drivers\wnmflt.sys
2007-09-22 13:53 <DIR> d-------- C:\Program Files\Panda Software
2007-09-22 13:52 26,752 --a------ C:\WINDOWS\system32\drivers\ShldDrv.sys
2007-09-22 13:52 165,120 --a------ C:\WINDOWS\system32\drivers\PavProc.sys
2007-09-22 13:47 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-09-22 12:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-17 20:14 <DIR> d-------- C:\Program Files\SoftPortal
2007-09-17 19:00 76,800 --a------ C:\WINDOWS\system32\unrar.dll
2007-09-17 19:00 1,590,784 --a------ C:\WINDOWS\system32\SoUI.dll
2007-09-14 10:24 1,659,017 --a------ C:\WINDOWS\system32\1074.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-28 23:34 1132 --a------ C:\WINDOWS\system32\drivers\APPFLTR.CFG
2007-09-26 1rogram Files\QuickTime
2007-09-26 1rogram Files\Microsoft ActiveSync
2007-09-26 1rogram Files\iTunes
2007-09-24 2OCUME~1\Blain\APPLIC~1\uTorrent
2007-09-24 1rogram Files\Google
2007-09-22 1rogram Files\Punk O Rama IV
2007-09-22 1rogram Files\InstallShield Installation Information
2007-09-22 1rogram Files\Symantec
2007-09-22 1rogram Files\Common Files\Symantec Shared
2007-09-22 1OCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-09-18 2rogram Files\Rainbow
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2002-10-23 10:15]
"SoundMan"="SOUNDMAN.EXE" [2003-04-24 16:53 C:\WINDOWS\SOUNDMAN.EXE]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-10-15 23:18]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-10-15 23:05]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 06:50]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 07:32]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 17:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-20 20:56]
"APVXDWIN"="C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.exe" [2006-10-11 12:09]
"SCANINICIO"="C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe" [2006-02-01 18:13]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 12:00]
"RHSI SHS"="C:\Program Files\Rogers\SelfHealing\SHS.exe" [2007-04-25 10:46]
"Update Manager"="C:\Program Files\Rogers\Update Manager\UpdateManager.exe" [2007-04-25 10:46]
"SHS"="C:\Program Files\Rogers\SelfHealing\SHS.exe" [2007-04-25 10:46]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 19:44]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-07 10:58]
"RogersAgent"="c:\Program Files\Rogers\SelfHealing\rogersagent.exe" [2007-04-23 16:51]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Picture Package Menu.lnk - C:\Program Files\Sony\Picture Package\Picture Package Menu\SonyTray.exe [2004-12-31 21:44:00]
Picture Package VCD Maker.lnk - C:\Program Files\Sony\Picture Package\Picture Package Applications\Residence.exe [2004-12-31 21:43:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2005-09-27 12:13 45056 C:\WINDOWS\system32\avldr.dll

R0 netflt;Panda Net Driver [NDIS Layer];C:\WINDOWS\system32\drivers\netflt.sys
R1 APPFLT;App Filter Plugin;\??\C:\WINDOWS\system32\Drivers\APPFLT.SYS
R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\system32\drivers\cdrbsvsd.sys
R1 DSAFLT;DSA Filter Plugin;\??\C:\WINDOWS\system32\Drivers\DSAFLT.SYS
R1 FNETMON;NetMon Filter Plugin;\??\C:\WINDOWS\system32\Drivers\fnetmon.SYS
R1 IDSFLT;Ids Filter Plugin;\??\C:\WINDOWS\system32\Drivers\IDSFLT.SYS
R1 NETFLTDI;Panda Net Driver [TDI Layer];\??\C:\WINDOWS\system32\Drivers\NETFLTDI.SYS
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\drivers\ShldDrv.sys
R1 SMSFLT;SMS Filter Plugin;\??\C:\WINDOWS\system32\Drivers\SMSFLT.SYS
R1 WNMFLT;Wifi Monitor Filter Plugin;\??\C:\WINDOWS\system32\Drivers\WNMFLT.SYS
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\drivers\cpoint.sys
R2 PAVDRV;pavdrv;C:\WINDOWS\system32\DRIVERS\pavdrv51.sys
R2 PavProc;Panda Process Protection Driver;\??\C:\WINDOWS\system32\DRIVERS\PavProc.sys
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
R3 PavSRK.sys;PavSRK.sys;\??\C:\WINDOWS\system32\PavSRK.sys
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys
S3 PavTPK.sys;PavTPK.sys;\??\C:\WINDOWS\system32\PavTPK.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3cc2b7c3-b491-11db-9995-000cf1edc90b}]
AutoRun\command- E:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-29 03:35:09 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
"2007-09-29 03:00:38 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-28 23:33:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-28 23:39:03 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-28 23:38
C:\ComboFix2.txt ... 2007-09-27 23:16
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:29 PM, on 9/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\psimsvc.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\apvxdwin.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Rogers\SelfHealing\rogersagent.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony\Picture Package\Picture Package Applications\Residence.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\Upgrader.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Blain\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thestar.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hispeed.rogers.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RogersAgent] c:\Program Files\Rogers\SelfHealing\rogersagent.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://cjgo.no-ip.com/cab/OCXChecke...
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://blacks.pnimedia.com/upload/a...
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\psimsvc.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe

--
End of file - 11356 bytes


Report Offensive Follow Up For Removal

Response Number 7
Name: jabuck
Date: September 29, 2007 at 07:02:08 Pacific
Subject: remove fake windows security adware
Reply: (edit)

Go to start> control panel> add/remove programs and uninstall this program if found

Party Poker

Run Hijack This from, close all windows except Hijack This, place a check to the left of the following items and press "fix checked":

O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe


Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Run ATF-Cleaner from safe mode.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

You should consider adding "Spywareblaster" to your arsenol of antispyware tools, just do a google search for spywareblaster, download it,install it, and update it. Its free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

How is the computer operating?


Report Offensive Follow Up For Removal

Response Number 8
Name: drunkin
Date: September 30, 2007 at 15:09:14 Pacific
Subject: remove fake windows security adware
Reply: (edit)

i have the same problem i have followed the steps u gave the other guy and i need to know what to ill repost with all the logs


Report Offensive Follow Up For Removal

Response Number 9
Name: jabuck
Date: September 30, 2007 at 15:15:12 Pacific
Subject: remove fake windows security adware
Reply: (edit)

drunkin, the removal instructions will differ from each computer.

Please start a new thread, post only your problem, do not post any logs untill you are ask to do so.


Report Offensive Follow Up For Removal

Response Number 10
Name: drunkin
Date: September 30, 2007 at 15:21:40 Pacific
Subject: remove fake windows security adware
Reply: (edit)

SmitFraudFix v2.234

Scan done at 14:14:59.59, Sun 09/30/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ace16win.dll FOUND !
C:\WINDOWS\system32\msole32.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

C:\DOCUME~1\Owner\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{e2b8cea1-c8a7-48e2-b2fd-89ae5c608fb8}"="disenfranchising"

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Atheros AR5005G Wireless Network Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1
DNS Server Search Order: 205.171.3.65

HKLM\SYSTEM\CCS\Services\Tcpip\..\{B13D60D6-5F29-4587-9936-32C4B8FF095C}: DhcpNameServer=68.2.16.30 68.2.16.25 68.6.16.30
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EB437EBA-1451-4D6A-976B-F7C978684DC9}: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B13D60D6-5F29-4587-9936-32C4B8FF095C}: DhcpNameServer=68.2.16.30 68.2.16.25 68.6.16.30
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EB437EBA-1451-4D6A-976B-F7C978684DC9}: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B13D60D6-5F29-4587-9936-32C4B8FF095C}: DhcpNameServer=68.2.16.30 68.2.16.25 68.6.16.30
HKLM\SYSTEM\CS3\Services\Tcpip\..\{EB437EBA-1451-4D6A-976B-F7C978684DC9}: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:17:14 PM, on 9/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {1C3C4699-B285-475F-BE47-0B26088CE876} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {971D5B7B-F7DF-43ee-B771-6B7FA09975C3} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {F06E2ABE-3A50-4079-BE25-FC100D9EAA25} - (no file)
O3 - Toolbar: VSPopUp - {C89657E6-D083-4EA3-81D2-D7AD3D0ED490} - C:\WINDOWS\system32\vsPop.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no...
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/re...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1....
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8565 bytes


Report Offensive Follow Up For Removal

Response Number 11
Name: jabuck
Date: September 30, 2007 at 15:45:14 Pacific
Subject: remove fake windows security adware
Reply: (edit)

To start a thread just click "security and virus" on the right side of the page. Scroll down to the bottom of the page and fill out the form (I would not enter my email address) then type/paste your problem into the comments box click "submit follow up" (bottom of page) it to check for errors then click "confirm post".

Do not post any logs untill you are requested to do so, just state the problem.


Report Offensive Follow Up For Removal






Use following form to reply to current message: 

   Name: From My Computing.Net Settings
 E-Mail: From My Computing.Net Settings

Subject: remove fake windows security adware

Comments:
         

 


  Homepage URL (*): 
Homepage Title (*): 
         Image URL:
 
Data Recovery Software



Where is the OS version file in XP?

Mail merge lists

all fonts are gone

Xp only boots with ext. drive in

Problem with my IP address?

All Posts Awaiting Replies