eps813

Multiple fake antivirus pop-ups

Gotta love work employees. I am the computer administrator for my company. This computer is experiencing multiple fake pop-up ads for antivirus software. They will bring the computer to an extremely low operating speed. Also, these pop-ups are experienced even when not connected to the internet. They are the typical ones: Windows Antivirus 2008 and two others (names unknown). Also getting the system infection notices as well as taskbar notifications. I have included my HijackThis log and also a Malwarebytes log.

Matt

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:24:06 PM, on 2/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\All Users\Application Data\fchihchi\xqvgbcvq.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\lphcctdj0e557.exe
C:\Program Files\SecureExpertCleaner\Reminder.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\video95.cfg.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\qip\QuickInstallPack.exe
C:\WINDOWS\system32\pphcctdj0e557.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\c.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\M3wvbE06.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: iercptbho - {D4CDC21D-43BE-4101-A1EF-E379F134771E} - C:\Documents and Settings\Owner\Local Settings\Application Data\qip\iercpt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\SAV\sav.exe
O4 - HKLM\..\Run: [lphcctdj0e557] C:\WINDOWS\system32\lphcctdj0e557.exe
O4 - HKLM\..\Run: [SMrhc9tdj0e557] C:\Program Files\rhc9tdj0e557\rhc9tdj0e557.exe
O4 - HKLM\..\Run: [SecureExpertCleaner] C:\Program Files\SecureExpertCleaner\sec.exe
O4 - HKLM\..\Run: [Reminder] C:\Program Files\SecureExpertCleaner\Reminder.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Somefox] C:\DOCUME~1\Owner\LOCALS~1\Temp\video95.cfg.exe
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\SAV\sav.exe
O4 - HKCU\..\Run: [DscShDb] C:\WINDOWS\system32\ktmbetip.exe
O4 - HKCU\..\Run: [QuickInstallPack] "C:\Documents and Settings\Owner\Local Settings\Application Data\qip\QuickInstallPack.exe" /autorun
O4 - HKLM\..\Policies\Explorer\Run: [WGmJjd1P3X] C:\Documents and Settings\All Users\Application Data\fchihchi\xqvgbcvq.exe
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174378422906
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 6043 bytes

Malwarebytes' Anti-Malware 1.17
Database version: 846

2:14:11 PM 2/17/2009
mbam-log-2-17-2009 (14-14-11).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 108571
Time elapsed: 22 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 36
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 45
Files Infected: 138

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\alot\bin\alot.dll (Adware.BHO) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0b682cc1-fb40-4006-a5dd-99edd3c9095d} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{54645654-2225-4455-44a1-9f4543d34545} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5c7f15e1-f31a-44fd-aa1a-2ec63aaffd3a} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\alot (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\alotToolbar (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\dpcproxy (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\uninstall (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Classes\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Invictus (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Golden Palace Casino PT (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\mslagent (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Program Files\akl (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Inet Delivery (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\alot (Adware.BHO) -> Delete on reboot.
C:\Program Files\alot\bin (Adware.BHO) -> Delete on reboot.
C:\Documents and Settings\Owner\Application Data\alot (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_0 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_1 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_10 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_11 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_2 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_3 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_4 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_5 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_6 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_7 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_8 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_9 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\configurator (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\products (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\TimerManager (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\ToolbarSearch (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Updater (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_0 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_1 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_2 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_3 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_4 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_5 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_6 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_7 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_8 (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Shared (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_0\images (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_1\images (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_2\images (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_3\images (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_4\images (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_5\images (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_6\images (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_7\images (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_8\images (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Shared\images (Adware.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\alot\bin\alot.dll (Adware.BHO) -> Delete on reboot.
C:\WINDOWS\mslagent\2_mslagent.dll (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\mslagent.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\uninstall.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Program Files\akl\akl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl\akl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl\uninstall.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl\unsetup.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Inet Delivery\inetdl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Inet Delivery\intdel.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\alot\alotUninst.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\toolbar.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_0\Button_0.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_0\Button_0.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_1\Button_1.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_1\Button_1.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_10\Button_10.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_10\Button_10.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_11\Button_11.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_11\Button_11.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_2\Button_2.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_2\Button_2.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_3\Button_3.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_3\Button_3.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_4\Button_4.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_4\Button_4.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_5\Button_5.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_5\Button_5.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_6\Button_6.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_6\Button_6.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_7\Button_7.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_7\Button_7.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_8\Button_8.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_8\Button_8.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_9\Button_9.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Button_9\Button_9.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\configurator\configurator.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\configurator\configurator.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\products\products.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\products\products.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_0\images\alot_icon_35x16.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_1\images\alot_search_24x16.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_2\images\default_285_alot_celeb_search.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_3\images\alert-icon.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_3\images\cloudy.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_3\images\default_281_alot_weather_widget.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_3\images\mcloud.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_3\images\nclear.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_3\images\ncloudy.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_3\images\nmcloud.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_3\images\npcloud.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_3\images\pcloud.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_4\images\active_default_345_alot_celeb_news.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_4\images\default_345_alot_celeb_news.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_5\images\default_287_alot_celeb_center.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_6\images\default_288_alot_mrkt_camera.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_7\images\default_442_toolbar_alot_icon_rd_com.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Button_8\images\default_450_default_288_alot_mrkt_bang.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Shared\domains.dat (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Shared\images\alot_brand.png (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Shared\images\spinner.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Shared\images\widget_bottom.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Shared\images\widget_btnmin0.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Shared\images\widget_btnmin1.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Shared\images\widget_caption.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Shared\images\widget_error_close.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\TimerManager\TimerManager.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\TimerManager\TimerManager.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\ToolbarSearch\ToolbarSearch.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Updater\Updater.xml (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\alot\Updater\Updater.xml.backup (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sav.cpl (Rogue.SystemAntivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\a.bat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\base64.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\FVProtect.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\userconfig9x.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winsystem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip1.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip2.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip3.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zipped.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\iTunesMusic.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\akttzn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\anticipator.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtoolb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bsva-egihsg52.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dpcproxy.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\emesx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\h@tkeysh@@k.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hoproxy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hxiwlgpm.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hxiwlgpm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\medup012.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\medup020.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msgp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msnbho.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mtr2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mwin32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\netode.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\newsd32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ps1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\psof1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\psoft1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\regc64.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\regm64.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Rundl1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sncntr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssurf022.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssvchost.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysreq.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\taack.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\taack.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\temp#01.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\thun.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\thun32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\VBIEWER.OCX (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vbsys2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vcatchpi.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winlogonpc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winsystem.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WINWGPX.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

0 Kudos
23 Replies
bamajim
5 Rhenium

Re: Multiple fake antivirus pop ups


eps813

1. Go HERE and download File Lister.
    Save it to your Desktop
    Rt Click ->> Extract all ->> And extract it to your Desktop
    Additional help on extracting zip files can be found HERE
    Open the File Lister Folder.
    Rt Click FileLister.vbe ->>Select Open Then Open to confirm.
    As the program runs, it will appear that nothing is happening.
    When the program is finished it will produce a log for you C:\Files.txt

Copy and paste the contents of that log in your reply.

Consumer Security 2008- 2010

 

0 Kudos
eps813
1 Nickel

Re: Multiple fake antivirus pop ups


+++++++++++++++++++++++++++++++++
+ File Lister  Version 1.0.5
+
+  By bamajim / bamajim.com
+++++++++++++++++++++++++++++++++

Report ran on --->>>  2/19/2009 9:33:47 AM


====== Running Processes ======

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\All Users\Application Data\fchihchi\xqvgbcvq.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\lphcctdj0e557.exe
C:\Program Files\SecureExpertCleaner\Reminder.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\video95.cfg.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\qip\QuickInstallPack.exe
C:\WINDOWS\system32\pphcctdj0e557.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\e.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\WScript.exe

====== BHO's under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects ======

BHO: (NO NAME) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

BHO: (NO NAME) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll

BHO: XML module - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

BHO: iercptbho - {D4CDC21D-43BE-4101-A1EF-E379F134771E} - C:\Documents and Settings\Owner\Local Settings\Application Data\qip\iercpt.dll

====== Values under HKLM\~\Run ======

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /installquiet /keeploaded /nodetect"
"mmtask"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PrinTray"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe\""
"Antivirus"="C:\\Program Files\\SAV\\sav.exe"
"lphcctdj0e557"="C:\\WINDOWS\\system32\\lphcctdj0e557.exe"
"SMrhc9tdj0e557"="C:\\Program Files\\rhc9tdj0e557\\rhc9tdj0e557.exe"
"SecureExpertCleaner"="C:\\Program Files\\SecureExpertCleaner\\sec.exe"
"Reminder"="C:\\Program Files\\SecureExpertCleaner\\Reminder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


====== Values under HKCU\~\Run ======

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="rundll32.exe nview.dll,nViewLoadHook"
"Somefox"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\video95.cfg.exe"
"Antivirus"="C:\\Program Files\\SAV\\sav.exe"
"DscShDb"="C:\\WINDOWS\\system32\\ktmbetip.exe"
"QuickInstallPack"="\"C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\qip\\QuickInstallPack.exe\" /autorun"
"Cognac"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\e.exe"


====== Folders and Files from "%\" and "%\Windows" Created Last 60 Days ======

2/19/2009 9:33:47 AM    2197    32    C:\Files.txt
2/17/2009 10:02:05 PM    3890790    C:\WINDOWS\$NtUninstallKB952069_WM9$
2/17/2009 10:02:05 PM    626790    C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst
2/17/2009 10:02:39 PM    2472183    C:\WINDOWS\$NtUninstallKB954211$
2/17/2009 10:02:39 PM    626935    C:\WINDOWS\$NtUninstallKB954211$\spuninst
2/17/2009 10:01:42 PM    873415    C:\WINDOWS\$NtUninstallKB954600$
2/17/2009 10:01:42 PM    626601    C:\WINDOWS\$NtUninstallKB954600$\spuninst
2/17/2009 10:01:29 PM    1731390    C:\WINDOWS\$NtUninstallKB955069$
2/17/2009 10:01:29 PM    626494    C:\WINDOWS\$NtUninstallKB955069$\spuninst
2/17/2009 10:03:26 PM    690614    C:\WINDOWS\$NtUninstallKB955839$
2/17/2009 10:03:26 PM    627638    C:\WINDOWS\$NtUninstallKB955839$\spuninst
2/17/2009 10:01:19 PM    909060    C:\WINDOWS\$NtUninstallKB956802$
2/17/2009 10:01:19 PM    626436    C:\WINDOWS\$NtUninstallKB956802$\spuninst
2/17/2009 10:03:33 PM    765426    C:\WINDOWS\$NtUninstallKB956803$
2/17/2009 10:03:33 PM    627058    C:\WINDOWS\$NtUninstallKB956803$\spuninst
2/17/2009 10:02:26 PM    9020097    C:\WINDOWS\$NtUninstallKB956841$
2/17/2009 10:02:26 PM    630337    C:\WINDOWS\$NtUninstallKB956841$\spuninst
2/17/2009 10:02:01 PM    1080312    C:\WINDOWS\$NtUninstallKB957097$
2/17/2009 10:02:01 PM    627192    C:\WINDOWS\$NtUninstallKB957097$\spuninst
2/17/2009 10:02:57 PM    8920902    C:\WINDOWS\$NtUninstallKB958215$
2/17/2009 10:02:57 PM    640838    C:\WINDOWS\$NtUninstallKB958215$\spuninst
2/17/2009 10:01:36 PM    958861    C:\WINDOWS\$NtUninstallKB958644$
2/17/2009 10:01:36 PM    626573    C:\WINDOWS\$NtUninstallKB958644$\spuninst
2/17/2009 10:01:49 PM    959580    C:\WINDOWS\$NtUninstallKB958687$
2/17/2009 10:01:49 PM    626652    C:\WINDOWS\$NtUninstallKB958687$\spuninst
2/17/2009 10:02:14 PM    3917782    C:\WINDOWS\$NtUninstallKB960714$
2/17/2009 10:02:14 PM    628694    C:\WINDOWS\$NtUninstallKB960714$\spuninst
2/17/2009 10:01:55 PM    735525    C:\WINDOWS\$NtUninstallKB960715$
2/17/2009 10:01:55 PM    624933    C:\WINDOWS\$NtUninstallKB960715$\spuninst
2/8/2100 3:53:34 PM    1437    32    C:\WINDOWS\GtX73.ini
2/17/2009 10:02:04 PM    11404    32    C:\WINDOWS\KB952069.log
2/17/2009 10:02:38 PM    12231    32    C:\WINDOWS\KB954211.log
2/17/2009 10:01:41 PM    10290    32    C:\WINDOWS\KB954600.log
2/17/2009 10:01:28 PM    10078    32    C:\WINDOWS\KB955069.log
2/17/2009 3:39:24 PM    36822    32    C:\WINDOWS\KB955839.log
2/17/2009 3:30:49 PM    15810    32    C:\WINDOWS\KB956802.log
2/17/2009 10:03:31 PM    16897    32    C:\WINDOWS\KB956803.log
2/17/2009 10:02:22 PM    13364    32    C:\WINDOWS\KB956841.log
2/17/2009 10:01:59 PM    10686    32    C:\WINDOWS\KB957097.log
2/17/2009 10:02:45 PM    20540    32    C:\WINDOWS\KB958215.log
2/17/2009 10:01:34 PM    10598    32    C:\WINDOWS\KB958644.log
2/17/2009 10:01:48 PM    10603    32    C:\WINDOWS\KB958687.log
2/17/2009 10:02:12 PM    11785    32    C:\WINDOWS\KB960714.log
2/17/2009 10:01:54 PM    9022    32    C:\WINDOWS\KB960715.log
2/17/2009 10:00:36 PM    315034    32    C:\WINDOWS\msxml4-KB954430-enu.LOG
2/23/2100 2:35:34 PM    768    32    C:\WINDOWS\x73_lut.dat
2/17/2009 3:31:40 PM    0    32    C:\WINDOWS\system32\M3wvbE06.exe.a_a

====== Files under "\Administrator\Startup" Last 60 Days======

 

====== Files under "\All Users\Startup" Last 60 Days======


====== Folders under "\Program Files" Last 60 Days======


====== Files under "\System32\Drivers" Last 60 Days======


====== Files Deleted under "%Temp%" ======

C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt1.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt14.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt17.tmp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt1D.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt2.tmp.vbs
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt23.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt25.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt3.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt5.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\.tt8.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\a.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Acr4C.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\Acr4D.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\Acr52.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\Acr53.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\c.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\dat4.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\e.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\g.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\GLV12.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\h.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\hpotdd000.log
C:\DOCUME~1\Owner\LOCALS~1\Temp\hpotdd002.log
C:\DOCUME~1\Owner\LOCALS~1\Temp\hpotdd013.log
C:\DOCUME~1\Owner\LOCALS~1\Temp\jinstall.cfg
C:\DOCUME~1\Owner\LOCALS~1\Temp\jusched.log
C:\DOCUME~1\Owner\LOCALS~1\Temp\pcf2.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\Set70.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\sJ702kJE.dat
C:\DOCUME~1\Owner\LOCALS~1\Temp\SysInfoWinModuleUninstaller.log
C:\DOCUME~1\Owner\LOCALS~1\Temp\uninst.dll
C:\DOCUME~1\Owner\LOCALS~1\Temp\uninst.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\video95.cfg.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\vmgrremok.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\vmpremov.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\x.ico
C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF1E62.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF581D.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF9A31.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFA7F0.tmp

51 Files deleted

====== Files and Folders under "All Users\Application Data" Last 60 Days======


 ====== Possible Rootkit Scan (Note: Items listed here are not necessarily bad)======


====== Values under HKLM\Software\microsoft\shared tools\msconfig\startupreg ======

HKLM\Software\microsoft\shared tools\msconfig\startupreg\AOLDialer


HKLM\Software\microsoft\shared tools\msconfig\startupreg\HostManager


HKLM\Software\microsoft\shared tools\msconfig\startupreg\Lexmark X73 Button Manager


HKLM\Software\microsoft\shared tools\msconfig\startupreg\Lexmark X73 Button Monitor


HKLM\Software\microsoft\shared tools\msconfig\startupreg\MoneyAgent


HKLM\Software\microsoft\shared tools\msconfig\startupreg\MSMSGS


HKLM\Software\microsoft\shared tools\msconfig\startupreg\OmniPass


HKLM\Software\microsoft\shared tools\msconfig\startupreg\StorageGuard


HKLM\Software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager


====== Services ( Services that are Whitelisted are not shown) ======

 Alerter (Alerter) C:\WINDOWS\System32\svchost.exe -k LocalService  - Disabled
 Application Layer Gateway Service (ALG) C:\WINDOWS\System32\alg.exe  - Manual
 Application Management (AppMgmt) C:\WINDOWS\system32\svchost.exe -k netsvcs  - Manual
 ASP.NET State Service (aspnet_state) C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe  - Manual
 Windows Audio (AudioSrv) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto
 Background Intelligent Transfer Service (BITS) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Manual
 Computer Browser (Browser) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto
 Indexing Service (CiSvc) C:\WINDOWS\system32\cisvc.exe  - Manual
 ClipBook (ClipSrv) C:\WINDOWS\system32\clipsrv.exe  - Disabled
 COM+ System Application (COMSysApp) C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}  - Manual
 Cryptographic Services (CryptSvc) C:\WINDOWS\system32\svchost.exe -k netsvcs  - Auto
 DCOM Server Process Launcher (DcomLaunch) C:\WINDOWS\system32\svchost -k DcomLaunch  - Auto
 DHCP Client (Dhcp) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto
 Logical Disk Manager Administrative Service (dmadmin) C:\WINDOWS\System32\dmadmin.exe /com  - Manual
 Logical Disk Manager (dmserver) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Manual
 DNS Client (Dnscache) C:\WINDOWS\System32\svchost.exe -k NetworkService  - Auto
 Error Reporting Service (ERSvc) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto
 Event Log (Eventlog) C:\WINDOWS\system32\services.exe  - Auto
 COM+ Event System (EventSystem) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Manual
 Fast User Switching Compatibility (FastUserSwitchingCompatibility) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Manual
 Fax (Fax) C:\WINDOWS\system32\fxssvc.exe  - Manual
 Help and Support (helpsvc) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto
 Human Interface Device Access (HidServ) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Disabled
 HTTP SSL (HTTPFilter) C:\WINDOWS\System32\svchost.exe -k HTTPFilter  - Manual
 IMAPI CD-Burning COM Service (ImapiService) C:\WINDOWS\System32\imapi.exe  - Manual
 Server (lanmanserver) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto
 Workstation (lanmanworkstation) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto
 LexBce Server (LexBceS) C:\WINDOWS\system32\LEXBCES.EXE  - Auto
 TCP/IP NetBIOS Helper (LmHosts) C:\WINDOWS\System32\svchost.exe -k LocalService  - Auto
 Lexar JD31 (LxrJD31s) LxrJD31s.exe  - Auto
 Messenger (Messenger) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Disabled
 NetMeeting Remote Desktop Sharing (mnmsrvc) C:\WINDOWS\System32\mnmsrvc.exe  - Manual
 Distributed Transaction Coordinator (MSDTC) C:\WINDOWS\System32\msdtc.exe  - Manual
 Windows Installer (MSIServer) C:\WINDOWS\System32\msiexec.exe /V  - Manual
 Network DDE (NetDDE) C:\WINDOWS\system32\netdde.exe  - Disabled
 Network DDE DSDM (NetDDEdsdm) C:\WINDOWS\system32\netdde.exe  - Disabled
 Net Logon (Netlogon) C:\WINDOWS\System32\lsass.exe  - Manual
 Network Connections (Netman) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Manual
 Network Location Awareness (NLA) (Nla) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Manual
 NT LM Security Support Provider (NtLmSsp) C:\WINDOWS\System32\lsass.exe  - Manual
 Removable Storage (NtmsSvc) C:\WINDOWS\system32\svchost.exe -k netsvcs  - Manual
 NVIDIA Driver Helper Service (NVSvc) C:\WINDOWS\System32\nvsvc32.exe  - Auto
 Softex OmniPass Service (omniserv) C:\Program Files\Softex\OmniPass\Omniserv.exe  - Auto
 Plug and Play (PlugPlay) C:\WINDOWS\system32\services.exe  - Auto
 Pml Driver HPZ12 (Pml Driver HPZ12) C:\WINDOWS\System32\HPZipm12.exe  - Manual
 IPSEC Services (PolicyAgent) C:\WINDOWS\System32\lsass.exe  - Auto
 Protected Storage (ProtectedStorage) C:\WINDOWS\system32\lsass.exe  - Auto
 Remote Access Auto Connection Manager (RasAuto) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto
 Remote Access Connection Manager (RasMan) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Manual
 Remote Desktop Help Session Manager (RDSessMgr) C:\WINDOWS\system32\sessmgr.exe  - Manual
 Routing and Remote Access (RemoteAccess) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Disabled
 Remote Procedure Call (RPC) Locator (RpcLocator) C:\WINDOWS\System32\locator.exe  - Manual
 Remote Procedure Call (RPC) (RpcSs) C:\WINDOWS\system32\svchost -k rpcss  - Auto
 QoS RSVP (RSVP) C:\WINDOWS\System32\rsvp.exe  - Manual
 Security Accounts Manager (SamSs) C:\WINDOWS\system32\lsass.exe  - Auto
 Smart Card (SCardSvr) C:\WINDOWS\System32\SCardSvr.exe  - Manual
 Task Scheduler (Schedule) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto
 Secondary Logon (seclogon) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto
 System Event Notification (SENS) C:\WINDOWS\system32\svchost.exe -k netsvcs  - Auto
 Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto
 Shell Hardware Detection (ShellHWDetection) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto
 Print Spooler (Spooler) C:\WINDOWS\system32\spoolsv.exe  - Auto
 System Restore Service (srservice) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto
 SSDP Discovery Service (SSDPSRV) C:\WINDOWS\System32\svchost.exe -k LocalService  - Manual
 Windows Image Acquisition (WIA) (stisvc) C:\WINDOWS\System32\svchost.exe -k imgsvc  - Auto
 MS Software Shadow Copy Provider (SwPrv) C:\WINDOWS\System32\dllhost.exe /Processid:{E9FAE58C-7E2C-46A9-BC4A-0DEC332F3ACC}  - Manual
 Performance Logs and Alerts (SysmonLog) C:\WINDOWS\system32\smlogsvc.exe  - Manual
 Telephony (TapiSrv) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Manual
 Terminal Services (TermService) C:\WINDOWS\System32\svchost -k DComLaunch  - Manual
 Themes (Themes) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto
 Distributed Link Tracking Client (TrkWks) C:\WINDOWS\system32\svchost.exe -k netsvcs  - Auto
 Universal Plug and Play Device Host (upnphost) C:\WINDOWS\System32\svchost.exe -k LocalService  - Manual
 Uninterruptible Power Supply (UPS) C:\WINDOWS\System32\ups.exe  - Manual
 Volume Shadow Copy (VSS) C:\WINDOWS\System32\vssvc.exe  - Manual
 Windows Time (W32Time) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto
 WebClient (WebClient) C:\WINDOWS\System32\svchost.exe -k LocalService  - Auto
 Windows Management Instrumentation (winmgmt) C:\WINDOWS\system32\svchost.exe -k netsvcs  - Auto
 Portable Media Serial Number Service (WmdmPmSN) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Manual
 WMI Performance Adapter (WmiApSrv) C:\WINDOWS\System32\wbem\wmiapsrv.exe  - Manual
 Security Center (wscsvc) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto
 Automatic Updates (wuauserv) C:\WINDOWS\system32\svchost.exe -k netsvcs  - Auto
 Wireless Zero Configuration (WZCSVC) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Auto
 Network Provisioning Service (xmlprov) C:\WINDOWS\System32\svchost.exe -k netsvcs  - Manual

====== Uninstall List From Registry ======

SecureExpertCleaner 1.0.11.2
Adobe Flash Player ActiveX
Adobe Download Manager 1.2 (Remove Only)
Compaq Connections
CCleaner (remove only)
HijackThis 2.0.2
hp instant support
HP Image Zone 4.5
HP Photo and Imaging 2.0 - hp psc 1200 series
Quicken 2003 New User Edition
Instant Support
Java Web Start
JD Secure 3.1
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Security Update for Windows XP (KB890046)
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Security Update for Windows XP (KB893756)
Windows Installer 3.1 (KB893803)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Step By Step Interactive Training (KB898458)
Update for Windows XP (KB898461)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Update for Windows XP (KB900485)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows Media Player (KB911564)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Update for Windows XP (KB916595)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Update for Windows XP (KB920872)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Update for Windows XP (KB922582)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Update for Windows XP (KB927891)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Update for Windows XP (KB930916)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Update for Windows XP (KB931836)
Security Update for CAPICOM (KB931906)
Security Update for Windows XP (KB932168)
Update for Windows XP (KB933360)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Update for Windows XP (KB938828)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Update for Windows XP (KB946627)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Update for Windows XP (KB951072-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows Media Player (KB952069)
Hotfix for Windows XP (KB952287)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Update for Windows XP (KB955839)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Enhanced Multimedia Keyboard Solution
Lexmark X73
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Mozilla Firefox (3.0.1)
NVIDIA Windows 2000/XP Display Drivers
NVIDIA Gart Driver
PS2
QuickInstallPack
QuickTime
RealOne Player
AntivirXP08
S3Display
S3Gamma2
S3Info2
S3Overlay
Adobe Flash Player 9 ActiveX
VIA Rhine-Family Fast Ethernet Adapter
Windows Genuine Advantage Notifications (KB905474)
WildTangent Web Driver
Windows SR 2.0
Windows XP Service Pack 2
Microsoft Office 2000 SR-1 Small Business
Microsoft Money 2003
Microsoft Money 2003 System Pack
Sonic Update Manager
Security Update for CAPICOM (KB931906)
IntelliMover Data Transfer Demo
HP Product Assistant
Microsoft Visual J# .NET Redistributable Package 1.1
InstantShare
TrayApp
HpSdpAppCoreApp
Blazing Angels Squadrons of WWII
Unload
Java(TM) 6 Update 7
WebFldrs XP
MSXML 4.0 SP2 (KB927978)
CueTour
MUSICMATCH® Jukebox
Adobe Photoshop Album Starter Edition
Weblink
ShareIns
PanoStandAlone
CreativeProjects
PhotoGallery
HP Software Update
Destinations
HP Photo and Imaging 2.0 - All-in-One Drivers
BufferChm
Microsoft Works 7.0
HPSystemDiagnostics
SkinsHP1
MSXML 4.0 SP2 (KB954430)
QFolder
Intel(R) Extreme Graphics Driver
RecordNow!
HP Photo and Imaging 2.0 - All-in-One
InterVideo WinDVD Player
Adobe Reader 6.0
HP Memories Disc
HP Photosmart Cameras 4.5
Director
MSXML 4.0 SP2 (KB936181)
Microsoft Plus! Digital Media Edition
hp psc 1200 series
Microsoft .NET Framework 1.1
WebReg
CameraDrivers
Interactive User’s Guide
Java 2 Runtime Environment, SE v1.4.1_02
HP Deskjet Preloaded Printer Drivers
OmniPass
Quicken 2003 New User Edition
CreativeProjectsTemplates

======== Other Info ========

TOTAL PHYSICAL RAM: 503 MB

 

0 Kudos
bamajim
5 Rhenium

Re: Multiple fake antivirus pop ups


eps813

A. Go Add or Remove Programs (Click Start ->> Control Panel ->> Add or Remove Programs)
And uninstall the following program
    SecureExpertCleaner 1.0.11.2

Close Add or Remove Programs

B. 1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop (How to extract (decompress) zipped or compressed files, help in the link here: )

2. Copy all the text contained in the bold below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to Delete:
C:\Documents and Settings\All Users\Application Data\fchihchi\xqvgbcvq.exe
C:\WINDOWS\system32\lphcctdj0e557.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\video95.cfg.exe
C:\WINDOWS\system32\pphcctdj0e557.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\e.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\qip\iercpt.dll
C:\Program Files\SAV\sav.exe
C:\Program Files\rhc9tdj0e557\rhc9tdj0e557.exe
C:\Program Files\SecureExpertCleaner\sec.exe
C:\Program Files\SecureExpertCleaner\Reminder.exe
C:\WINDOWS\system32\ktmbetip.exe
C:\Documents and Settings\Owner\\Local Settings\Application Data\qip\QuickInstallPack.exe
C:\WINDOWS\system32\M3wvbE06.exe.a_a

Folders to Delete:
C:\Documents and Settings\All Users\Application Data\fchihchi
C:\Program Files\SecureExpertCleaner
C:\Documents and Settings\Owner\Local Settings\Application Data\qip
C:\Program Files\SAV
C:\Program Files\rhc9tdj0e557


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Select Load Script
  • Select Paste from Clipboard
  • The information should now appear in the Open window
  • Select Execute
  • Answer Yes When prompted "Are you sure you want to execute the current script?"

4. The Avenger will automatically do the following:
  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log




Consumer Security 2008- 2010

 

0 Kudos
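The entries that went into the Avenger script above were picked by reading the File Lister Run-key export by hand: executables living in Temp or profile data folders, randomly named files and folders, and the same value registered under both HKLM and HKCU. As an added example (not code from the thread, from File Lister or from The Avenger), the Python script below applies those same defender heuristics to a REGEDIT4-style Run-key export. The sample export is a constructed, cut-down copy of the export posted earlier in the thread; the path patterns, the name-length threshold and the function names are assumptions, and the output is a triage list for a human to review, not a removal script.

```python
"""Triage helper: flag suspicious autorun entries in a REGEDIT4 export.

Added example, not the forum's or File Lister's own code. Heuristics and
thresholds are assumptions chosen to match the traits seen in the thread.
"""
import re

# Constructed sample: a cut-down copy of the Run-key export posted in the thread.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"mmtask"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe\""
"Antivirus"="C:\\Program Files\\SAV\\sav.exe"
"lphcctdj0e557"="C:\\WINDOWS\\system32\\lphcctdj0e557.exe"
"SMrhc9tdj0e557"="C:\\Program Files\\rhc9tdj0e557\\rhc9tdj0e557.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="rundll32.exe nview.dll,nViewLoadHook"
"Somefox"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\video95.cfg.exe"
"Antivirus"="C:\\Program Files\\SAV\\sav.exe"
"QuickInstallPack"="\"C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\qip\\QuickInstallPack.exe\" /autorun"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="data" with REGEDIT4 escaping (backslash escapes backslash and quote)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# First token that ends in an executable extension, optional leading quote
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|com|scr|pif|bat))\b', re.I)
# Folders any user (or any running malware) can write to on XP (assumption)
USER_WRITABLE = re.compile(
    r'\\(Temp|Local Settings\\Application Data|All Users\\Application Data|Application Data)\\', re.I)
# 10+ alphanumerics mixing letters and digits, e.g. lphcctdj0e557 (threshold is an assumption)
RANDOM_NAME = re.compile(r'^(?=.*\d)(?=.*[a-z])[a-z0-9]{10,}$', re.I)


def unescape(s):
    """Undo REGEDIT4 escaping: \\\\ -> \\ and \\" -> " ."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_export(text):
    """Return a list of (key, value_name, data) tuples from a REGEDIT4 export."""
    key, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return entries


def executable_path(data):
    """Extract the program actually launched from a Run value's data string."""
    m = EXE_RE.match(data)
    return m.group(1) if m else data


def triage(text):
    """Return findings: entries with at least one suspicious trait and why."""
    entries = parse_run_export(text)
    hives_by_name = {}
    for key, name, _ in entries:
        hives_by_name.setdefault(name.lower(), set()).add(key.split('\\', 1)[0])
    findings = []
    for key, name, data in entries:
        path = executable_path(data)
        base = path.rsplit('\\', 1)[-1]
        stem = base.split('.')[0]
        parent = path.rsplit('\\', 2)[-2] if path.count('\\') >= 2 else ''
        reasons = []
        if USER_WRITABLE.search(path):
            reasons.append('executable lives in a user-writable temp/profile data folder')
        for label, token in (('value name', name), ('file name', stem), ('parent folder', parent)):
            if RANDOM_NAME.match(token):
                reasons.append(f'{label} looks randomly generated: {token}')
        if len(hives_by_name[name.lower()]) > 1:
            reasons.append('same value name registered under both HKLM and HKCU')
        if reasons:
            findings.append({'hive': key.split('\\', 1)[0], 'name': name,
                             'path': path, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_EXPORT):
        print(f"{f['hive']}  {f['name']}  ->  {f['path']}")
        for r in f['reasons']:
            print(f"    - {r}")
```

Run against the sample, the script flags exactly the six entries the helper scripted for removal (the two `Antivirus` values, `lphcctdj0e557`, `SMrhc9tdj0e557`, `Somefox` and `QuickInstallPack`) and leaves the HP, NVIDIA, Musicmatch and Java entries alone. The name-randomness check is deliberately loose and will miss short names such as `video95.cfg.exe`, which is why the user-writable-folder rule exists alongside it; a flagged entry is a lead for a human to confirm, and the value should be cross-checked against the running-process list before anything is removed.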
eps813
1 Nickel

Re: Multiple fake antivirus pop ups

1st is the avenger log. Also, the desktop is showing a fake picture of an antivirus popup.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\Documents and Settings\All Users\Application Data\fchihchi\xqvgbcvq.exe" deleted successfully.
File "C:\WINDOWS\system32\lphcctdj0e557.exe" deleted successfully.
File "C:\DOCUME~1\Owner\LOCALS~1\Temp\video95.cfg.exe" deleted successfully.
File "C:\WINDOWS\system32\pphcctdj0e557.exe" deleted successfully.
File "C:\DOCUME~1\Owner\LOCALS~1\Temp\e.exe" deleted successfully.
File "C:\Documents and Settings\Owner\Local Settings\Application Data\qip\iercpt.dll" deleted successfully.
File "C:\Program Files\SAV\sav.exe" deleted successfully.
File "C:\Program Files\rhc9tdj0e557\rhc9tdj0e557.exe" deleted successfully.

Error:  file "C:\Program Files\SecureExpertCleaner\sec.exe" not found!
Deletion of file "C:\Program Files\SecureExpertCleaner\sec.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\Program Files\SecureExpertCleaner\Reminder.exe" not found!
Deletion of file "C:\Program Files\SecureExpertCleaner\Reminder.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\ktmbetip.exe" not found!
Deletion of file "C:\WINDOWS\system32\ktmbetip.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\Documents and Settings\Owner\\Local Settings\Application Data\qip\QuickInstallPack.exe" deleted successfully.
File "C:\WINDOWS\system32\M3wvbE06.exe.a_a" deleted successfully.
Folder "C:\Documents and Settings\All Users\Application Data\fchihchi" deleted successfully.
Folder "C:\Program Files\SecureExpertCleaner" deleted successfully.
Folder "C:\Documents and Settings\Owner\Local Settings\Application Data\qip" deleted successfully.
Folder "C:\Program Files\SAV" deleted successfully.
Folder "C:\Program Files\rhc9tdj0e557" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

Hijack Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:06 AM, on 2/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\f.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: iercptbho - {D4CDC21D-43BE-4101-A1EF-E379F134771E} - C:\Documents and Settings\Owner\Local Settings\Application Data\qip\iercpt.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\SAV\sav.exe
O4 - HKLM\..\Run: [lphcctdj0e557] C:\WINDOWS\system32\lphcctdj0e557.exe
O4 - HKLM\..\Run: [SMrhc9tdj0e557] C:\Program Files\rhc9tdj0e557\rhc9tdj0e557.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Somefox] C:\DOCUME~1\Owner\LOCALS~1\Temp\video95.cfg.exe
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\SAV\sav.exe
O4 - HKCU\..\Run: [DscShDb] C:\WINDOWS\system32\ktmbetip.exe
O4 - HKCU\..\Run: [QuickInstallPack] "C:\Documents and Settings\Owner\Local Settings\Application Data\qip\QuickInstallPack.exe" /autorun
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Owner\LOCALS~1\Temp\f.exe
O4 - HKLM\..\Policies\Explorer\Run: [WGmJjd1P3X] C:\Documents and Settings\All Users\Application Data\fchihchi\xqvgbcvq.exe
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174378422906
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 5530 bytes

bamajim
5 Rhenium

Re: Multiple fake antivirus pop ups


eps813

Looking better. We are going to use Avenger once more.

1. Rerun HijackThis (scan only) and place checks beside the following entries:

    O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
    O2 - BHO: iercptbho - {D4CDC21D-43BE-4101-A1EF-E379F134771E} - C:\Documents and Settings\Owner\Local Settings\Application Data\qip\iercpt.dll (file missing)
    O4 - HKLM\..\Run: [Antivirus] C:\Program Files\SAV\sav.exe
    O4 - HKLM\..\Run: [lphcctdj0e557] C:\WINDOWS\system32\lphcctdj0e557.exe
    O4 - HKLM\..\Run: [SMrhc9tdj0e557] C:\Program Files\rhc9tdj0e557\rhc9tdj0e557.exe
    O4 - HKCU\..\Run: [Somefox] C:\DOCUME~1\Owner\LOCALS~1\Temp\video95.cfg.exe
    O4 - HKCU\..\Run: [Antivirus] C:\Program Files\SAV\sav.exe
    O4 - HKCU\..\Run: [DscShDb] C:\WINDOWS\system32\ktmbetip.exe
    O4 - HKCU\..\Run: [QuickInstallPack] "C:\Documents and Settings\Owner\Local Settings\Application Data\qip\QuickInstallPack.exe" /autorun
    O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Owner\LOCALS~1\Temp\f.exe
    O4 - HKLM\..\Policies\Explorer\Run: [WGmJjd1P3X] C:\Documents and Settings\All Users\Application Data\fchihchi\xqvgbcvq.exe

Close all other open windows except HijackThis and select "Fix checked".

Close HijackThis (Do Not Reboot Yet.)

Next:

1. Rerun Avenger.

2. Copy all the text contained in the bold below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to Delete:
C:\WINDOWS\system32\msxml71.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Select Load Script
  • Select Paste from Clipboard
  • The information should now appear in the Open window
  • Select Execute
  • Answer Yes When prompted "Are you sure you want to execute the current script?"

4. The Avenger will automatically do the following:
  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log.

Consumer Security 2008- 2010
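The fix list in step 1 is not arbitrary: every entry the helper checked either loads from a Temp or Application Data directory, is an orphaned BHO marked "(file missing)", uses the rarely legitimate Policies\Explorer\Run key, carries a generated-looking name, or is registered under both HKLM and HKCU Run. The Python script below is an added example, not a tool from this thread or from the HijackThis or Avenger authors; it parses O2 and O4 lines and applies exactly those checks. The sample lines are a subset copied from the log eps813 posted above, and the thresholds in `looks_random` (seven vowel-less letters, or two or more digits with under 15% vowels) are my own assumptions. On that subset it flags the same eleven entries the helper listed and stays quiet on the HP, NVIDIA and Adobe entries.

```python
"""Triage of HijackThis O2 (BHO) and O4 (Run key) lines. Added example, not
a tool from this thread; it encodes the patterns behind the fix list above."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Subset of the log posted above; legitimate HP/NVIDIA/Adobe entries are kept
# to show the rules stay quiet on them.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: iercptbho - {D4CDC21D-43BE-4101-A1EF-E379F134771E} - C:\Documents and Settings\Owner\Local Settings\Application Data\qip\iercpt.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\SAV\sav.exe
O4 - HKLM\..\Run: [lphcctdj0e557] C:\WINDOWS\system32\lphcctdj0e557.exe
O4 - HKLM\..\Run: [SMrhc9tdj0e557] C:\Program Files\rhc9tdj0e557\rhc9tdj0e557.exe
O4 - HKCU\..\Run: [Somefox] C:\DOCUME~1\Owner\LOCALS~1\Temp\video95.cfg.exe
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\SAV\sav.exe
O4 - HKCU\..\Run: [DscShDb] C:\WINDOWS\system32\ktmbetip.exe
O4 - HKCU\..\Run: [QuickInstallPack] "C:\Documents and Settings\Owner\Local Settings\Application Data\qip\QuickInstallPack.exe" /autorun
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Owner\LOCALS~1\Temp\f.exe
O4 - HKLM\..\Policies\Explorer\Run: [WGmJjd1P3X] C:\Documents and Settings\All Users\Application Data\fchihchi\xqvgbcvq.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|Policies\\Explorer\\Run): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
VOWELS = set("aeiouy")


@dataclass
class Entry:
    line: str
    name: str               # BHO display name or Run value name
    path: str               # file the entry loads
    hive: str = ""          # HKLM / HKCU for O4 lines, "" for BHOs
    key: str = ""           # Run or Policies\Explorer\Run
    missing: bool = False   # HijackThis printed "(file missing)"
    reasons: list = field(default_factory=list)


def looks_random(token: str) -> bool:
    """Generated-looking name (assumed thresholds): 7+ letters with no vowel,
    or 2+ digits mixed into letters with under 15% vowels."""
    letters = [c for c in token.lower() if c.isalpha()]
    if not letters:
        return False
    ratio = sum(c in VOWELS for c in letters) / len(letters)
    digits = sum(c.isdigit() for c in token)
    return (len(letters) >= 7 and ratio == 0) or (digits >= 2 and ratio < 0.15)


def target_of(cmd: str) -> str:
    """First token of a Run command; for rundll32 the DLL it is asked to load."""
    m = re.match(r'"([^"]+)"\s*(.*)|(\S+)\s*(.*)', cmd)
    if not m:
        return cmd
    exe, rest = (m[1], m[2]) if m[1] else (m[3], m[4])
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe" and rest:
        return rest.split(",", 1)[0].strip('"')
    return exe


def parse(log_text: str) -> list:
    """Turn O2/O4 lines into Entry objects; every other line is ignored."""
    entries = []
    for line in log_text.splitlines():
        if m := O2_RE.match(line):
            missing = m["path"].endswith(" (file missing)")
            entries.append(Entry(line, m["name"], m["path"].removesuffix(" (file missing)"),
                                 missing=missing))
        elif m := O4_RE.match(line):
            entries.append(Entry(line, m["name"], target_of(m["cmd"]), m["hive"], m["key"]))
    return entries


def triage(log_text: str) -> list:
    """Attach a reason list to every parsed entry; empty means nothing odd."""
    entries = parse(log_text)
    hives = defaultdict(set)   # value name -> hives it is registered in
    for e in entries:
        if e.key == "Run":
            hives[e.name.lower()].add(e.hive)
    for e in entries:
        p = e.path.lower()
        stem = p.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        checks = [
            (e.missing, "file missing (orphaned entry)"),
            ("\\temp\\" in p, "loads from a Temp directory"),
            ("\\application data\\" in p or "\\applic~1\\" in p, "loads from Application Data"),
            (e.key.startswith("Policies"), "Policies\\Explorer\\Run persistence"),
            ("." in stem, "double extension"),
            (looks_random(e.name) or looks_random(stem), "generated-looking name"),
            (e.key == "Run" and len(hives[e.name.lower()]) > 1, "same value under HKLM and HKCU Run"),
        ]
        e.reasons.extend(text for hit, text in checks if hit)
    return entries


def flagged(log_text: str) -> dict:
    """'HIVE:name' (or 'BHO:name') -> reasons, for the entries worth a look."""
    return {f"{e.hive or 'BHO'}:{e.name}": e.reasons
            for e in triage(log_text) if e.reasons}
```

Call `flagged(SAMPLE_LOG)` or pass a whole log; lines that are not O2/O4 entries are skipped. The rules are triage aids, not verdicts: a vendor abbreviation can trip the name check on another machine, so each hit still gets a reviewer's eye, exactly as in the thread.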

eps813
1 Nickel

Re: Multiple fake antivirus pop ups

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:10:27 PM, on 2/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.community.dell.com/forums/t/19258955.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174378422906
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 4642 bytes

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\Documents and Settings\All Users\Application Data\fchihchi\xqvgbcvq.exe" deleted successfully.
File "C:\WINDOWS\system32\lphcctdj0e557.exe" deleted successfully.
File "C:\DOCUME~1\Owner\LOCALS~1\Temp\video95.cfg.exe" deleted successfully.
File "C:\WINDOWS\system32\pphcctdj0e557.exe" deleted successfully.
File "C:\DOCUME~1\Owner\LOCALS~1\Temp\e.exe" deleted successfully.
File "C:\Documents and Settings\Owner\Local Settings\Application Data\qip\iercpt.dll" deleted successfully.
File "C:\Program Files\SAV\sav.exe" deleted successfully.
File "C:\Program Files\rhc9tdj0e557\rhc9tdj0e557.exe" deleted successfully.

Error:  file "C:\Program Files\SecureExpertCleaner\sec.exe" not found!
Deletion of file "C:\Program Files\SecureExpertCleaner\sec.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\Program Files\SecureExpertCleaner\Reminder.exe" not found!
Deletion of file "C:\Program Files\SecureExpertCleaner\Reminder.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\ktmbetip.exe" not found!
Deletion of file "C:\WINDOWS\system32\ktmbetip.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\Documents and Settings\Owner\\Local Settings\Application Data\qip\QuickInstallPack.exe" deleted successfully.
File "C:\WINDOWS\system32\M3wvbE06.exe.a_a" deleted successfully.
Folder "C:\Documents and Settings\All Users\Application Data\fchihchi" deleted successfully.
Folder "C:\Program Files\SecureExpertCleaner" deleted successfully.
Folder "C:\Documents and Settings\Owner\Local Settings\Application Data\qip" deleted successfully.
Folder "C:\Program Files\SAV" deleted successfully.
Folder "C:\Program Files\rhc9tdj0e557" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

 

//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Wed Feb 25 15:06:30 2009

15:06:30: Error: Invalid script.  A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Wed Feb 25 15:06:32 2009

15:06:32: Error: Invalid script.  A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Wed Feb 25 15:06:57 2009

15:06:57: Error: Invalid script.  A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\msxml71.dll" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

bamajim
5 Rhenium

Re: Multiple fake antivirus pop ups

eps813

Good work. How's your PC running at this point?

Consumer Security 2008- 2010

eps813
1 Nickel

Re: Multiple fake antivirus pop ups

Good, just need to change the background and we should be all set. Thank you for the help.