Fake microsoft style (warning shield popup) "VIRUS ALERT"

Post by steeldarkstar » October 16th, 2008, 5:48 pm

Fake warnings started randomly popping up, and any time I tried to go to my homepage or any website my Internet Explorer would be rerouted to a fake antivirus download or virus information website. It wasn't always the same website, but the fake Microsoft-style (warning shield) popup was constant; the warning would change from Antivirus XP to VISTA Antivirus, Antivirus 2008, and then to Antivirus 2009. The hard drive disappeared from the My Computer folder along with the CD-ROM, then there was no All Programs on the Start menu, then My Computer and Control Panel disappeared from the Start menu, and the computer name in System Properties looks weird: it has my name with numbers (I found this when trying to put My Computer back on the Start menu). Plus, on the right-hand side of the clock in the taskbar notification area it displayed this fake "VIRUS ALERT". I was able to get rid of the VIRUS ALERT next to the clock, and get back to just the clock, by going into the Control Panel under Regional and Language Options, using the Customize option under Standards and Formats, and changing the (hh:mm-VIRUS ALERT) time format back to the normal (hh:mm); the VIRUS ALERT has not displayed since I made the changes there.
At the same time the VIRUS ALERT next to the clock and the random fake popups started, my antivirus program, Panda 2008, started to display virus and spyware warnings like crazy, but Panda could not stop, delete or quarantine the problem. So I ran the Windows Malicious Software Removal Tool and it found (Win32/Cutwail.AG & Winrf88.sys) and stated that this was the problem, but it could not clean it. So I tried to install and run Microsoft Windows Defender; I tried several times to run it but finally gave up and removed it. Then I tried over and over to install the Windows Live OneCare Safety Scanner; after about 10 failed installs and removals, Internet Options settings changes, and creating a new Administrator user account and then deleting all other accounts (files and programs too), I was able to install and run it properly. I did a full scan with the OneCare Safety Scanner and it found 12 problems and was able to fix all of them except one, which it could not delete or clean. The hard drive and Control Panel came back onto the Start menu, they now show up in the My Computer folder again, and All Programs now shows on the Start menu again as well. Looking in folder view I noticed a couple of folders that were not present 2 weeks ago when I was last in folder view; then this morning, when I went back into folder view to check out the folders that were not present 2 weeks ago, the file name was a lot shorter, like the file name had changed. I have deleted all installed programs except my Panda 2008 Antivirus, Belkin Wireless Utility, WinRAR, Adobe Flash Player, and the Kensington MouseWorks software (98/Me/2000/XP) that controls the external mouse. Everything else I removed and deleted, such as empty folders if any were left after reboot. The PC was just rebuilt by Radio Sh... a little over a year ago, as the hard drive was almost fried; they were barely able to get the system transferred to the new hard drive before the old one faded out.
It is an IBM 600e laptop, 20 GB NTFS, running XP Home Edition SP2 with all critical updates except SP3, with the IE7 browser. I do not want to install SP3; I had too many problems when I tried that install, and it took forever to get it removed and straightened out. Also, it seems every time I am able to manually clean a malware or virus issue and I turn off my PC, later when I turn it back on, or if I hibernate or restart the PC, there are brand new malware or virus issues or entries.

I'd appreciate any help anyone can give me.
-----------------------------------------------------------------------------------------

Here is the Hijack This Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:33:44 PM, on 10/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRAM FILES\PANDA SECURITY\PANDA ANTIVIRUS PRO 2009\WebProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\MWW32\MANAGER\MWMDMSVC.EXE
C:\WINDOWS\MWW32\MANAGER\MWSSW32.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\AVENGINE.EXE
C:\WINDOWS\system32\bcmwltry.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=78622&mkt=en-us
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {040BA7F9-CDC9-4F2A-BAFD-5B13501B2DAD} - (no file)
O2 - BHO: (no name) - {70C7270B-ECE9-4FA8-A203-4A2C2D366128} - (no file)
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O3 - Toolbar: (no name) - {65952D7F-B04B-4D60-99FF-77662FE2D2EF} - (no file)
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINDOWS\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\Inicio.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINDOWS\MWW32\manager\mwcpyrt.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1767666652
O20 - Winlogon Notify: geBtRiGX - geBtRiGX.dll (file missing)
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINDOWS\MWW32\MANAGER\MWMDMSVC.EXE
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe

--
End of file - 6027 bytes
steeldarkstar
Active Member
 
Posts: 8
Joined: October 16th, 2008, 3:38 pm
Location: TRF Mn
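For anyone reading a log like the one above, here is an added triage script (my own example, not code from HijackThis, RSIT or this forum) that scans HijackThis entries for the patterns a removal helper checks first: BHO and toolbar CLSIDs registered with "(no file)", Winlogon Notify DLLs reported as "(file missing)", Run entries that give a bare executable name with no path, and services with no publisher. It also reads the Lsa block of an RSIT registry dump, as posted later in this thread, and reports any authentication package listed beyond the default msv1_0. The sample input is copied from the logs in this thread; the case-churn heuristic for random-looking DLL names and its threshold of four case flips are my own assumptions, not anything the tools themselves do.

```python
"""Triage pass over HijackThis and RSIT output.

Added example for this thread, not code from HijackThis, RSIT or the forum.
It flags the entry types a removal helper reads first and lists extra LSA
authentication packages from an RSIT registry dump.  Sample lines are taken
from the logs posted in this thread.
"""
import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {65952D7F-B04B-4D60-99FF-77662FE2D2EF} - (no file)
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE" /s
O20 - Winlogon Notify: geBtRiGX - geBtRiGX.dll (file missing)
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
"""

# Sample input: the Lsa block from the RSIT registry dump posted later in the thread.
SAMPLE_RSIT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\byXPJYst

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O20"
    reason: str    # why the line deserves a look
    line: str      # the original log line


# Every HijackThis entry starts with a section tag such as R1, F2, O4, O23.
ENTRY = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")


def case_churn(name: str) -> int:
    """Count lower/upper case flips between adjacent letters.

    Heuristic (my assumption): generated DLL names like geBtRiGX flip case
    far more often than product names like WinCtrl32.
    """
    letters = [c for c in name if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.islower() != b.islower())


def classify(line: str):
    """Return a Finding for a suspicious HijackThis line, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("O2", "O3") and body.endswith("(no file)"):
        return Finding(sec, "BHO/toolbar CLSID registered but no backing file", line)
    if sec == "O20" and "(file missing)" in body:
        # body looks like "Winlogon Notify: <name> - <name>.dll (file missing)"
        name = body.split(":", 1)[1].split(" - ")[0].strip()
        why = "Winlogon Notify DLL missing from disk"
        if case_churn(name) >= 4:
            why += " (random-looking name)"
        return Finding(sec, why, line)
    if sec == "O4" and "] " in body:
        # A Run value with no directory and no quotes is resolved via the search path.
        target = body.split("] ", 1)[1]
        if not target.startswith('"') and "\\" not in target:
            return Finding(sec, "Run entry gives a bare executable name with no path", line)
    if sec == "O23" and "Unknown owner" in body:
        return Finding(sec, "service binary carries no publisher information", line)
    return None


def triage(hjt_text: str) -> list:
    """All findings for a HijackThis log, in log order."""
    return [f for f in map(classify, hjt_text.splitlines()) if f is not None]


def lsa_extra_packages(rsit_text: str) -> list:
    """Values under Lsa 'authentication packages' other than the default msv1_0.

    RSIT prints the first value on the key line and each further value on its
    own line until the next [section] header.
    """
    extras, in_lsa, seen_key = [], False, False
    for raw in rsit_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_lsa = line.lower().endswith("\\control\\lsa]")
            seen_key = False
            continue
        if not in_lsa or not line:
            continue
        if line.lower().startswith('"authentication packages"='):
            seen_key = True
            value = line.split("=", 1)[1].strip()
            if value.lower() != "msv1_0":
                extras.append(value)
        elif seen_key:
            extras.append(line)
    return extras


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.section:4} {f.reason}: {f.line.strip()}")
    for pkg in lsa_extra_packages(SAMPLE_RSIT):
        print(f"Lsa  extra authentication package: {pkg}")
```

Run it with python3 and it prints one line per finding. The output is a list of things to look at, not a verdict: "Unknown owner" only means the service binary carries no embedded company name (the Atheros configuration service above is a legitimate example), and a bare executable name in a Run entry only means Windows resolves it through the search path rather than a fixed location. The LSA check is the most useful one on this page, since a second authentication package loaded into lsass.exe is exactly the kind of entry that survives the cleanups the original poster describes.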

Re: Fake microsoft style (warning shield popup) "VIRUS ALERT"

Post by Rodav » October 20th, 2008, 6:07 pm

Hello! :hello2: and welcome to the Malware Removal forums.
I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research so please be patient while I work on your log and I will post back here with any recommendations.

  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
Rodav
MRU Master Emeritus
 
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.

Re: Fake microsoft style (warning shield popup) "VIRUS ALERT"

Post by Rodav » October 20th, 2008, 6:23 pm

Very thorough description of your problems. :thumbright:

It looks like you were dealing with Zlob and Vundo infections at least; it is a good idea to hold off updating to SP3 until we get you sorted with your malware problems.

Step 1:
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.


Step 2:
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<< will be maximized) and info.txt (<< will be minimized).


Logs to Post:
In your next reply, please post the following:
  • log.txt and info.txt from RSIT (random's system information tool)
  • The malwarebytes report

Re: Fake microsoft style (warning shield popup) "VIRUS ALERT"

Post by steeldarkstar » October 21st, 2008, 6:55 am

Your instructions stated to start with -
Step 1:

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

What is mbam-setup.exe, and where on my PC is it located?

Re: Fake microsoft style (warning shield popup) "VIRUS ALERT"

Post by Rodav » October 21st, 2008, 8:56 am

I'm so sorry, I mustn't have added the download location. It's in the following link, save it to your desktop, it's the green download button: http://www.malwarebytes.org/mbam.php

Re: Fake microsoft style (warning shield popup) "VIRUS ALERT"

Post by steeldarkstar » October 22nd, 2008, 2:58 am

Logfile of random's system information tool 1.04 (written by random/random)
Run by danny at 2008-10-21 01:50:15
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 15 GB (80%) free of 19 GB
Total RAM: 191 MB (30% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:45 AM, on 10/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRAM FILES\PANDA SECURITY\PANDA ANTIVIRUS PRO 2009\WebProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\MWW32\MANAGER\MWMDMSVC.EXE
C:\WINDOWS\MWW32\MANAGER\MWSSW32.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\AVENGINE.EXE
C:\WINDOWS\system32\bcmwltry.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE
C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\danny\Desktop\RSIT.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\avciman.exe
C:\Program Files\Trend Micro\HijackThis\danny.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\psimreal.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=78622&mkt=en-us
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {70C7270B-ECE9-4FA8-A203-4A2C2D366128} - (no file)
O3 - Toolbar: (no name) - {65952D7F-B04B-4D60-99FF-77662FE2D2EF} - (no file)
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINDOWS\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\Inicio.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINDOWS\MWW32\manager\mwcpyrt.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1767666652
O20 - Winlogon Notify: geBtRiGX - geBtRiGX.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINDOWS\MWW32\MANAGER\MWMDMSVC.EXE
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe

--
End of file - 5967 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70C7270B-ECE9-4FA8-A203-4A2C2D366128}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{65952D7F-B04B-4D60-99FF-77662FE2D2EF}

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Modem Update Reminder"=C:\WINDOWS\MWW32\manager\mwremind.exe [1999-04-01 202752]
"bcmwltry"=C:\WINDOWS\SYSTEM32\bcmwltry.exe [2003-07-25 462848]
"RemoveCpl"=C:\WINDOWS\SYSTEM32\RemoveCpl.exe [2003-01-15 24576]
"kmw_run.exe"=C:\WINDOWS\SYSTEM32\kmw_run.exe [2005-09-01 118784]
"APVXDWIN"=C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE [2008-07-16 857344]
"SCANINICIO"=C:\Program Files\Panda Security\Panda Antivirus Pro 2009\Inicio.exe [2008-07-07 50432]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Belkin Wireless Utility.lnk - C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
ThinkPad Modem Copyright.lnk - C:\WINDOWS\MWW32\manager\mwcpyrt.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avldr]
C:\WINDOWS\SYSTEM32\avldr.dll [2008-03-18 58672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\geBtRiGX]
geBtRiGX.dll []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\byXPJYst

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\NetMeeting\conf.exe"="C:\Program Files\NetMeeting\conf.exe:*:Disabled:Windows® NetMeeting®"
"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Disabled:Microsoft Management Console"
"C:\WINDOWS\Network Diagnostic\xpnetdiag.exe"="C:\WINDOWS\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

======File associations======

.js - open - C:\PROGRA~1\PANDAS~1\PANDAA~1\PAVSCRIP.EXE "%1" %*
.vbs - open - C:\PROGRA~1\PANDAS~1\PANDAA~1\PAVSCRIP.EXE "%1" %*

======List of files/folders created in the last 1 months======

2008-10-21 01:50:15 ----DC---- C:\rsit
2008-10-20 18:00:13 ----AC---- C:\WINDOWS\system32\lvkpc.txt
2008-10-20 17:10:31 ----DC---- C:\Documents and Settings\danny\Application Data\Malwarebytes
2008-10-20 17:10:12 ----DC---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-20 17:10:11 ----DC---- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-16 16:12:33 ----DC---- C:\Program Files\Trend Micro
2008-10-16 13:10:47 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-10-16 13:09:24 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-16 13:07:24 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-10-16 13:01:50 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-10-16 13:00:09 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-10-09 12:49:04 ----DC---- C:\Documents and Settings\danny\Application Data\Macromedia
2008-10-09 12:49:03 ----DC---- C:\Documents and Settings\danny\Application Data\Adobe

======List of files/folders modified in the last 1 months======

2008-10-21 01:50:34 ----DC---- C:\WINDOWS\Prefetch
2008-10-21 01:50:05 ----DC---- C:\WINDOWS\system32\CatRoot2
2008-10-21 01:41:21 ----DC---- C:\WINDOWS\system32
2008-10-21 01:40:50 ----DC---- C:\WINDOWS
2008-10-21 01:40:50 ----AC---- C:\WINDOWS\TMP0001.TMP
2008-10-21 01:39:51 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-10-21 01:34:55 ----DC---- C:\WINDOWS\Temp
2008-10-20 18:00:15 ----AD---- C:\WINDOWS\system32\drivers
2008-10-20 17:10:11 ----RDC---- C:\Program Files
2008-10-18 16:04:55 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-10-18 14:11:40 ----DC---- C:\WINDOWS\inf
2008-10-16 15:38:47 ----DC---- C:\Program Files\Windows Live Safety Center
2008-10-16 15:38:23 ----SDC---- C:\WINDOWS\Downloaded Program Files
2008-10-16 13:58:08 ----AC---- C:\WINDOWS\system.ini
2008-10-16 13:25:11 ----D---- C:\c5cef3b1b7bbe749ffe40a31eec4
2008-10-16 13:10:42 ----HDC---- C:\WINDOWS\$hf_mig$
2008-10-16 13:10:06 ----AC---- C:\WINDOWS\imsins.BAK
2008-10-16 13:04:51 ----DC---- C:\Program Files\Internet Explorer
2008-10-16 13:03:22 ----DC---- C:\WINDOWS\ie7updates
2008-10-15 17:28:36 ----DC---- C:\WINDOWS\system32\Macromed
2008-10-15 15:42:59 ----SHDC---- C:\WINDOWS\Installer
2008-10-15 15:42:58 ----HDC---- C:\Config.Msi
2008-10-15 15:42:57 ----DC---- C:\Program Files\Common Files\Microsoft Shared
2008-10-12 12:22:10 ----DC---- C:\WINDOWS\Help
2008-10-11 15:19:54 ----DC---- C:\WINDOWS\Debug
2008-10-11 14:31:14 ----SDC---- C:\Documents and Settings\danny\Application Data\Microsoft
2008-10-09 14:16:41 ----DC---- C:\WINDOWS\system32\NtmsData
2008-10-08 23:38:00 ----SHDC---- C:\RECYCLER
2008-10-08 23:37:59 ----DC---- C:\Documents and Settings
2008-10-08 23:31:24 ----SHD---- C:\System Volume Information
2008-10-08 23:31:24 ----DC---- C:\WINDOWS\system32\Restore
2008-10-08 23:27:28 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-10-07 14:19:40 ----AC---- C:\WINDOWS\system32\MRT.exe
2008-10-03 12:41:15 ----AC---- C:\WINDOWS\system32\ieframe.dll
2008-09-25 19:33:29 ----DC---- C:\WINDOWS\Microsoft.NET
2008-09-25 19:33:19 ----RSDC---- C:\WINDOWS\assembly
2008-09-25 18:16:14 ----DC---- C:\WINDOWS\system32\mui

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ShldDrv;Panda File Shield Driver; C:\WINDOWS\System32\DRIVERS\ShlDrv51.sys [2008-03-04 41144]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\System32\DRIVERS\AegisP.sys [2007-01-16 17801]
R2 irda;IrDA Protocol; C:\WINDOWS\System32\DRIVERS\irda.sys [2004-08-04 87424]
R2 LxrSII1d;Secure II Driver; \??\C:\WINDOWS\system32\Drivers\LxrSII1d.sys []
R2 PAVDRV;pavdrv; C:\WINDOWS\system32\DRIVERS\pavdrv51.sys [2008-04-28 84024]
R2 PavProc;Panda Process Protection Driver; \??\C:\WINDOWS\system32\DRIVERS\PavProc.sys []
R3 BLKWGN;Belkin Wireless G Notebook Card Service; C:\WINDOWS\System32\DRIVERS\BLKWGN.sys [2005-06-02 463872]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2004-08-04 14080]
R3 ComFiltr;Panda Anti-Dialer; \??\C:\WINDOWS\system32\DRIVERS\COMFiltr.sys []
R3 cwbmidi_device;Crystal WDM MPU-401 UART Driver; C:\WINDOWS\system32\drivers\cwbmidi.sys [2001-08-17 3072]
R3 cwbwdm_device;Crystal WDM Audio Codec Driver; C:\WINDOWS\system32\drivers\cwbwdm.sys [2001-08-17 72832]
R3 KMW_KBD;Kensington Input Devices Class filter driver; C:\WINDOWS\System32\DRIVERS\KMW_KBD.sys [2005-09-01 5760]
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver; C:\WINDOWS\System32\DRIVERS\KMW_SYS.sys [2005-09-01 92032]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 neo20xx;neo20xx; C:\WINDOWS\System32\DRIVERS\neo20xx.sys [2001-08-17 39264]
R3 NSCIRDA;NSC Infrared Device Driver; C:\WINDOWS\System32\DRIVERS\nscirda.sys [2004-08-04 28672]
R3 PavTPK.sys;PavTPK.sys; \??\C:\WINDOWS\system32\PavTPK.sys []
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\System32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 ThinkPadDSP;ThinkPad DSP Driver Service; C:\WINDOWS\System32\DRIVERS\mwwdm.sys [1999-09-24 39200]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 wlanndi5;wlanndi5 NDIS Protocol Driver; \??\C:\WINDOWS\System32\wlanndi5.SYS []
S3 DSB650TX;D-Link DSB-650TX USB 10/100 Ethernet Adapter; C:\WINDOWS\System32\DRIVERS\DSB650TX.sys [2001-09-25 26958]
S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 TVICHW32;TVICHW32; \??\C:\WINDOWS\System32\DRIVERS\TVICHW32.SYS []
S3 TwoTrack;IBM PS/2 TrackPoint Filter Driver; C:\WINDOWS\System32\DRIVERS\TwoTrack.sys [2001-08-17 11520]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys []
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-18 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ACS;Atheros Configuration Service; C:\WINDOWS\system32\acs.exe [2005-05-05 36864]
R2 Gwmsrv;Panda Goodware Cache Manager; C:\WINDOWS\system32\svchost -k Panda []
R2 Irmon;Infrared Monitor; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 Panda Software Controller;Panda Software Controller; C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe [2008-07-16 181504]
R2 PAVFNSVR;Panda Function Service; C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe [2008-07-10 169216]
R2 PavPrSrv;Panda Process Protection Service; C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe [2008-02-04 62768]
R2 PAVSRV;Panda On-Access Anti-Malware Service; C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe [2008-07-04 288512]
R2 ProtexisLicensing;ProtexisLicensing; C:\WINDOWS\system32\PSIService.exe [2007-06-05 177704]
R2 PSIMSVC;Panda IManager Service; C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe [2008-06-19 108288]
R2 PskSvcRetail;Panda PSK service; C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe [2008-06-25 28928]
R2 ThinkPadModemService;ThinkPad Modem Service; C:\WINDOWS\MWW32\MANAGER\MWMDMSVC.EXE [1999-09-24 50688]
R2 TPSrv;Panda TPSrv; C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe [2008-07-17 157440]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S4 LxrSII1s;Lexar Secure II; C:\WINDOWS\SYSTEM32\LxrSII1s.exe [2006-01-09 49152]

-----------------EOF-----------------
------------------------------------------------------------------------------------------

info.txt logfile of random's system information tool 1.04 2008-10-21 01:50:55

======Uninstall list======

Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Kensington MouseWorks-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C78937F-0C8E-11D9-A3EB-0001025FA304}\setup.exe" -l0x9 -u
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7-->"C:\WINDOWS\$NtUninstallWdf01007$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
Panda Antivirus Pro 2009-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E55FB276-73C9-4776-AB53-BC028C0509ED}\SETUP.exe" -l0x9 -removeonly
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921503)-->"C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938829)-->"C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941568)-->"C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941693)-->"C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948590)-->"C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948881)-->"C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Update for Windows XP (KB914882)-->"C:\WINDOWS\$NtUninstallKB914882$\spuninst\spuninst.exe"
Update for Windows XP (KB923845)-->"C:\WINDOWS\$NtUninstallKB923845$\spuninst\spuninst.exe"
Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB932823-v3)-->"C:\WINDOWS\$NtUninstallKB932823-v3$\spuninst\spuninst.exe"
Update for Windows XP (KB933360)-->"C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Update for Windows XP (KB936357)-->"C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

======Security center information======

AV: Panda Antivirus Pro 2009

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=1
"OS"=Windows_NT
"Path"=%SYSTEMROOT%\SYSTEM32;%SYSTEMROOT%;%SYSTEMROOT%\SYSTEM32\WBEM;C:\Program Files\Panda Security\Panda Antivirus Pro 2009\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 6 Stepping 10, GenuineIntel
"PROCESSOR_LEVEL"=6
"PROCESSOR_REVISION"=060a
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%

-----------------EOF-----------------

------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.29
Database version: 1304
Windows 5.1.2600 Service Pack 2

10/20/2008 5:58:07 PM
mbam-log-2008-10-20 (17-58-07).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 62586
Time elapsed: 40 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 23
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{48d78be5-cfb9-4b66-9ac4-96d4cf21de06} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ce7c3cf0-4b15-11d1-abed-709549c10000} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{040ba7f9-cdc9-4f2a-bafd-5b13501b2dad} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winth87 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\toprates.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wines55 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winex76 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winkc11 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winoa65 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winod76 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winpl11 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winqc76 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winrf88 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winsl22 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winwo32 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winxp76 (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{040ba7f9-cdc9-4f2a-bafd-5b13501b2dad} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (55277-OEM-0015001-67371) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\Winth87.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Wines55.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Winex76.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Winkc11.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Winoa65.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Winod76.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Winpl11.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Winqc76.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Winrf88.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Winsl22.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Winwo32.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Winxp76.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
steeldarkstar
Active Member
 
Posts: 8
Joined: October 16th, 2008, 3:38 pm
Location: TRF Mn

Re: Fake microsoft style (warning shield popup) "VIRUS ALERT"

Post by Rodav » October 22nd, 2008, 9:36 am

Step 1:
  1. Download ERUNT from here
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  2. Install ERUNT by double clicking it and then following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option at a later date)
  3. Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  4. Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  5. Make sure that at least the first two check boxes are ticked which are System registry and Current user registry
  6. Press OK
  7. Press YES to create the folder.


Step 2:
Download OTMoveIt3 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt3.exe. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
Code:
:reg
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70C7270B-ECE9-4FA8-A203-4A2C2D366128}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{65952D7F-B04B-4D60-99FF-77662FE2D2EF}

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\geBtRiGX]

:commands
[emptytemp]
[reboot]

  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3


Step 3:
Run Eset NOD32 Online AntiVirus
http://www.eset.eu/online-scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.


Step 4:
Please download DirLook by jpshortstuff from one of the following mirrors:
Link 1
Link 2
Link 3
  • Double-click DirLook.exe to run it.
  • Ensure that Show Hidden Files/Folders and BBCode Output are both checked.
  • Copy the content of the following codebox into the main textfield:

    Code:
    C:\c5cef3b1b7bbe749ffe40a31eec4

  • Click the DirLook button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (Note: The log can also be found at C:\DirLook.txt)
Note: Scanning may take longer for large folders.


Step 5:
Run random's system information tool (RSIT.exe) by double clicking it and post the following into your next reply:
  • The OTMoveit3 results
  • The NOD32 scan results
  • A new RSIT.exe log
  • The DirLook results
Also let me know how your computer is running.
Rodav
MRU Master Emeritus
 
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.
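As an added example (not part of the thread and not OTMoveIt3's own code), the checker below decodes the `hex(7)` REG_MULTI_SZ data in the `:reg` section of Step 2 back to strings, confirms the script resets the LSA "Authentication Packages" load point to the stock `msv1_0` only, and lists the keys slated for deletion together with any line it cannot interpret. It assumes the script text embedded below is a faithful copy of the post; regedit normally writes `hex(7)` as UTF-16LE while the post uses one byte per character, so both layouts are accepted, and all function names are mine.

```python
"""Review helper for the ':reg' section of an OTMoveIt3 script (added example)."""
import re

# Constructed input: the ':reg' and ':commands' blocks copied from the post above.
REG_SCRIPT = r"""
:reg
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70C7270B-ECE9-4FA8-A203-4A2C2D366128}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{65952D7F-B04B-4D60-99FF-77662FE2D2EF}

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\geBtRiGX]

:commands
[emptytemp]
[reboot]
"""

# "[key]" creates/updates a key, "[-key]" deletes it (standard .reg syntax).
KEY_RE = re.compile(r'^\[(?P<delete>-?)(?P<key>[^\]]+)\]$')
# "name"=hex(N):aa,bb,... binary-encoded value (hex(7) is REG_MULTI_SZ).
HEX_RE = re.compile(r'^"(?P<name>[^"]+)"=hex\((?P<type>\d+)\):'
                    r'(?P<data>[0-9a-fA-F]{2}(?:,[0-9a-fA-F]{2})*)$')

# Stock value of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages on XP.
DEFAULT_AUTH_PACKAGES = ["msv1_0"]


def decode_multi_sz(hex_bytes):
    """Turn a hex(7) byte list into the list of strings a REG_MULTI_SZ holds.

    If every odd-position byte is zero the data is UTF-16LE (regedit's export
    form); otherwise it is treated as single-byte text, as in the posted script.
    """
    raw = bytes(int(b, 16) for b in hex_bytes.split(","))
    if raw and len(raw) % 2 == 0 and all(raw[i] == 0 for i in range(1, len(raw), 2)):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    parts = text.split("\x00")        # NUL-separated strings ...
    while parts and parts[-1] == "":  # ... terminated by an empty string
        parts.pop()
    return parts


def parse_reg_script(script):
    """Summarise the ':reg' section: values set, keys deleted, lines not understood."""
    result = {"set": [], "delete_keys": [], "unparsed": []}
    current_key, in_reg = None, False
    for line in script.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(":"):          # section switch (:reg, :commands, ...)
            in_reg = line.lower() == ":reg"
            continue
        if not in_reg:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            if m.group("delete"):
                result["delete_keys"].append(current_key)
            continue
        m = HEX_RE.match(line)
        if m and m.group("type") == "7":
            result["set"].append((current_key, m.group("name"),
                                  decode_multi_sz(m.group("data"))))
            continue
        # Anything else (e.g. the bare GUID under the Toolbar key) is surfaced
        # for the reviewer rather than silently guessed at.
        result["unparsed"].append((current_key, line))
    return result


def authentication_packages_ok(parsed):
    """True only if the script leaves nothing but the stock msv1_0 in the LSA load point."""
    for key, name, values in parsed["set"]:
        if key.lower().endswith(r"\control\lsa") and name.lower() == "authentication packages":
            return values == DEFAULT_AUTH_PACKAGES
    return False


if __name__ == "__main__":
    summary = parse_reg_script(REG_SCRIPT)
    print("Authentication Packages reset to stock:", authentication_packages_ok(summary))
    for key in summary["delete_keys"]:
        print("delete key:", key)
    for key, line in summary["unparsed"]:
        print("check manually:", line, "under", key)
```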

Re: Fake microsoft style (warning shield popup) "VIRUS ALERT"

Post by Rodav » October 25th, 2008, 1:11 pm

Hi steeldarkstar, do you still need any help?
Rodav
MRU Master Emeritus
 
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.

Re: Fake microsoft style (warning shield popup) "VIRUS ALERT"

Post by steeldarkstar » October 26th, 2008, 1:03 am

Sorry for the delay, but I just got it booted up. I don't know what happened, but I shut it off after my last post and it would just restart over and over, just past the Windows logon loading bars, just before the desktop starts to show. I kept booting it this afternoon and it finally started, but the mouse program (external) would not work; after 8 or so more restarts it accepted the external mouse program and I am here now. I am sorry, that's never happened before. I want you to know I do appreciate the help greatly and I would be lost without your help. So now I am going to resume with your last directions, so here goes. Once again, thanks. I got this problem fixed; if you will see my last post here, it will explain what happened.
Last edited by steeldarkstar on October 26th, 2008, 3:16 am, edited 1 time in total.
steeldarkstar
Active Member
 
Posts: 8
Joined: October 16th, 2008, 3:38 pm
Location: TRF Mn

Re: Fake microsoft style (warning shield popup) "VIRUS ALERT"

Post by steeldarkstar » October 26th, 2008, 2:57 am

Downloaded & Ran ERUNT
--------------------------------------------

Downloaded OTMoveIt3 and installed it. I copied & pasted the entries as you asked, then pressed Move. Some of the entries stayed on the pasted side and some things showed up on the side I was to copy and send back as you asked. When I tried to copy the entries, the program itself locked up and would not let me copy it, & when I tried to close it the program would not close; I had to close it using the taskmaster. I tried to run it again and again it did the same thing with the entries & again it locked up, so I closed it and went on to the next step below. I hope that was OK.
----------------------------------------------------------------------------

Eset NOD32 Online AntiVirus
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3555 (20081025)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=780c26db6a6c324c849605982687d4ef
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-10-26 06:35:25
# local_time=2008-10-26 01:35:25 (-0600, Central Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=64521
# found=0
# scan_time=2753
-----------------------------------------------------------------------------

DirLook.exe v2.0 by jpshortstuff
Log created at 01:46 on 26/10/2008
==================================
Contents of "C:\c5cef3b1b7bbe749ffe40a31eec4"

---FOLDERS---

de-at (Created on 14/09/2008 at 23:27) d----c
de-ch (Created on 14/09/2008 at 23:27) d----c
de-de (Created on 14/09/2008 at 23:27) d----c
en-au (Created on 14/09/2008 at 23:27) d----c
en-ca (Created on 14/09/2008 at 23:27) d----c
en-gb (Created on 14/09/2008 at 23:27) d----c
en-hk (Created on 14/09/2008 at 23:27) d----c
en-ie (Created on 14/09/2008 at 23:27) d----c
en-in (Created on 14/09/2008 at 23:27) d----c
en-nz (Created on 14/09/2008 at 23:27) d----c
en-sg (Created on 14/09/2008 at 23:27) d----c
es-es (Created on 14/09/2008 at 23:27) d----c
es-mx (Created on 14/09/2008 at 23:27) d----c
es-us (Created on 14/09/2008 at 23:27) d----c
fr-be (Created on 14/09/2008 at 23:27) d----c
fr-ca (Created on 14/09/2008 at 23:27) d----c
fr-ch (Created on 14/09/2008 at 23:27) d----c
fr-fr (Created on 14/09/2008 at 23:27) d----c
it-it (Created on 14/09/2008 at 23:27) d----c
ja-jp (Created on 14/09/2008 at 23:27) d----c
ja-jp-psloc (Created on 14/09/2008 at 23:27) d----c
ko-kr (Created on 14/09/2008 at 23:27) d----c
nl-be (Created on 14/09/2008 at 23:27) d----c
nl-nl (Created on 14/09/2008 at 23:27) d----c
pt-br (Created on 14/09/2008 at 23:27) d----c

---FILES---

microsoft.vc80.atl.manifest (456 bytes - created on 08/08/2008 at 21:49, modified on 08/08/2008 at 21:49) --a--c
microsoft.vc80.crt.manifest (522 bytes - created on 08/08/2008 at 21:49, modified on 08/08/2008 at 21:49) --a--c
msvcp80.dll (548864 bytes - created on 08/08/2008 at 21:49, modified on 08/08/2008 at 21:49) --a--c
msvcr80.dll (626688 bytes - created on 08/08/2008 at 21:49, modified on 08/08/2008 at 21:49) --a--c
ochelpagent.dll (70184 bytes - created on 08/08/2008 at 21:49, modified on 08/08/2008 at 21:49) --a--c
ocsetup.exe (370728 bytes - created on 08/08/2008 at 21:49, modified on 08/08/2008 at 21:49) --a--c
ocsetup.PIF (2855 bytes - created on 26/09/2008 at 02:01, modified on 26/09/2008 at 02:04) --a--c
ocsetupro.dll (124968 bytes - created on 08/08/2008 at 21:49, modified on 08/08/2008 at 21:49) --a--c
winsscommon.dll (263720 bytes - created on 08/08/2008 at 21:49, modified on 08/08/2008 at 21:49) --a--c
winssplatform.dll (597544 bytes - created on 08/08/2008 at 21:49, modified on 08/08/2008 at 21:49) --a--c

==================================
=EOF=
--------------------------------------------------------------------------

Logfile of random's system information tool 1.04 (written by random/random)
Run by danny at 2008-10-26 01:50:20
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 15 GB (80%) free of 19 GB
Total RAM: 191 MB (35% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:43 AM, on 10/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\MWW32\MANAGER\MWMDMSVC.EXE
C:\WINDOWS\MWW32\MANAGER\MWSSW32.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\AVENGINE.EXE
C:\WINDOWS\system32\bcmwltry.exe
C:\WINDOWS\system32\kmw_run.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\apvxdwin.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\WebProxy.exe
C:\Documents and Settings\danny\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\danny.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=78622&mkt=en-us
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINDOWS\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\Inicio.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINDOWS\MWW32\manager\mwcpyrt.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1767666652
O20 - Winlogon Notify: geBtRiGX - geBtRiGX.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINDOWS\MWW32\MANAGER\MWMDMSVC.EXE
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe

--
End of file - 5747 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Modem Update Reminder"=C:\WINDOWS\MWW32\manager\mwremind.exe [1999-04-01 202752]
"bcmwltry"=C:\WINDOWS\SYSTEM32\bcmwltry.exe [2003-07-25 462848]
"RemoveCpl"=C:\WINDOWS\SYSTEM32\RemoveCpl.exe [2003-01-15 24576]
"kmw_run.exe"=C:\WINDOWS\SYSTEM32\kmw_run.exe [2005-09-01 118784]
"APVXDWIN"=C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE [2008-07-16 857344]
"SCANINICIO"=C:\Program Files\Panda Security\Panda Antivirus Pro 2009\Inicio.exe [2008-07-07 50432]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Belkin Wireless Utility.lnk - C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
ThinkPad Modem Copyright.lnk - C:\WINDOWS\MWW32\manager\mwcpyrt.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avldr]
C:\WINDOWS\SYSTEM32\avldr.dll [2008-03-18 58672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\geBtRiGX]
geBtRiGX.dll []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\NetMeeting\conf.exe"="C:\Program Files\NetMeeting\conf.exe:*:Disabled:Windows® NetMeeting®"
"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Disabled:Microsoft Management Console"
"C:\WINDOWS\Network Diagnostic\xpnetdiag.exe"="C:\WINDOWS\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

======File associations======

.js - open - C:\PROGRA~1\PANDAS~1\PANDAA~1\PAVSCRIP.EXE "%1" %*
.vbs - open - C:\PROGRA~1\PANDAS~1\PANDAA~1\PAVSCRIP.EXE "%1" %*

======List of files/folders created in the last 1 months======

2008-10-26 01:46:56 ----AC---- C:\DirLook.txt
2008-10-26 00:39:06 ----DC---- C:\Program Files\EsetOnlineScanner
2008-10-26 00:20:15 ----DC---- C:\_OTMoveIt
2008-10-26 00:16:13 ----DC---- C:\WINDOWS\ERDNT
2008-10-26 00:13:58 ----DC---- C:\Program Files\ERUNT
2008-10-21 01:50:15 ----DC---- C:\rsit
2008-10-20 18:00:13 ----AC---- C:\WINDOWS\system32\lvkpc.txt
2008-10-20 17:10:31 ----DC---- C:\Documents and Settings\danny\Application Data\Malwarebytes
2008-10-20 17:10:12 ----DC---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-20 17:10:11 ----DC---- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-16 16:12:33 ----DC---- C:\Program Files\Trend Micro
2008-10-16 13:10:47 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-10-16 13:09:24 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-16 13:07:24 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-10-16 13:01:50 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-10-16 13:00:09 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-10-09 12:49:04 ----DC---- C:\Documents and Settings\danny\Application Data\Macromedia
2008-10-09 12:49:03 ----DC---- C:\Documents and Settings\danny\Application Data\Adobe

======List of files/folders modified in the last 1 months======

2008-10-26 01:46:15 ----DC---- C:\WINDOWS\Prefetch
2008-10-26 00:39:06 ----RDC---- C:\Program Files
2008-10-26 00:38:08 ----SDC---- C:\WINDOWS\Downloaded Program Files
2008-10-26 00:38:03 ----DC---- C:\WINDOWS\system32
2008-10-26 00:33:23 ----DC---- C:\WINDOWS\Temp
2008-10-26 00:16:13 ----DC---- C:\WINDOWS
2008-10-26 00:07:18 ----DC---- C:\WINDOWS\system32\CatRoot2
2008-10-24 23:31:13 ----AC---- C:\WINDOWS\TMP0001.TMP
2008-10-24 23:23:34 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-10-24 23:17:22 ----AD---- C:\WINDOWS\system32\drivers
2008-10-18 16:04:55 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-10-18 14:11:40 ----DC---- C:\WINDOWS\inf
2008-10-16 15:38:47 ----DC---- C:\Program Files\Windows Live Safety Center
2008-10-16 13:58:08 ----AC---- C:\WINDOWS\system.ini
2008-10-16 13:25:11 ----D---- C:\c5cef3b1b7bbe749ffe40a31eec4
2008-10-16 13:10:42 ----HDC---- C:\WINDOWS\$hf_mig$
2008-10-16 13:10:06 ----AC---- C:\WINDOWS\imsins.BAK
2008-10-16 13:04:51 ----DC---- C:\Program Files\Internet Explorer
2008-10-16 13:03:22 ----DC---- C:\WINDOWS\ie7updates
2008-10-15 17:28:36 ----DC---- C:\WINDOWS\system32\Macromed
2008-10-15 15:42:59 ----SHDC---- C:\WINDOWS\Installer
2008-10-15 15:42:58 ----HDC---- C:\Config.Msi
2008-10-15 15:42:57 ----DC---- C:\Program Files\Common Files\Microsoft Shared
2008-10-12 12:22:10 ----DC---- C:\WINDOWS\Help
2008-10-11 15:19:54 ----DC---- C:\WINDOWS\Debug
2008-10-11 14:31:14 ----SDC---- C:\Documents and Settings\danny\Application Data\Microsoft
2008-10-09 14:16:41 ----DC---- C:\WINDOWS\system32\NtmsData
2008-10-08 23:38:00 ----SHDC---- C:\RECYCLER
2008-10-08 23:37:59 ----DC---- C:\Documents and Settings
2008-10-08 23:31:24 ----SHD---- C:\System Volume Information
2008-10-08 23:31:24 ----DC---- C:\WINDOWS\system32\Restore
2008-10-08 23:27:28 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-10-07 14:19:40 ----AC---- C:\WINDOWS\system32\MRT.exe
2008-10-03 12:41:15 ----AC---- C:\WINDOWS\system32\ieframe.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ShldDrv;Panda File Shield Driver; C:\WINDOWS\System32\DRIVERS\ShlDrv51.sys [2008-03-04 41144]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\System32\DRIVERS\AegisP.sys [2007-01-16 17801]
R2 irda;IrDA Protocol; C:\WINDOWS\System32\DRIVERS\irda.sys [2004-08-04 87424]
R2 LxrSII1d;Secure II Driver; \??\C:\WINDOWS\system32\Drivers\LxrSII1d.sys []
R2 PAVDRV;pavdrv; C:\WINDOWS\system32\DRIVERS\pavdrv51.sys [2008-04-28 84024]
R2 PavProc;Panda Process Protection Driver; \??\C:\WINDOWS\system32\DRIVERS\PavProc.sys []
R3 BLKWGN;Belkin Wireless G Notebook Card Service; C:\WINDOWS\System32\DRIVERS\BLKWGN.sys [2005-06-02 463872]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2004-08-04 14080]
R3 ComFiltr;Panda Anti-Dialer; \??\C:\WINDOWS\system32\DRIVERS\COMFiltr.sys []
R3 cwbmidi_device;Crystal WDM MPU-401 UART Driver; C:\WINDOWS\system32\drivers\cwbmidi.sys [2001-08-17 3072]
R3 cwbwdm_device;Crystal WDM Audio Codec Driver; C:\WINDOWS\system32\drivers\cwbwdm.sys [2001-08-17 72832]
R3 KMW_KBD;Kensington Input Devices Class filter driver; C:\WINDOWS\System32\DRIVERS\KMW_KBD.sys [2005-09-01 5760]
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver; C:\WINDOWS\System32\DRIVERS\KMW_SYS.sys [2005-09-01 92032]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 neo20xx;neo20xx; C:\WINDOWS\System32\DRIVERS\neo20xx.sys [2001-08-17 39264]
R3 NSCIRDA;NSC Infrared Device Driver; C:\WINDOWS\System32\DRIVERS\nscirda.sys [2004-08-04 28672]
R3 PavTPK.sys;PavTPK.sys; \??\C:\WINDOWS\system32\PavTPK.sys []
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\System32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 ThinkPadDSP;ThinkPad DSP Driver Service; C:\WINDOWS\System32\DRIVERS\mwwdm.sys [1999-09-24 39200]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 wlanndi5;wlanndi5 NDIS Protocol Driver; \??\C:\WINDOWS\System32\wlanndi5.SYS []
S3 DSB650TX;D-Link DSB-650TX USB 10/100 Ethernet Adapter; C:\WINDOWS\System32\DRIVERS\DSB650TX.sys [2001-09-25 26958]
S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 TVICHW32;TVICHW32; \??\C:\WINDOWS\System32\DRIVERS\TVICHW32.SYS []
S3 TwoTrack;IBM PS/2 TrackPoint Filter Driver; C:\WINDOWS\System32\DRIVERS\TwoTrack.sys [2001-08-17 11520]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys []
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-18 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ACS;Atheros Configuration Service; C:\WINDOWS\system32\acs.exe [2005-05-05 36864]
R2 Gwmsrv;Panda Goodware Cache Manager; C:\WINDOWS\system32\svchost -k Panda []
R2 Irmon;Infrared Monitor; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 Panda Software Controller;Panda Software Controller; C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe [2008-07-16 181504]
R2 PAVFNSVR;Panda Function Service; C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe [2008-07-10 169216]
R2 PavPrSrv;Panda Process Protection Service; C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe [2008-02-04 62768]
R2 PAVSRV;Panda On-Access Anti-Malware Service; C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe [2008-07-04 288512]
R2 ProtexisLicensing;ProtexisLicensing; C:\WINDOWS\system32\PSIService.exe [2007-06-05 177704]
R2 PSIMSVC;Panda IManager Service; C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe [2008-06-19 108288]
R2 PskSvcRetail;Panda PSK service; C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe [2008-06-25 28928]
R2 ThinkPadModemService;ThinkPad Modem Service; C:\WINDOWS\MWW32\MANAGER\MWMDMSVC.EXE [1999-09-24 50688]
R2 TPSrv;Panda TPSrv; C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe [2008-07-17 157440]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S4 LxrSII1s;Lexar Secure II; C:\WINDOWS\SYSTEM32\LxrSII1s.exe [2006-01-09 49152]

-----------------EOF-----------------
steeldarkstar
Active Member
 
Posts: 8
Joined: October 16th, 2008, 3:38 pm
Location: TRF Mn

Re: Fake microsoft style (warning shield popup) "VIRUS ALERT"

Post by steeldarkstar » October 26th, 2008, 3:09 am

Found out what the repeated restart problem was: my alternate power supply cord was cracked/stretched. I repaired it and it starts fine now, so I will have no problem finishing your instructions in a prompt & timely fashion as you help me fix my computer. Funny thing though, my clock was correct but the date was a day behind; I corrected it before I sent you the logs that you asked for, just forgot to put it in my reply along with the logs.
steeldarkstar
Active Member
 
Posts: 8
Joined: October 16th, 2008, 3:38 pm
Location: TRF Mn

Re: Fake microsoft style (warning shield popup) "VIRUS ALERT"

Post by Rodav » October 26th, 2008, 1:17 pm

I'm not sure what happened to OTMoveIt3; it seemed to have worked for the most part except for one entry, which was just a leftover and can be fixed with HijackThis anyway. Things are looking much better. You could do with some extra RAM from the look of it, but it might not be any issue unless you were to start using some resource-intensive programs.


Step 1:
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O20 - Winlogon Notify: geBtRiGX - geBtRiGX.dll (file missing)

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application and Restart your computer.


Step 2:
Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close

Now remove old, infected System Restore points:
Next click Start->Run and type cleanmgr in the box and press OK
Ensure the boxes for Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
Press OK and Yes to confirm


Step 3:
  • Double-click OTMoveIt3.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

You can also delete Dirlook.exe and RSIT.exe as they are no longer needed and any logs produced. You can keep Malwarebytes and ERUNT if you find them useful.


Your logs are now clean. :D :D
If you still feel you are having any issues please let me know now, otherwise read through and proceed with the following:


Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints. You need to be registered to post, as unfortunately we were hit with too many spam postings to allow guest posting to continue; just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • Install a Hosts File
    I recommend MVPS Hosts File
    Every version of Windows includes a hosts file. A hosts file is a bit like a phone book: it maps the human-friendly name of a website to its actual numeric address (i.e. the IP address). This feature can be used to block malicious websites.
    On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here
  • Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program. If you want to help the developer of the program and get more information about the programs that you see in WinPatrol, please check out WinPatrol Plus. It does not need a new download.
  • The last and most important thing I can tell you is UPDATE, UPDATE, UPDATE.
    If you don't update your security programs (Antivirus, Antispyware, even Windows) then you are at risk.
    Malware changes on a day to day basis. You should update every week at the very least.

Miekiemoes, an expert in malware removal, has a fantastic article on how to prevent malware with further tips; it's well worth a read. http://users.telenet.be/bluepatchy/miek ... ntion.html

Please reply to this topic one more time so I know you have read through it or with any questions you may have.
Rodav
MRU Master Emeritus
 
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.
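The O20 entry fixed in Step 1 is a Winlogon Notify package, a DLL that winlogon.exe loads at every logon, which is why rogue antivirus families plant a randomly named DLL there. As an added example (not the helper's code and not part of HijackThis or RSIT), this parses the O20 lines of a HijackThis log and the Winlogon\Notify sections of an RSIT log like the one posted above and reports which entries deserve attention; the sample log text is constructed from the shape of this thread's logs.

```python
import re
from dataclasses import dataclass

# Constructed samples, shaped like the logs posted in this thread.
SAMPLE_HJT = r"""
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: geBtRiGX - geBtRiGX.dll (file missing)
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
"""

SAMPLE_RSIT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avldr]
C:\WINDOWS\SYSTEM32\avldr.dll [2008-03-18 58672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\geBtRiGX]
geBtRiGX.dll []
"""

HJT_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$")
RSIT_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\(?P<key>[^\]]+)\]$", re.IGNORECASE)
RSIT_VAL = re.compile(r"^(?P<dll>.+?) \[(?P<meta>[^\]]*)\]$")
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass(frozen=True)
class NotifyEntry:
    source: str    # "hjt" or "rsit"
    key: str       # registry subkey name under Winlogon Notify
    dll: str       # DllName value exactly as the tool printed it
    present: bool  # False when the tool could not find the DLL on disk


def parse_hjt(text):
    """Return one NotifyEntry per O20 line of a HijackThis 2.x log."""
    out = []
    for line in text.splitlines():
        m = HJT_O20.match(line.strip())
        if m:
            out.append(NotifyEntry("hjt", m["key"], m["dll"], m["missing"] is None))
    return out


def parse_rsit(text):
    """Return one NotifyEntry per Winlogon Notify section of an RSIT log.

    RSIT prints '[date size]' after the DLL only when it found the file;
    an empty '[]' means the file was not found.
    """
    out, key = [], None
    for line in text.splitlines():
        line = line.strip()
        k = RSIT_KEY.match(line)
        if k:
            key = k["key"]
            continue
        v = RSIT_VAL.match(line) if key else None
        if v:
            out.append(NotifyEntry("rsit", key, v["dll"], bool(v["meta"].strip())))
            key = None
    return out


def assess(entry):
    """Return the reasons an entry deserves attention; an empty list means it looks normal."""
    reasons = []
    if not entry.present:
        reasons.append("file missing: dangling DllName left behind after removal; "
                       "HijackThis 'Fix checked' deletes the registry entry")
    if not re.match(r"^[A-Za-z]:\\", entry.dll):
        reasons.append("bare filename: resolved through the loader's DLL search order, not a fixed path")
    elif not entry.dll.lower().startswith(SYSTEM32):
        reasons.append("DLL outside System32, unusual for a Winlogon notification package")
    return reasons


def triage(*entry_lists):
    """Merge entries from several logs into {key: [reasons]} for flagged keys only."""
    flagged = {}
    for entries in entry_lists:
        for e in entries:
            for reason in assess(e):
                bucket = flagged.setdefault(e.key, [])
                if reason not in bucket:
                    bucket.append(reason)
    return flagged


if __name__ == "__main__":
    for key, reasons in triage(parse_hjt(SAMPLE_HJT), parse_rsit(SAMPLE_RSIT)).items():
        print(key, "->", "; ".join(reasons))
```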

Re: Fake microsoft style (warning shield popup) "VIRUS ALERT"

Post by steeldarkstar » October 26th, 2008, 9:04 pm

I did as instructed with Hijack This, I Put a check beside, O20 - Winlogon Notify: geBtRiGX - geBtRiGX.dll (file missing)
-----------------------------------------
Created a new clean System Restore named (All Clean System Restore Point) & then did a disc cleanup & also Removed old System Restore points
-------------------------------------------------------------------
Ran OTMoveIt3.exe and clicked the CleanUp button
-----------------------------------------------------------
Deleted Dirlook.exe and RSIT.exe, ERUNT and all other programs except Malwarebytes & HijackThis (I will delete this later?). I am concerned about installing Microsoft Service Pack 3; do I need it? I had major problems installing it on my desktop PC, and that computer has the same size (GB) disk space and runs the same programs as I had on this computer before I uninstalled them. After we repair this one you are helping me with I will put the programs back on this disc (Corel photo studio, Adobe 3D studio and a few other non-problem-oriented programs).
-----------------------------------------------------------------------------------------
Did this,
Internet Explorer more secure
Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK
-----------------------------------------------------------------------------------------
I don't think the MVPS Hosts File was installed right (it was really hard just to find out where to click for the file download; also I hope I clicked the correct one). I followed all the instructions but found there were conflicting installation instructions: Click Start > Run, type services.msc & click OK.
In the list, find the service called DNS Client & double click on it. On the dropdown box, change the setting from automatic to Manual. (Have a look at this tutorial to help you get started with the program - this was a dead link.) (On the site it says to change it to manual & on XP recommends Disabled.) This didn't make any sense, plus they had no instructions for using WinRAR on the zip download? Is there any way to find out if I installed it correctly?
-----------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:46:28 AM, on 10/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRAM FILES\PANDA SECURITY\PANDA ANTIVIRUS PRO 2009\WebProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\MWW32\MANAGER\MWMDMSVC.EXE
C:\WINDOWS\MWW32\MANAGER\MWSSW32.EXE
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\AVENGINE.EXE
C:\WINDOWS\system32\bcmwltry.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\danny\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=78622&mkt=en-us
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINDOWS\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\Inicio.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINDOWS\MWW32\manager\mwcpyrt.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1767666652
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/ ... 586-jc.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINDOWS\MWW32\MANAGER\MWMDMSVC.EXE
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe

--
End of file - 6829 bytes

-------------------------------------------------------------------------------------

I installed WinPatrol and installed Secunia "PSI" Software Inspector & added ESET Online Scanner (just the link) to my All Programs on the start menu (just pasted a shortcut to the website) in the folder (documents and settings\danny\start menu\programs). Please let me know how it's looking; also the computer is running very slow as it takes a long time for a page to load.

Also can you tell me what these files are and why I cannot delete them? It says (is not accessible-ACCESS IS DENIED). They are the ones that just appeared one day as I described in my first entry of this post. They are listed in Local Disk(C:) Folder 1c69e and these are inside it (7bc07bb, update).
Local Disk(C:) Folder c5cef3b1b7bbe749ffe40a31eec4 and inside it are lots of folders but I am locked out; it says (is not accessible-ACCESS IS DENIED). The same thing pops up when I try to delete them (is not accessible-ACCESS IS DENIED)? Thanks
steeldarkstar
Active Member
 
Posts: 8
Joined: October 16th, 2008, 3:38 pm
Location: TRF Mn

Re: Fake microsoft style (warning shield popup) "VIRUS ALERT"

Post by Rodav » October 27th, 2008, 3:51 pm

Hi,

Your computer still looks good from here, as I mentioned earlier you really could do with some extra RAM. It is recommended to run XP with at least 512 MB of RAM, as you can see you are a fair bit short of that: Total RAM: 191 MB (35% free)
This can cause issues particularly with speed if you are using numerous programs at one time or using a resource intensive program.

If you installed a large hosts file without changing your DNS Client settings as described it can seriously slow down your computer. I can check to see if you installed the MVPS hosts file correctly:

Go to Start>Run and highlight the contents of the box below then use CTRL+C to copy them and CTRL+V to paste them into the run dialogue box.

cmd /c copy C:\WINDOWS\system32\drivers\etc\hosts "%userprofile%\desktop\hosts.txt"


Click OK; Notepad will then open with your hosts file. It may take a few moments to appear if the MVPS hosts file is installed, as it is quite big. It should look like this: http://www.mvps.org/winhelp2002/hosts.txt
If it does double check your DNS Client settings as described on the site:
# Start | Run (type) "services.msc" (no quotes)
# Scroll down to "DNS Client", Right-click and select: Properties
# Click the drop-down arrow for "Startup type"
# Select: Manual, or Disabled (recommended) click Apply/Ok and restart

If you don't have it installed let me know and I can guide you through it.


I didn't mean for you to install Secunia "PSI" Software Inspector, only to use their online OSI scanner. You should probably uninstall it as it may also cause slowdowns. An alternative which will do a similar job but may be less resource intensive for you is: http://www.f-secure.com/healthcheck

With regards to updating to SP3, I would recommend you update to it, as sooner or later you will have to if you wish to continue to receive updates. Whenever you do decide to update, make sure all your protection programs are disabled before you install it. Here's some info about SP3: http://www.bleepingcomputer.com/forums/topic146857.html

The folder c5cef3b1b7bbe749ffe40a31eec4 that you can't delete is from Windows Live OneCare. Information about the errors you were getting and how to resolve them is here: http://support.microsoft.com/kb/810881
Rodav
MRU Master Emeritus
 
Posts: 1480
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.
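The copy command above gets the hosts file into a place where it can be read; as an added example (not the helper's code and not from the MVPS project), this reads such a file offline and summarises it: how many MVPS-style blocking entries it has, whether a custom list is installed at all, and the opposite pattern, a legitimate name pointed at an address that is not a loopback or null address, which is how a hosts file gets used to redirect a browser rather than to protect it. The sample content and the list-size threshold are constructed/assumed.

```python
import ipaddress

# Constructed sample hosts file: stock XP lines, two MVPS-style blocking lines,
# and one hijack line (a TEST-NET-2 address, so it resolves nowhere real).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net        # MVPS-style blocking entry
0.0.0.0         tracker.example.org
198.51.100.23   update.microsoft.com   # hijack: an update host sent elsewhere
::1             localhost
"""

BLOCK_TARGETS = {"0.0.0.0", "127.0.0.1", "::1"}    # addresses a blocking list sinks names into
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
CUSTOM_LIST_MIN = 100  # assumption: the stock file has a few lines, a blocking list has thousands


def parse_hosts(text):
    """Return (line_no, ip, name) tuples; comments and malformed lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = str(ipaddress.ip_address(addr))  # normalises and rejects non-addresses
        except ValueError:
            continue
        entries.extend((line_no, ip, n.lower()) for n in names)
    return entries


def summarise(text):
    """Summarise a hosts file: blocking entries, custom-list presence, and hijacks.

    A blocking entry maps a name to a sink address; a hijack maps a name to any
    other address, which deserves a look because it silently overrides DNS.
    """
    entries = parse_hosts(text)
    blocking = [e for e in entries if e[1] in BLOCK_TARGETS and e[2] not in LOOPBACK_NAMES]
    hijacks = [e for e in entries if e[1] not in BLOCK_TARGETS]
    return {
        "entries": len(entries),
        "blocking": len(blocking),
        "custom_list_installed": len(blocking) >= CUSTOM_LIST_MIN,
        "hijacks": hijacks,
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_HOSTS)
    print(report["entries"], "entries,", report["blocking"], "blocking")
    for line_no, ip, name in report["hijacks"]:
        print(f"line {line_no}: {name} -> {ip} (not a blocking address)")
```

On the machine in question, the same summarise() can be run over the hosts.txt that the copy command leaves on the desktop; a large blocking count with DNS Client still set to Automatic is the slowdown case described above.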

Re: Fake microsoft style (warning shield popup) "VIRUS ALERT"

Post by NonSuch » November 1st, 2008, 4:28 pm

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
NonSuch
Administrator
 
Posts: 27302
Joined: February 23rd, 2005, 7:08 am
Location: California