#1
Registered User
Join Date: Sep 2009
Posts: 4
OS: XP service pack 2
Fake antivirus popups, "cannot find logon.exe"
First: I downloaded and unzipped Gmer, but whenever I try to run it, the program looks like it starts scanning and then stops responding?
I keep getting random popups telling me to buy fake antivirus software. Windows Security Center also will randomly pop up and then immediately close. Windows is slow to start after rebooting and I get many error sounds as well as "cannot find logon.exe". Thank you in advance! Here is the DDS report:
#3
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate
Re: Fake antivirus popups, "cannot find logon.exe"
Hi mdakin,
Sorry for the delay in looking into your log, as we are extremely busy in this section of the forums. If you still require assistance and are not seeking help elsewhere, then please carry out my instructions.

Please subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

** Note: Please stick with me until I declare that your system is free from malware. Even though your system may not have any symptoms of malware, it may still be infected. **

--------------------------------------------------------------

Before beginning the proposed fix, read this post completely. Any questions should be kindly asked before proceeding. Ensure that there are no open browsers when carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix. It is IMPORTANT that you don't miss a step and perform everything in the correct order/sequence.

--------------------------------------------------------------

Disable Spybot S&D's TeaTimer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Also see this step-by-step tutorial: http://www.malwarehelp.org/how-to-en...-teatimer.html

Download http://s3.invisionfree.com/HijackThi...ost&id=8231698 and double-click ResetTeaTimer.bat to remove all entries set by TeaTimer.

--------------------------------------------------------------
Last edited by forhockey; 09-20-2009 at 10:56 AM.

#4
Registered User
Join Date: Sep 2009
Posts: 4
OS: XP service pack 2
Re: Fake antivirus popups, "cannot find logon.exe"
Thank you forhockey, here is the combofix log.
|
|
|
|
|
#5
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate
Re: Fake antivirus popups, "cannot find logon.exe"
Hi mdakin,
Open notepad and copy/paste the text in the quotebox below into it:
Code:
Collect::
c:\windows\system32\vafubamu.dll
c:\windows\system32\18C0096FF8.sys
c:\windows\system32\F86F09C018.sys
c:\windows\system32\gobikose.dll

** Disable your AntiVirus before continuing these instructions**
Referring to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you. Post that log in your next reply.
**Note** When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed.
With the above script, ComboFix will capture files to submit for analysis.
Follow the prompts, and post the resulting log, C:\ComboFix.txt. Also, update me on how your system is behaving.
__________________
Proud Member of ASAP Proud Member of UNITE Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support. Donation link for Tech Support Forum
#6
Registered User
Join Date: Sep 2009
Posts: 4
OS: XP service pack 2
Re: Fake antivirus popups, "cannot find logon.exe"
Sorry for the delay in updating. My system is still a bit slow on start up, but I'm not getting "cannot find logon.exe" anymore. I'll also still get random popups from time to time, and today another fake antivirus software tried to install itself. Here is the log:
#7
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate
Re: Fake antivirus popups, "cannot find logon.exe"
Please download Malwarebytes' Anti-Malware to your desktop.