Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page Popunders and can't update Windows XP
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
 
LinkBack Thread Tools
Old 06-09-2008, 09:23 AM   #1 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 36
OS: xp


Popunders and can't update Windows XP
Hi

I hope I’ve added and attached the logs you want. The problem I have is continual adverts which appear as full screen underneath the open window. Additionally I cannot install Windows updates. I’m running Computer Associates anti virus/spam/firewall suite which doesn’t report a problem. I thought at first I had a problem with Windows itself so re-installed it – maybe this was the wrong thing to do! It hasn’t really made any difference, the adverts keep appearing and I still can’t install Windows updates.

Thanks for looking at this

Ian



;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-06-08 23:23:38
PROTECTIONS: 1
MALWARE: 4
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
CA Anti-Virus 8.4.0.28 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\ian and joelle.ian-7530fc48f2f\favorites\insurance
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\ian and joelle.ian-7530fc48f2f\favorites\health
00145881 Cookie/NewMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Ian and Joelle.IAN-7530FC48F2F\Cookies\ian_and_joelle@anm.co[2].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Ian and Joelle.IAN-7530FC48F2F\Cookies\ian_and_joelle@adtech[1].txt
02094010 Generic Malware Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{AF248356-1CAA-4B9B-8FD4-0D3FE5106A0E}\RP33\A0001788.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location WZ
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description WZ
;===================================================================================================================================================================================
184380 MEDIUM MS08-002 WZ
184379 MEDIUM MS08-001 WZ
182048 HIGH MS07-069 WZ
182046 HIGH MS07-067 WZ
182043 HIGH MS07-064 WZ
179553 HIGH MS07-061 WZ
176382 HIGH MS07-057 WZ
176383 HIGH MS07-058 WZ
170911 HIGH MS07-050 WZ
170907 HIGH MS07-046 WZ
170906 HIGH MS07-045 WZ
170904 HIGH MS07-043 WZ
164915 HIGH MS07-035 WZ
164913 HIGH MS07-033 WZ
164911 HIGH MS07-031 WZ
160623 HIGH MS07-027 WZ
157262 HIGH MS07-022 WZ
157261 HIGH MS07-021 WZ
157260 HIGH MS07-020 WZ
157259 HIGH MS07-019 WZ
156477 HIGH MS07-017 WZ
150253 HIGH MS07-016 WZ
150249 HIGH MS07-013 WZ
150248 HIGH MS07-012 WZ
150247 HIGH MS07-011 WZ
150243 HIGH MS07-008 WZ
150242 HIGH MS07-007 WZ
150241 MEDIUM MS07-006 WZ
145501 HIGH MS07-004 WZ
141034 HIGH MS06-076 WZ
141033 MEDIUM MS06-075 WZ
137571 HIGH MS06-070 WZ
133387 MEDIUM MS06-065 WZ
133386 MEDIUM MS06-064 WZ
133385 MEDIUM MS06-063 WZ
133379 HIGH MS06-057 WZ
129977 MEDIUM MS06-053 WZ
129976 MEDIUM MS06-052 WZ
126093 HIGH MS06-051 WZ
126092 MEDIUM MS06-050 WZ
126087 HIGH MS06-046 WZ
126086 MEDIUM MS06-045 WZ
126082 HIGH MS06-041 WZ
126081 HIGH MS06-040 WZ
123421 HIGH MS06-036 WZ
123420 HIGH MS06-035 WZ
120825 MEDIUM MS06-032 WZ
120823 MEDIUM MS06-030 WZ
120818 HIGH MS06-025 WZ
120815 HIGH MS06-022 WZ
117384 MEDIUM MS06-018 WZ
114666 HIGH MS06-015 WZ
108744 MEDIUM MS06-008 WZ
108743 MEDIUM MS06-007 WZ
108742 MEDIUM MS06-006 WZ
104567 HIGH MS06-002 WZ
104237 HIGH MS06-001 WZ
96574 HIGH MS05-053 WZ
93395 HIGH MS05-051 WZ
93394 HIGH MS05-050 WZ
93454 MEDIUM MS05-049 WZ
;===================================================================================================================================================================================


Deckard's System Scanner v20071014.68
Run by Ian and Joelle on 2008-06-09 16:00:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
46: 2008-06-09 15:00:28 UTC - RP46 - Deckard's System Scanner Restore Point
45: 2008-06-08 16:51:29 UTC - RP45 - Unsigned driver install
44: 2008-06-08 08:39:51 UTC - RP44 - Software Distribution Service 3.0
43: 2008-06-08 08:29:35 UTC - RP43 - Software Distribution Service 3.0
42: 2008-06-08 08:29:14 UTC - RP42 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-06-05 15:40:50 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-09 16:02:07
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.5730.13)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Logishrd\LVCOMSER\LVComSer.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\Retrospect\Retrospect Express HD 1.1\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\Khooker.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2J1.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Logishrd\LComMgr\Communications_Helper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Documents and Settings\Ian and Joelle.IAN-7530FC48F2F\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.co.uk/ws/eBayISAPI.dl...grateVisitor=3
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {E1BACF55-35E1-4E47-9247-2D48660E5545} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -on
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB001" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BBC Alerts] "C:\Program Files\BBC Alerts\BBC_Alerts.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [cemqkoq] c:\documents and settings\ian and joelle.ian-7530fc48f2f\local settings\application data\cemqkoq.exe cemqkoq
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - (no file)
O9 - Extra button: (no name) - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/appl...orLauncher.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1194202916155
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.co.uk/downlo...2/axofupld.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\Logishrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logishrd\SrvLnch\SrvLnch.exe
O23 - Service: MaxSyncService (NTService1) - Unknown owner - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\Program Files\Retrospect\Retrospect Express HD 1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\Program Files\Retrospect\Retrospect Express HD 1.1\retrorun.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe


--
End of file - 13825 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
R1 SiSEsc (SISLIB_ESC) - c:\windows\system32\sisesc.sys
R1 SiSkp - c:\windows\system32\drivers\srvkp.sys <Not Verified; Silicon Integrated Systems Corporation; SiS (R) WindowsXP Display Manager>
R3 ASAPIW2k - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; Pinnacle Systems GmbH; asapi>
R3 EL2000 (3Com 3C2000x EtherLink XL Adapter) - c:\windows\system32\drivers\el2k_xp.sys <Not Verified; 3Com Corporation; 3Com Gigabit NIC (3C2000 Family)>

S2 tcaicchg - c:\windows\system32\tcaicchg.sys (file missing)
S2 TCAITDI (TCAITDI Protocol) - c:\windows\system32\drivers\tcaitdi.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 NTService1 (MaxSyncService) - "c:\program files\maxtor\onetouch\utils\syncservices.exe" <Not Verified; ; SyncServices>
R2 RetroExpLauncher (Retrospect Express HD Launcher) - c:\progra~1\retros~1\retros~1.1\retrorun.exe <Not Verified; EMC Dantz; Retrospect Express HD>

S2 RetroExp Helper (Retrospect Express HD Helper) - "c:\program files\retrospect\retrospect express hd 1.1\rthlpsvc.exe" <Not Verified; EMC Dantz; Retrospect Express HD>
S3 WLSetupSvc (Windows Live Setup Service) - "c:\program files\windows live\installer\wlsetupsvc.exe" <Not Verified; Microsoft Corporation; Windows Live installer>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_1813&DEV_4000&SUBSYS_00000000&REV_02\4&1F7DBC9F&0&48F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_1813&DEV_4000&SUBSYS_00000000&REV_02\4&1F7DBC9F&0&48F0
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-06-09 15:33:39 440 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{7EEAB4C9-F007-42E5-81E9-E64DBFE80633}.job
2008-06-09 15:32:30 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-06-04 17:39:56 474 --a------ C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Ian and Joelle at 17 39.job
2008-06-02 14:30:06 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-09 and 2008-06-09 -----------------------------

2008-06-08 17:43:57 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-07 23:36:24 0 d-------- C:\ie-spyad_zo
2008-06-07 23:26:32 0 d-------- C:\Program Files\SpywareBlaster
2008-06-07 22:03:31 0 d-------- C:\Program Files\Panda Security
2008-06-06 15:12:11 0 d-------- C:\Program Files\Lavasoft
2008-06-06 15:11:35 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-05 1602 0 d-------- C:\WINDOWS\Prefetch
2008-06-03 12:04:28 0 d-------- C:\Program Files\Windows Defender
2008-06-02 17:39:07 172032 --a------ C:\WINDOWS\system32\binkw32.dll
2008-06-01 17:28:13 80896 --a------ C:\WINDOWS\system32\Winstr.dll <Not Verified; EIDOS Technologies; ESCAPE VideoStudio 2.0>
2008-06-01 17:28:13 89600 --a------ C:\WINDOWS\system32\Winsdec.dll <Not Verified; EIDOS Technologies; ESCAPE VideoStudio 2.0>
2008-06-01 17:28:13 60416 --a------ C:\WINDOWS\system32\Winplay.dll <Not Verified; EIDOS Technologies; ESCAPE VideoStudio 2.0>
2008-06-01 17:28:13 117248 --a------ C:\WINDOWS\system32\Edec.dll <Not Verified; EIDOS Technologies; ESCAPE VideoStudio 2.0>
2008-06-01 17:28:13 98816 --a------ C:\WINDOWS\system32\Dec130.dll <Not Verified; Eidos plc; ESCAPE VideoStudio 2.0>
2008-06-01 17:28:13 0 d-------- C:\Program Files\Core Design
2008-06-01 17:02:09 0 d-------- C:\TOMBRAID
2008-05-29 16:52:52 0 d-------- C:\Program Files\PestPatrol
2008-05-28 17:55:26 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-05-27 14:42:19 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-05-26 00:02:56 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Sandlot Games
2008-05-25 12:24:36 0 d-------- C:\Documents and Settings\Ian and Joelle.IAN-7530FC48F2F\Application Data\MysteryStudio
2008-05-23 18:52:20 0 d-------- C:\Documents and Settings\Ian and Joelle.IAN-7530FC48F2F\Application Data\SultansLabyrinth
2008-05-22 22:41:33 0 d-------- C:\Program Files\InternetGameBox
2008-05-14 20:34:59 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\WildTangent


-- Find3M Report ---------------------------------------------------------------

2008-06-09 15:56:37 0 d-------- C:\Documents and Settings\Ian and Joelle.IAN-7530FC48F2F\Application Data\Skype
2008-06-09 15:31:17 0 d-------- C:\Documents and Settings\Ian and Joelle.IAN-7530FC48F2F\Application Data\skypePM
2008-06-06 15:11:35 0 d-------- C:\Program Files\Common Files
2008-06-05 15:54:21 23312 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-05-21 17:43:05 0 d-------- C:\Program Files\Bonusprint PhotoBook Editor
2008-05-21 17:39:11 0 d-------- C:\Program Files\Yahoo!
2008-04-30 23:50:23 0 d-------- C:\Program Files\PopCap Games
2008-04-30 23:44:02 0 d-------- C:\Documents and Settings\Ian and Joelle.IAN-7530FC48F2F\Application Data\Yahoo!
2008-04-30 23:43:40 0 d-------- C:\Program Files\Yahoo! Games
2008-04-19 11:27:40 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-13 1825 0 d-------- C:\Program Files\Java
2008-04-12 01:18:23 0 d-------- C:\Program Files\bfgclient


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TCASUTIEXE"="TCAUDIAG -on" []
"SiS KHooker"="C:\WINDOWS\system32\khooker.exe" [09/04/2003 08:44]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [16/08/2007 22:25]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [11/10/2007 16:03]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [20/08/2007 13:42]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [22/05/2008 15:55]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [22/05/2008 15:55]
"@"="" []
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [22/05/2008 15:55]
"EPSON Stylus Photo R800"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.exe" [07/08/2003 03:00]
"RegistryMechanic"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [10/03/2004 16:26]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [25/10/2007 17:33]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [25/10/2007 17:37]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [20/09/2007 09:23]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/02/2008 00:13]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [19/02/2008 14:10]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 23:16]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 19:20]
"SoundMan"="SOUNDMAN.EXE" [27/02/2003 07:29 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [28/02/2006 13:00]
"BBC Alerts"="C:\Program Files\BBC Alerts\BBC_Alerts.exe" [11/01/2008 13:35]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [01/02/2008 18:22]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [14/07/2007 00:26]
"cemqkoq"="c:\documents and settings\ian and joelle.ian-7530fc48f2f\local settings\application data\cemqkoq.exe" [05/06/2008 22:46]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
EPSON SMART PANEL for Scanner.lnk - C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe [13/12/2004 18:42:25]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [23/11/2004 17:51 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 18/05/2007 14:30 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RetroExpress]
C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe /h




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8554 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-09 16:04:43 ------------
Attached Files
File Type: txt extra.txt (20.5 KB, 1 views)
ianjones2003 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 06-13-2008, 04:19 AM   #2 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 36
OS: xp


Re: Popunders and can't update Windows XP - Bump, please
I've "bumped" this though I realise you are very busy - it's obvious from the number of posts.

Regards

Ian
ianjones2003 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-13-2008, 08:47 AM   #3 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Popunders and can't update Windows XP
Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.



Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

If you have any questions along the way, STOP and ask them before proceeding.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-13-2008, 01:15 PM   #4 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 36
OS: xp


Re: Popunders and can't update Windows XP
Hello again

I've run CombFix and attached the log. I tried to run Panda ActiveScan again, twice, but both times it exited partway through back to my desktop without completing so can't add a log from that.

Regards

Ian


ComboFix 08-06-11.7 - Ian and Joelle 2008-06-13 16:53:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1879 [GMT 1:00]
Running from: C:\Documents and Settings\Ian and Joelle.IAN-7530FC48F2F\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS\Desktop\internetgamebox.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\InternetGameBox
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\InternetGameBox\InternetGameBox.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\InternetGameBox\Privacy Policy.url
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\InternetGameBox\Terms and Conditions.url
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\InternetGameBox\Uninstall.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\InternetGameBox\Website.url
C:\Documents and Settings\Ian and Joelle.IAN-7530FC48F2F\Local Settings\Application Data\cemqkoq.dat
C:\Documents and Settings\Ian and Joelle.IAN-7530FC48F2F\Local Settings\Application Data\cemqkoq.exe
C:\Documents and Settings\Ian and Joelle.IAN-7530FC48F2F\Local Settings\Application Data\cemqkoq_nav.dat
C:\Documents and Settings\Ian and Joelle.IAN-7530FC48F2F\Local Settings\Application Data\cemqkoq_navps.dat
C:\Program Files\internetgamebox
C:\Program Files\internetgamebox\InternetGameBox.exe
C:\Program Files\internetgamebox\language
C:\Program Files\internetgamebox\ressources\AttenteOff.html
C:\Program Files\internetgamebox\ressources\AttenteOn.html
C:\Program Files\internetgamebox\ressources\configv2_en.xml
C:\Program Files\internetgamebox\ressources\configv2_es.xml
C:\Program Files\internetgamebox\ressources\configv2_fr.xml
C:\Program Files\internetgamebox\ressources\favoris\defaultv2.swf
C:\Program Files\internetgamebox\skins\skinv2.skn
C:\Program Files\internetgamebox\uninst.exe
C:\WINDOWS\Fonts\CALIBRIB.TTF

.
((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 )))))))))))))))))))))))))))))))
.

2008-06-12 19:43 . 2008-06-12 19:43 <DIR> d-------- C:\Program Files\Sierra On-Line
2008-06-12 19:42 . 2008-06-12 19:43 388 --a------ C:\WINDOWS\SIERRA.INI
2008-06-10 21:38 . 2008-06-10 21:38 <DIR> d-------- C:\Program Files\Nelson Thornes
2008-06-09 15:59 . 2008-06-09 15:59 <DIR> d-------- C:\Deckard
2008-06-08 17:43 . 2008-06-10 20:36 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-07 23:36 . 2008-06-07 23:36 <DIR> d-------- C:\ie-spyad_zo
2008-06-07 23:26 . 2008-06-07 23:26 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-07 22:03 . 2008-06-07 22:03 <DIR> d-------- C:\Program Files\Panda Security
2008-06-06 15:12 . 2008-06-06 15:12 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-06 15:11 . 2008-06-06 15:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-05 16:01 . 2006-02-28 13:00 571,392 --a--c--- C:\WINDOWS\system32\dllcache\tintlgnt.ime
2008-06-05 16:00 . 2006-02-28 13:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-06-05 15:59 . 2006-02-28 13:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-06-05 15:58 . 2006-02-28 13:00 290,816 --a--c--- C:\WINDOWS\system32\dllcache\adsiis51.dll
2008-06-05 15:58 . 2006-02-28 13:00 94,720 --a--c--- C:\WINDOWS\system32\dllcache\certmap.ocx
2008-06-05 15:58 . 2006-02-28 13:00 43,520 --a--c--- C:\WINDOWS\system32\dllcache\admwprox.dll
2008-06-05 15:58 . 2003-03-24 16:52 20,540 --a--c--- C:\WINDOWS\system32\dllcache\author.dll
2008-06-05 15:58 . 2003-03-24 16:52 20,540 --a--c--- C:\WINDOWS\system32\dllcache\admin.dll
2008-06-05 15:58 . 2003-03-24 16:52 16,439 --a--c--- C:\WINDOWS\system32\dllcache\author.exe
2008-06-05 15:58 . 2003-03-24 16:52 16,439 --a--c--- C:\WINDOWS\system32\dllcache\admin.exe
2008-06-05 15:56 . 2008-06-05 15:56 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-06-05 15:55 . 2006-02-28 13:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-06-05 15:55 . 2008-06-05 15:55 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-06-05 15:55 . 2008-06-05 15:55 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-06-05 15:55 . 2008-06-05 15:55 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-06-05 15:55 . 2008-06-05 15:55 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-06-05 15:55 . 2008-06-05 15:55 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-06-05 15:53 . 2004-08-04 00:56 152,576 --a------ C:\WINDOWS\system32\irftp.exe
2008-06-05 15:53 . 2004-08-03 23:00 87,424 --a------ C:\WINDOWS\system32\drivers\irda.sys
2008-06-05 15:53 . 2004-08-04 00:56 27,136 --a------ C:\WINDOWS\system32\irmon.dll
2008-06-05 15:53 . 2004-08-04 00:56 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2008-06-05 15:44 . 2006-02-28 13:00 1,086,058 -ra------ C:\WINDOWS\SET43.tmp
2008-06-05 15:44 . 2006-02-28 13:00 1,042,903 -ra------ C:\WINDOWS\SET40.tmp
2008-06-05 15:44 . 2006-02-28 13:00 14,573 -ra------ C:\WINDOWS\SET8B.tmp
2008-06-05 15:44 . 2006-02-28 13:00 13,753 -ra------ C:\WINDOWS\SET4F.tmp
2008-06-05 15:15 . 2006-02-28 13:00 1,086,058 -ra------ C:\WINDOWS\SET42.tmp
2008-06-05 15:15 . 2006-02-28 13:00 1,042,903 -ra------ C:\WINDOWS\SET3F.tmp
2008-06-05 15:15 . 2006-02-28 13:00 14,573 -ra------ C:\WINDOWS\SET8A.tmp
2008-06-05 15:15 . 2006-02-28 13:00 13,753 -ra------ C:\WINDOWS\SET4E.tmp
2008-06-05 14:58 . 2006-02-28 13:00 1,086,058 -ra------ C:\WINDOWS\SET41.tmp
2008-06-05 14:58 . 2006-02-28 13:00 1,042,903 -ra------ C:\WINDOWS\SET3E.tmp
2008-06-05 14:58 . 2006-02-28 13:00 14,573 -ra------ C:\WINDOWS\SET89.tmp
2008-06-05 14:58 . 2006-02-28 13:00 13,753 -ra------ C:\WINDOWS\SET4D.tmp
2008-06-05 14:43 . 2001-08-17 13:51 18,688 --a------ C:\WINDOWS\system32\drivers\irsir.sys
2008-06-05 14:39 . 2001-08-17 13:51 19,584 --a------ C:\WINDOWS\system32\drivers\rasirda.sys
2008-06-05 14:36 . 2006-02-28 13:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-06-05 14:36 . 2006-02-28 13:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-06-05 14:36 . 2006-02-28 13:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-06-05 14:36 . 2006-02-28 13:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-06-05 14:34 . 2008-06-07 22:03 1,043,240 --a------ C:\WINDOWS\setupapi.log.0.old
2008-06-04 17:12 . 2008-06-04 17:12 880,560 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-06-04 17:12 . 2008-06-04 17:12 108,368 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2008-06-03 12:04 . 2008-06-03 12:04 <DIR> d-------- C:\Program Files\Windows Defender
2008-06-02 17:39 . 1999-08-03 10:50 172,032 --a------ C:\WINDOWS\system32\binkw32.dll
2008-06-01 17:28 . 2008-06-02 17:41 <DIR> d-------- C:\Program Files\Core Design
2008-06-01 17:28 . 1997-08-14 16:17 117,248 --a------ C:\WINDOWS\system32\Edec.dll
2008-06-01 17:28 . 1997-08-14 16:31 98,816 --a------ C:\WINDOWS\system32\Dec130.dll
2008-06-01 17:28 . 1997-08-14 16:24 89,600 --a------ C:\WINDOWS\system32\Winsdec.dll
2008-06-01 17:28 . 1997-08-14 11:10 80,896 --a------ C:\WINDOWS\system32\Winstr.dll
2008-06-01 17:28 . 1997-08-14 16:06 60,416 --a------ C:\WINDOWS\system32\Winplay.dll
2008-06-01 17:02 . 2008-06-01 17:19 <DIR> d-------- C:\TOMBRAID
2008-06-01 08:36 . 2008-06-13 11:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-01 08:36 . 2008-06-01 08:36 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-29 16:52 . 2008-06-06 00:34 <DIR> d-------- C:\Program Files\PestPatrol
2008-05-28 18:46 . 2008-05-28 18:49 547 --a------ C:\WINDOWS\wininit.ini
2008-05-28 17:55 . 2008-06-06 00:37 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-28 17:55 . 2008-06-06 00:30 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-05-27 14:42 . 2008-06-06 14:06 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-05-26 00:02 . 2008-05-26 00:02 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Sandlot Games
2008-05-25 12:24 . 2008-05-25 13:20 <DIR> d-------- C:\Documents and Settings\Ian and Joelle.IAN-7530FC48F2F\Application Data\MysteryStudio
2008-05-23 18:52 . 2008-05-23 18:52 <DIR> d-------- C:\Documents and Settings\Ian and Joelle.IAN-7530FC48F2F\Application Data\SultansLabyrinth
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-14 20:34 . 2008-05-14 20:34 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\WildTangent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 15:55 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Kontiki
2008-06-13 15:48 --------- d-----w C:\Documents and Settings\Ian and Joelle.IAN-7530FC48F2F\Application Data\Skype
2008-06-13 15:09 --------- d-----w C:\Documents and Settings\Ian and Joelle.IAN-7530FC48F2F\Application Data\skypePM
2008-06-12 20:58 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-06-12 20:58 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-06-12 20:58 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-06-12 20:58 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-06-12 20:58 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-06-12 20:58 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-06-12 20:58 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-06-12 20:58 281,950 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-06-08 20:30 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-06-07 23:16 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\RetroExp
2008-05-21 16:43 --------- d-----w C:\Program Files\Bonusprint PhotoBook Editor
2008-05-21 16:39 --------- d-----w C:\Program Files\Yahoo!
2008-04-30 22:50 --------- d-----w C:\Program Files\PopCap Games
2008-04-30 22:44 --------- d-----w C:\Documents and Settings\Ian and Joelle.IAN-7530FC48F2F\Application Data\Yahoo!
2008-04-30 22:43 --------- d-----w C:\Program Files\Yahoo! Games
2008-04-29 10:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 10:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 10:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-19 10:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-13 17:06 --------- d-----w C:\Program Files\Java
2008-03-05 16:51 0 ----a-w C:\Program Files\temp01
2007-11-21 12:07 32 ----a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\ezsid.dat
2006-05-21 18:01 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2003-03-12 13:05 433,280 ----a-w C:\WINDOWS\inf\EL2K_N64.sys
2003-03-12 13:05 143,744 ----a-w C:\WINDOWS\inf\EL2K_XP.sys
2003-03-12 13:05 143,616 ----a-w C:\WINDOWS\inf\EL2K_2K.sys
1999-06-25 09:55 149,504 ----a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 13:00 15360]
"BBC Alerts"="C:\Program Files\BBC Alerts\BBC_Alerts.exe" [2008-01-11 13:35 759728]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 00:26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TCASUTIEXE"="TCAUDIAG -on" []
"SiS KHooker"="C:\WINDOWS\system32\khooker.exe" [2003-04-09 08:44 286720]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 22:25 177416]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2007-10-11 16:03 14088]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 13:42 230664]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-05-22 15:55 1193224]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-05-22 15:55 173320]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-05-22 15:55 259336]
"EPSON Stylus Photo R800"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.exe" [2003-08-07 03:00 99840]
"RegistryMechanic"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 16:26 406016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 17:33 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 17:37 2178832]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 09:23 132624]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SoundMan"="SOUNDMAN.EXE" [2003-02-27 07:29 47104 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 13:00 15360]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
EPSON SMART PANEL for Scanner.lnk - C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe [2004-12-13 18:42:25 180224]
Event Planner Reminders Tray Icon.lnk - C:\SIERRA\CardStudio\PLNRnote.exe [2008-06-12 19:43:14 167936]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 17:51 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 14:30 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
--a------ 2005-11-09 16:19 634880 C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RetroExpress]
--a------ 2005-09-21 16:40 18583552 C:\PROGRA~1\RETROS~1\RETROS~1.1\RetroExpress.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\BBC Alerts\BBC_Alerts.exe"= C:\Program Files\BBC Alerts\BBC_Alerts.exe
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\muzapp.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-10-18 10:46]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-05-18 14:30]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-05-18 14:30]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-10-18 14:28]
R1 SiSEsc;SISLIB_ESC;C:\WINDOWS\system32\sisesc.sys [2003-03-26 16:34]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-10-18 10:46]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-11-02 04:54]
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-10-04 09:23]
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-10-18 09:39]
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2007-03-05 19:36]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-09-12 12:02]
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2007-08-16 21:10]
S2 tcaicchg;tcaicchg;C:\WINDOWS\system32\tcaicchg.sys []
S2 TCAITDI;TCAITDI Protocol;C:\WINDOWS\system32\DRIVERS\TCAITDI.sys []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-02 13:30:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-11 16:39:33 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Ian and Joelle at 17 39.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
"2008-06-13 10:10:48 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-06-12 16:41:42 C:\WINDOWS\Tasks\User_Feed_Synchronization-{7EEAB4C9-F007-42E5-81E9-E64DBFE80633}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 16:56:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-13 16:57:40
ComboFix-quarantined-files.txt 2008-06-13 15:57:34

Pre-Run: 30,026,829,824 bytes free
Post-Run: 30,184,546,304 bytes free

243 --- E O F --- 2008-06-08 08:29:37
ianjones2003 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-13-2008, 02:23 PM   #5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Popunders and can't update Windows XP
We'll not worry about the Panda scan at this time.

I should think the popups have stopped, and you should be able to access Windows Updates. Let me know, please.

It does not appear as though DSS was allowed to download and install HijackThis. To produce a HijackThis log for your next reply, please do this:

Please download HijackThis to your desktop

Alternate link

Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-13-2008, 04:17 PM   #6 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 36
OS: xp


Re: Popunders and can't update Windows XP
Hello

We seem to be getting somewhere. The adverts seem to have stopped. I tried updating Windows and it seemed to update some things but gave a message that it hadn't updated "Windows Genuine Advantage Validation Tool (KB892130)".

The HiJackThis log is below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:35:54, on 13/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\khooker.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BBC Alerts\BBC_Alerts.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
C:\SIERRA\CardStudio\PLNRnote.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.co.uk/ws/eBayISAPI.dl...grateVisitor=3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {E1BACF55-35E1-4E47-9247-2D48660E5545} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -on
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB001" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BBC Alerts] "C:\Program Files\BBC Alerts\BBC_Alerts.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\SIERRA\CardStudio\PLNRnote.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/appl...orLauncher.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1194202916155
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.co.uk/downlo...2/axofupld.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\Program Files\Retrospect\Retrospect Express HD 1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 12002 bytes
ianjones2003 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-13-2008, 06:01 PM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Popunders and can't update Windows XP
Let's continue with the cleanup process, and then we'll see about that Windows Update.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-14-2008, 07:28 AM   #8 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 36
OS: xp


Re: Popunders and can't update Windows XP
Thanks again for the response.

A couple of things:

When I boot up and get the choice between a normal Windows start and running the Recovery Console, hitting enter doesn't do anything and neither can I move between the options with the arrow keys. The normal start is highlighted and I just have to wait until the timer counts down. Don't know whether this is relevant (unless I ever need the Recovery Console!)

I followed the instructions about downloding Java and deleting my existing versions, but then when I clicked the Java link I'd saved on the desktop, nothing happened. I checked it and it is jre-6u6-windows-i586-p.1.2D0D17.efw not .exe. I followed the instructions again and the same thing happened. I then went onto the Java site and have downloaded JRE 6 Update 6 a different way. I hope this doesn't matter.

Still no popups!

Ran Kaspersky and Hijackthis scans - logs below.


Regards

Ian

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, June 14, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, June 14, 2008 10:51:01
Records in database: 863350
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 79859
Threat name: 6
Infected objects: 5
Suspicious objects: 3
Duration of the scan: 01:11:05


File name / Threat name / Threats count
C:\Documents and Settings\Ian and Joelle.IAN-7530FC48F2F\Local Settings\Application Data\Identities\{B9065B40-DD68-41F9-9656-0C33A657BCCF}\Microsoft\Outlook Express\CA Anti-Spam.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Ian and Joelle.IAN-7530FC48F2F\Local Settings\Application Data\Identities\{B9065B40-DD68-41F9-9656-0C33A657BCCF}\Microsoft\Outlook Express\Ian.dbx Infected: Trojan-Spy.HTML.Bankfraud.fl 1
C:\Documents and Settings\Ian and Joelle.IAN-7530FC48F2F\Local Settings\Application Data\Identities\{B9065B40-DD68-41F9-9656-0C33A657BCCF}\Microsoft\Outlook Express\Inbox (1).dbx Infected: Trojan-Spy.HTML.Paylap.cf 1
C:\Documents and Settings\Ian and Joelle.IAN-7530FC48F2F\Local Settings\Application Data\Identities\{B9065B40-DD68-41F9-9656-0C33A657BCCF}\Microsoft\Outlook Express\Sent Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Documents and Settings\Ian and Joelle.IAN-7530FC48F2F\My Documents\Downloads\incredimail_install.exe Infected: not-a-virus:Downloader.Win32.ImLoader.g 1
C:\Program Files\Windows Live\Messenger\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cg 1
C:\Program Files\Windows Live\Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cj 1

The selected area was scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:15:44, on 14/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\khooker.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BBC Alerts\BBC_Alerts.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
C:\SIERRA\CardStudio\PLNRnote.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.co.uk/ws/eBayISAPI.dl...grateVisitor=3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {E1BACF55-35E1-4E47-9247-2D48660E5545} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -on
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB001" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BBC Alerts] "C:\Program Files\BBC Alerts\BBC_Alerts.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\SIERRA\CardStudio\PLNRnote.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/appl...orLauncher.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1194202916155
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.co.uk/downlo...2/axofupld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD42/JSCDL/...ws-i586-jc.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Dantz - C:\Program Files\Retrospect\Retrospect Express HD 1.1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Dantz - C:\PROGRA~1\RETROS~1\RETROS~1.1\retrorun.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 12373 bytes
ianjones2003 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-14-2008, 08:36 AM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Popunders and can't update Windows XP
Actually, from looking at the ComboFix log, it seems as though Combofix did not install the recovery Console, and that it may have been already installed. When you attempted to run that part of the ComboFix process, did you receive notification that Recovery Console was already installed?

If you do nothing, Windows will load by default. That said, you should be able to use your down arrow to change the selection. Hopefully you'll never need the Recovery Console, but it's good to have it pre-installed.

I wonder, do you have a USB keyboard? Some USB keyboards do not function well at boottime, until Windows loads.

Looks like the Java you installed is correct. Not sure what happened with your initial download, as it works correctly for me.

=======================

Open NOTEPAD.exe and copy/paste the text in the codebox below into it:
Code:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"C:\Documents and Settings\Ian and Joelle.IAN-7530FC48F2F\My Documents\Downloads\incredimail_install.exe"
"C:\Program Files\Windows Live\Messenger\msimg32.dll"
"C:\Program Files\Windows Live\Messenger\riched20.dll"

) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)

for %%g in (

%systemdrive%\Deckard

) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
del %0
Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Last edited by tetonbob; 06-14-2008 at 08:39 AM.
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-14-2008, 09:10 AM   #10 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 36
OS: xp


Re: Popunders and can't update Windows XP
Hello

When I ran Comcofix it didn't say that Recovery Console was already installed. Until I ran Combofix, the option to start Recovery Console during boot was never offered.

Yes I do have a USB keyboard and I think you are probably right about this. If I ever need recovery console I'll get hold of a non-USB keyboard.

The Java download was a .exe file on the Java page but saved on my desktop as samename.efw (whatever that is).

Ran the fix.bat. Message was deleted successfully!! Press any key to continue.... This I did. A message flashed up to quickly to read, the window closed and fix.bat disappeared from the desktop.

Regards

Ian
ianjones2003 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-14-2008, 09:29 AM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Popunders and can't update Windows XP
Hi Ian -

That's interesting...because the ComboFix log should have had another section amended to it indicating installation.

I'd like to take a quick look and see that all is in order with it and the boot.ini

Please download BootCheck.exe to your desktop.
  • Double click BootCheck.exe to run the check
  • When complete, a Notepad window will open with some text in it
  • Save the Notepad file to your desktop as BootCheck.txt
  • Copy the contents of BootCheck.txt and post it in your next reply

===========

Re: Fix.bat, that's just what we want.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-14-2008, 09:34 AM   #12 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 36
OS: xp


Re: Popunders and can't update Windows XP
Hi

Result of Bootcheck.exe

Regards

Ian



CMDCONS Folder exists!

Contents of C:\boot.ini:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
ianjones2003 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-14-2008, 09:49 AM   #13 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Popunders and can't update Windows XP
This is interesting.

ComboFix assigns a timeout of two seconds. I can see that your boot.ini shows a timeout of 30 seconds. It makes me think that the RC was already installed, but ComboFix always detects that and aborts...so perhaps it was only partially installed. Not sure. I've never encountered this in the thousands of times I've applied this tool.

It's important to know that nothing bad has happened.

We can change that timeout if you like. It will require manual editing of the boot.ini file

First, navigate to C:\boot.ini

Right click, select properties.

Uncheck Read Only. Click OK.

Double click on boot.ini to open it. It will appear as a text file

Alter this line ONLY!

timeout=30

Make it

timeout=2

Close boot.ini and save the changes.

Right click, select Properties, and re-apply Read Only attribute. Click OK.

Now your bootup will only delay by two seconds instead of 30

Let me know how that goes.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Last edited by tetonbob; 06-14-2008 at 09:51 AM.
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-14-2008, 10:27 AM   #14 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 36
OS: xp


Re: Popunders and can't update Windows XP
Hi

Don't quite know how to say this - I can't find the boot.ini file. I've looked in the c:\directory and its not there. I've used the search facility, including searching for hidden files, and can't find it. It does find a file "boot.ini.backup" in C:\windows\pss. This file is below:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

I've not changed it.

Regards

Ian
ianjones2003 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-14-2008, 11:11 AM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Popunders and can't update Windows XP
Hidden and system files should already be visible...but in case they are not..

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-14-2008, 11:37 AM   #16 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 36
OS: xp


Re: Popunders and can't update Windows XP
Hi

It was the "Hide protected operating system files (recommended)" which was checked - the others were OK.

I've modified the boot.ini file to 2 seconds. This has worked when I rebooted.

Where to now?

Regards

Ian
ianjones2003 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-14-2008, 11:40 AM   #17 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Popunders and can't update Windows XP
Great!

We should be done here....

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and use the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • Winpatrol

    Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Last edited by tetonbob; 06-14-2008 at 11:42 AM. Reason: removed AntiVirus and Firewall protection info, you're already protected!
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-14-2008, 01:07 PM   #18 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 36
OS: xp


Re: Popunders and can't update Windows XP
Hi

Thanks for that. I still have the problem of not being able to download Windows updates though. I've just tried again and still have the problem. It fails with the message "Windows Genuine Advantage Validation Tool (KB892130)" hadn't updated. This seems to be stopping any other updates. What can we do about this because, as you say, Microsoft don't issue updates for no reason.

Regards

Ian
ianjones2003 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-14-2008, 01:28 PM   #19 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Re: Popunders and can't update Windows XP
KB892130 has to do with MS WGA (Windows Genuine Advantage)

http://support.microsoft.com/kb/892130

You may need to try a different method of verifying an authentic MS OS

Try visiting this page, and click on Validate Windows button on the right side

http://www.microsoft.com/genuine/downloads/FAQ.aspx

Failing that, you may need to Contact MS.

Further assistance for this issue might be better addressed in the Windows XP section of the forum if still required. This forum is for malware removal.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 06-14-2008, 02:57 PM   #20 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 36
OS: xp


Re: Popunders and can't update Windows XP
Hi

I'll give that a try. If they are as helpful at the XP section of the forum as you have been, I'm sure we can sort it out.

Superb support - Thank you very much.

Regards

Ian
ianjones2003 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
 

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 02:08 PM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85