#1
Registered User
Fake Microsoft Warning of Virus...
... asking to be allowed to download and install some protection scam of some sort.
This is a pop-up that appears in Firefox about two minutes into any search. It claims to be published by Microsoft, but the file name it wants to download clearly is not a Microsoft file. Never downloaded it (as far as I know), but the pop-up is very annoying. I need help removing whatever might be causing it. Thank you so much. I attach a zip file attach.zip which I may or may not have compiled correctly. I did my best, but sometimes that isn't good enough. Sorry if I did that part wrong.

-Karen

DDS (Ver_09-06-26.01) - NTFSx86
Run by TOSHIBA USER at 20:00:24.31 on Mon 07/27/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.264 [GMT -7:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL 9.1\waol.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Common Files\AOL\1116134552\EE\aolsoftware.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\TOSHIBA USER\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://au.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://au.search.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Search_URL = hxxp://au.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://au.search.yahoo.com
mSearch Page = hxxp://au.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://au.search.yahoo.com
uInternet Settings,ProxyOverride = local.
uSearchURL,(Default) = hxxp://au.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://au.search.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {981FE6A8-260C-4930-960F-C3BC82746CB0} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [AOL Fast Start] "c:\program files\aol 9.1\AOL.EXE" -b
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [\\P4-dvd\EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2h1.exe /p39 "\\p4-dvd\EPSON Stylus Photo R200 Series" /O6 "USB003" /M "Stylus Photo R200"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - {1FBA04EE-3024-11D2-8F1F-0000F87ABD16} c:\program files\irfanview\ebay\ebay.htm - c:\program files\irfanview\ebay\ebay.htm\inprocserver32 does not exist!
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: symsupportutil - hxxps://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} - hxxp://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} - hxxp://o.aolcdn.com/pictures/ap/Resources/2.0.8.99/cab/aolpPlugins.10.6.0.6.cab
DPF: {427489F8-A781-42F6-941C-BE458C17CC48} - hxxp://www.mypicturetown.com/P2PwebCmdController/x/Upld_40.CAB
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193626066661
DPF: {6BAB93B7-1917-4214-A7D2-874FA6DB4740} - hxxp://o.aolcdn.com/pictures/ap/Resources/2.0.6.9/cab/aolpPlugins.10.6.0.4.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193626049437
DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://65.110.158.145:9010/activex/AMC.cab
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} - hxxp://cid-6843a08e3f4433e2.spaces.live.com/PhotoUpload/MsnPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37932.2835763889
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} - hxxp://www.stamps.com/download/us/cab/stamps/stamps.cab?r=0.843138477472372&file=stamps.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/activedata/SymAData.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://148.61.63.218/activex/AMC.cab
DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - hxxps://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - hxxp://chat.msn.com/controls/msnchat45.cab
TCP: {E6E71473-7BFF-4A7D-8973-3F49384A0FF5} = 85.255.112.134,85.255.112.10
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\toshib~1\applic~1\mozilla\firefox\profiles\ipoynud5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}(2)
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-4-21 10901]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2002-2-7 5802]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 SOFTXG;YAMAHA XG WDM SoftSynthesizer;c:\windows\system32\drivers\sxgxgwdm.sys [2002-2-5 967040]
S3 PortRST;BaromTec HMS30C6001 Reset Driver;c:\windows\system32\drivers\PortRST.sys [2002-11-28 12721]
S3 SMALUSB;Digital Camera Driver;c:\windows\system32\drivers\smallogi.sys [2004-10-6 11721]
S3 toslane;Toshiba BT-LANE;c:\windows\system32\drivers\tosrflan.sys [2002-2-7 25420]
S3 USBFMC;SvcDesc=USB Flash Memory Controller Service;c:\windows\system32\drivers\fnd6007.sys [2002-11-28 34520]
S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [2007-6-10 40788]
S4 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-5-5 16984]
S4 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2003-5-29 106496]
S4 SpywareCleanerService;SpywareCleanerService; [x]
S4 Tmesbs;Tmesbs32;c:\program files\toshiba\tme3\tmesbs32.exe [2002-2-7 73728]
S4 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2002-2-7 118784]

=============== Created Last 30 ================

2009-07-22 12:33 102,006 a------- c:\windows\hpoins04.dat
2009-07-22 12:33 17,218 -------- c:\windows\hpomdl04.dat
2009-07-22 12:32 <DIR> --d----- c:\temp\HP_WebRelease
2009-07-07 08:35 <DIR> --d----- c:\windows\system32\scripting
2009-07-07 08:35 <DIR> --d----- c:\windows\l2schemas
2009-07-07 08:35 <DIR> --d----- c:\windows\system32\en
2009-07-05 13:01 276,992 -------- c:\windows\system32\wmphoto.dll
2009-07-05 13:01 69,120 -------- c:\windows\system32\wlanapi.dll
2009-07-05 13:01 712,704 -------- c:\windows\system32\windowscodecs.dll
2009-07-05 13:01 346,112 -------- c:\windows\system32\windowscodecsext.dll
2009-07-05 13:01 53,248 -------- c:\windows\system32\tsgqec.dll
2009-07-05 13:01 50,688 -------- c:\windows\system32\tspkg.dll
2009-07-05 12:59 61,440 -------- c:\windows\system32\kmsvc.dll
2009-07-05 12:58 136,192 -------- c:\windows\system32\aaclient.dll
2009-07-04 23:20 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-30 13:19 <DIR> --d----- c:\program files\common files\xing shared
2009-06-28 15:51 <DIR> --d----- c:\docume~1\toshib~1\applic~1\AVS4YOU
2009-06-28 15:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-06-28 15:48 <DIR> --d----- c:\program files\common files\AVSMedia

==================== Find3M ====================

2009-06-16 19:20 262,144 a------- C:\ntuser.dat
2009-05-25 00:24 350,208 a------- c:\windows\system32\mssph.dll
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 21:46 666,624 a------- c:\windows\system32\wininet.dll
2004-04-18 01:04 560 ac------ c:\documents and settings\toshiba user\PCDOC.BAT
2000-01-06 04:50 811 ac------ c:\program files\INSTALL.LOG
1998-12-08 19:53 186,368 a------- c:\program files\common files\IRAREG.DLL
1998-12-08 19:53 99,840 a------- c:\program files\common files\IRAABOUT.DLL
1998-12-08 19:53 70,144 a------- c:\program files\common files\IRAMDMTR.DLL
1998-12-08 19:53 48,640 a------- c:\program files\common files\IRALPTTR.DLL
1998-12-08 19:53 31,744 a------- c:\program files\common files\IRAWEBTR.DLL
1998-12-08 19:53 17,920 a------- c:\program files\common files\IRASRIAL.DLL
2005-05-15 03:21 10,646 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 20:01:19.45 ===============

Last edited by amateur; 07-28-2009 at 01:04 PM. Reason: DDS.txt pasted in
#2
Analyst, Security Team
Join Date: Jan 2009
Posts: 553
OS: N/A
Re: Fake Microsoft Warning of Virus...
Hello and welcome to TSF.

Unfortunately you have a rootkit (backdoor) related infection. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before you connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
-----

If you wish to continue with the disinfection process, please follow the steps below. Otherwise, please let me know.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread: ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.

ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.

~Extremeboy
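The diagnosis in the reply above comes from reading the DDS "Pseudo HJT Report" entries by hand. As an added example, written for this page and not part of the thread nor a feature of DDS or ComboFix, here is a small Python triage script that applies a few of the first-pass checks a helper does by eye: CLSID entries that resolve to "No File", interface DNS servers (the "TCP:" line) outside a trusted set, services whose binary is missing ("[x]"), and Run entries that name an executable without a full path. The report it parses is constructed in the shape of DDS output; its paths, CLSIDs and the 203.0.113.x addresses are invented, and the trusted-DNS list (private ranges only) is an assumption that a real deployment would replace with the site's own resolvers.

```python
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of a DDS "Pseudo HJT Report" plus a
# services section. It is NOT the log from this thread: every path, CLSID
# and address here is invented (203.0.113.0/24 is a documentation range).
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.example.com/
BHO: Example Toolbar Helper: {11111111-2222-3333-4444-555555555555} - c:\program files\example\helper.dll
BHO: 1 (0x1) - No File
TB: {22222222-2222-3333-4444-555555555555} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Updater] "c:\program files\example\updater.exe" -osboot
mRun: [000Hotkey] 000Hotkey.exe
TCP: {33333333-2222-3333-4444-555555555555} = 203.0.113.7,203.0.113.8
TCP: {44444444-2222-3333-4444-555555555555} = 192.168.1.1
R1 exampledrv;exampledrv;c:\windows\system32\drivers\exampledrv.sys [2003-4-21 10901]
S4 PhantomSvc;PhantomSvc; [x]
"""

# Assumption: on a home network the interface's DNS servers should be the
# router or another private address. Replace with the ISP's or corporate
# resolvers when triaging a real machine.
TRUSTED_DNS = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)

ABS_PATH = re.compile(r"^(?:[a-z]:\\|\\\\|%[a-z]+%\\)", re.IGNORECASE)
SERVICE_LINE = re.compile(r"^[RS]\d+ ")
RUN_LINE = re.compile(r"^[um]Run: \[[^\]]*\] (.*)$")


@dataclass(frozen=True)
class Finding:
    kind: str      # short tag for the check that fired
    detail: str    # the value that triggered it
    line: str      # the report line, kept for the reviewer


def run_target(line):
    """Return the executable named by a uRun:/mRun: entry, or None."""
    m = RUN_LINE.match(line)
    if not m:
        return None
    cmd = m.group(1).strip()
    if cmd.startswith('"'):          # quoted path, arguments follow the quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]      # unquoted: first token is the binary


def triage(report, trusted_dns=TRUSTED_DNS):
    """Run the first-pass checks over a DDS-style report; returns Findings."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("- No File"):
            # CLSID still registered but its DLL is gone (orphan, or hidden)
            findings.append(Finding("orphaned-clsid", line.split(" - ")[0], line))
        elif line.startswith("TCP:") and "=" in line:
            # DDS lists the interface's DNS servers after '='
            for s in line.split("=", 1)[1].split(","):
                s = s.strip()
                try:
                    ip = ip_address(s)
                except ValueError:
                    findings.append(Finding("dns-unparsable", s, line))
                    continue
                if not any(ip in net for net in trusted_dns):
                    findings.append(Finding("dns-outside-trusted", str(ip), line))
        elif SERVICE_LINE.match(line) and line.endswith("[x]"):
            # service/driver registered but its binary is not on disk
            findings.append(Finding("service-binary-missing", line.split(";")[0], line))
        else:
            target = run_target(line)
            if target is not None and not ABS_PATH.match(target):
                # bare filename: resolved via the search path, easy to shadow
                findings.append(Finding("run-relative-path", target, line))
    return findings


def summarize(findings):
    """Count findings per check, e.g. {'orphaned-clsid': 2, ...}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.kind:24} {f.detail:40} {f.line}")
    print(summarize(triage(SAMPLE_REPORT)))
```

The output is a list of review flags, not verdicts: "No File" entries are common after ordinary uninstalls, and a DNS server outside the private ranges may simply be the ISP's resolver, so each finding is printed with the original line for a human to judge, which is exactly the judgement the helpers in threads like this one apply.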
#3
Registered User
Re: Fake Microsoft Warning of Virus...
Quote:
ComboFix 09-07-29.04 - TOSHIBA USER 07/30/2009 18:20.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.327 [GMT -7:00]
Running from: c:\documents and settings\TOSHIBA USER\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\Installer\1f6d356.msp
c:\windows\Installer\20987f.msp
c:\windows\Installer\209882.msp
c:\windows\Installer\209909.msp
c:\windows\Installer\249782f.msi
c:\windows\Installer\4c03df1.msp
c:\windows\Installer\66b88.msp
c:\windows\Installer\66c6c.msp
c:\windows\Installer\66c8d.msp
c:\windows\Installer\66d21.msp
c:\windows\Installer\66d36.msp
c:\windows\Installer\66d49.msp
c:\windows\Installer\66d5e.msp
c:\windows\Installer\66d72.msp
c:\windows\Installer\66d85.msp
c:\windows\Installer\66d95.msp
c:\windows\Installer\6e643d9.msp
c:\windows\Installer\7568606.msi
c:\windows\Installer\756860c.msi
c:\windows\Installer\7568612.msi
c:\windows\patch.exe
c:\windows\system32\drivers\MSIVXowfvpibgiuxudririqplrmpjdiorxkvp.sys
c:\windows\system32\FM20(2).DLL
c:\windows\system32\lo2.txtt
c:\windows\system32\MSIVXcount
c:\windows\system32\MSIVXoympubtagswsylnsciyxhmerqhdjoewr.dll
c:\windows\system32\MSIVXygwutewvhfmkfqhtkkdquoqbiqxoyeyn.dll
c:\windows\system32\tmp.reg
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-31 )))))))))))))))))))))))))))))))
.

2009-07-22 19:33 . 2009-07-22 19:35 102006 ----a-w- c:\windows\hpoins04.dat
2009-07-22 19:33 . 2004-06-22 11:20 17218 ------w- c:\windows\hpomdl04.dat
2009-07-22 19:32 . 2009-07-22 19:33 -------- d-----w- c:\temp\HP_WebRelease
2009-07-07 15:35 . 2009-07-07 15:35 -------- d-----w- c:\windows\system32\scripting
2009-07-07 15:35 . 2009-07-07 15:35 -------- d-----w- c:\windows\l2schemas
2009-07-07 15:35 . 2009-07-07 15:35 -------- d-----w- c:\windows\system32\en
2009-07-06 16:54 . 2009-07-06 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-07-06 16:53 . 2009-05-27 04:19 607472 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUpdater\yupdater.exe
2009-07-05 20:01 . 2008-04-14 00:12 276992 ------w- c:\windows\system32\wmphoto.dll
2009-07-05 20:01 . 2008-04-14 00:12 69120 ------w- c:\windows\system32\wlanapi.dll
2009-07-05 20:01 . 2008-04-14 00:12 712704 ------w- c:\windows\system32\windowscodecs.dll
2009-07-05 20:01 . 2008-04-14 00:12 346112 ------w- c:\windows\system32\windowscodecsext.dll
2009-07-05 20:01 . 2008-04-14 00:12 53248 ------w- c:\windows\system32\tsgqec.dll
2009-07-05 20:01 . 2008-04-14 00:12 50688 ------w- c:\windows\system32\tspkg.dll
2009-07-05 19:59 . 2008-04-14 00:11 61440 ------w- c:\windows\system32\kmsvc.dll
2009-07-05 19:58 . 2008-04-14 00:11 136192 ------w- c:\windows\system32\aaclient.dll
2009-07-05 07:33 . 2009-07-05 07:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-07-05 06:20 . 2009-04-29 04:46 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-07-04 21:44 . 2009-07-04 21:44 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-07-04 21:44 . 2009-07-04 21:44 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2009-07-06 16:55 . 2007-03-26 03:01 -------- d--h--r- c:\documents and settings\TOSHIBA USER\Application Data\yahoo!
2009-07-06 16:54 . 2006-07-21 08:14 -------- d-----w- c:\program files\Yahoo!
2009-07-06 16:54 . 2007-03-24 07:05 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2009-07-05 07:43 . 2003-11-03 21:14 -------- d-----w- c:\program files\Google
2009-06-30 20:19 . 2002-02-11 17:53 -------- d-----w- c:\program files\Common Files\Real
2009-06-30 20:19 . 2009-06-30 20:19 -------- d-----w- c:\program files\Common Files\xing shared
2009-06-28 22:51 . 2009-06-28 22:51 -------- d-----w- c:\documents and settings\TOSHIBA USER\Application Data\AVS4YOU
2009-06-28 22:51 . 2009-06-28 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-06-28 22:50 . 2008-08-17 23:54 -------- d-----w- c:\program files\AVS4YOU
2009-06-28 22:50 . 2009-06-28 22:48 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-06-17 02:20 . 2009-06-17 02:20 262144 ----a-w- C:\ntuser.dat
2009-06-17 01:29 . 2004-08-03 15:31 -------- d-----w- c:\program files\DivX
2009-06-17 01:28 . 2005-08-29 01:32 -------- d-----w- c:\program files\Ahead
2009-06-17 01:25 . 2008-02-17 21:48 -------- d-----w- c:\program files\MySpace
2009-06-11 11:16 . 2008-08-23 14:37 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-09 22:25 . 2004-11-24 21:10 -------- d-----w- c:\program files\Java
2009-06-09 22:24 . 2009-06-09 22:24 152576 ----a-w- c:\documents and settings\TOSHIBA USER\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-06 05:58 . 2005-09-18 21:27 -------- d-----w- c:\documents and settings\TOSHIBA USER\Application Data\Image Zone Express
2009-05-25 07:24 . 2008-05-27 05:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-21 18:33 . 2008-12-07 15:42 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-07 15:32 . 2000-01-29 17:36 345600 ----a-w- c:\windows\system32\localspl.dll
1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
2008-10-31 20:56 . 2008-09-30 22:34 134656 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2007-08-13 22:42 . 2007-08-13 22:36 24 -csh--w- c:\windows\S4ED52398.tmp
2005-05-15 10:21 . 2004-08-13 06:55 10646 --sha-w- c:\windows\system32\KGyGaAvL.sys

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"AOL Fast Start"="c:\program files\AOL 9.1\AOL.EXE" [2008-06-03 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2002-01-30 249856]
"\\P4-dvd\EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-30 198160]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-24 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-01-09 19:30 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-10-31 19:01 8704 ----a-w- c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online Tray Icon.lnk
backup=c:\windows\pss\America Online Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Date Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Date Manager.lnk
backup=c:\windows\pss\Date Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor.lnk
backup=c:\windows\pss\Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
backup=c:\windows\pss\NkvMon.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=c:\windows\pss\officejet 6100.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PC Health.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PC Health.lnk
backup=c:\windows\pss\PC Health.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
backup=c:\windows\pss\PrecisionTime.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Search.vbs]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Search.vbs
backup=c:\windows\pss\Search.vbsCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
backup=c:\windows\pss\Symantec Fax Starter Edition Port.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Venturi 2.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Venturi 2.lnk
backup=c:\windows\pss\Venturi 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^winlogin.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\winlogin.exe
backup=c:\windows\pss\winlogin.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^TOSHIBA USER^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\TOSHIBA USER\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^TOSHIBA USER^Start Menu^Programs^Startup^AOL Desktop.lnk]
path=c:\documents and settings\TOSHIBA USER\Start Menu\Programs\Startup\AOL Desktop.lnk
backup=c:\windows\pss\AOL Desktop.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^TOSHIBA USER^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\TOSHIBA USER\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Tmesrv"=2 (0x2)
"Tmesbs"=2 (0x2)
"Bonjour Service"=2 (0x2)
"SpywareCleanerService"=2 (0x2)
"IDriverT"=3 (0x3)
"awhost32"=3 (0x3)
"AOL ACS"=2 (0x2)
"NVSvc"=2 (0x2)
"iPodService"=3 (0x3)
"AVGEMS"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"Venturi2"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"AcrSch2Svc"=2 (0x2)
"Spooler"=2 (0x2)
"usnjsvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"LBTServ"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"PSEXESVC"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\AboutTime\\AboutTime.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\QuickLink Mobile\\QuickLink Mobile.exe"= "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"= "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"= "c:\\WINDOWS\\system32\\java.exe"= "c:\\Program Files\\America Online 9.0a\\waol.exe"= "c:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"= "c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"= "c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"= "c:\\Program Files\\America Online 9.0b\\waol.exe"= "c:\\Program Files\\Common Files\\AOL\\1116134552\\EE\\AOLServiceHost.exe"= "c:\\Program Files\\FileZilla\\FileZilla.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"= "c:\\Program Files\\Common Files\\AOL\\1116134552\\EE\\aolsoftware.exe"= "c:\\Program Files\\Common Files\\AOL\\1116134552\\EE\\aim6.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\AOL 9.0\\waol.exe"= "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\AOL 9.1\\waol.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MSN Messenger\\livecall.exe"= "c:\\Program Files\\Animated GIF producer 4.0\\PRODUCER.EXE"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\AOL 9.0a\\waol.exe"= "c:\\Program Files\\DNA\\btdna.exe"= "c:\\Program Files\\BitTorrent\\bittorrent.exe"= "c:\\Program Files\\FrostWire\\FrostWire.exe"= 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2/7/2002 2:46 PM 5802] R3 SOFTXG;YAMAHA XG WDM SoftSynthesizer;c:\windows\system32\drivers\sxgxgwdm.sys [2/5/2002 12:17 PM 967040] S3 PortRST;BaromTec HMS30C6001 Reset Driver;c:\windows\system32\drivers\PortRST.sys [11/28/2002 11:05 AM 12721] S3 SMALUSB;Digital Camera Driver;c:\windows\system32\drivers\smallogi.sys [10/6/2004 2:17 PM 11721] S3 toslane;Toshiba BT-LANE;c:\windows\system32\drivers\tosrflan.sys [2/7/2002 5:24 PM 25420] S3 USBFMC;SvcDesc=USB Flash Memory Controller Service;c:\windows\system32\drivers\fnd6007.sys [11/28/2002 11:05 AM 34520] S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [6/10/2007 10:41 AM 40788] S4 PSEXESVC;PsExec;c:\windows\PSEXESVC.EXE --> c:\windows\PSEXESVC.EXE [?] S4 SpywareCleanerService;SpywareCleanerService; [x] S4 Tmesbs;Tmesbs32;c:\program files\Toshiba\TME3\tmesbs32.exe [2/7/2002 2:46 PM 73728] S4 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [2/7/2002 2:46 PM 118784] . Contents of the 'Scheduled Tasks' folder 2009-07-31 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-28 01:39] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ uInternet Settings,ProxyOverride = local. 
uSearchURL,(Default) = hxxp://au.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://au.search.yahoo.com IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab DPF: {427489F8-A781-42F6-941C-BE458C17CC48} - hxxp://www.mypicturetown.com/P2PwebCmdController/x/Upld_40.CAB DPF: {6BAB93B7-1917-4214-A7D2-874FA6DB4740} - hxxp://o.aolcdn.com/pictures/ap/Resources/2.0.6.9/cab/aolpPlugins.10.6.0.4.cab DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://148.61.63.218/activex/AMC.cab FF - ProfilePath - c:\documents and settings\TOSHIBA USER\Application Data\Mozilla\Firefox\Profiles\ipoynud5.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p= FF - prefs.js: browser.search.selectedEngine - Yahoo FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p= FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess"); c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess"); c:\program files\Mozilla Firefox\defaults\pref\activex.js - 
pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess"); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-07-30 18:33 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (LocalSystem) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0b,4a,05,e8,98,d4,97,43,91,ec,83,\ "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0b,4a,05,e8,98,d4,97,43,91,ec,83,\ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(548) c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll c:\program files\common files\logishrd\bluetooth\LBTServ.dll . Completion time: 2009-07-31 18:38 ComboFix-quarantined-files.txt 2009-07-31 01:38 ComboFix2.txt 2008-08-23 13:58 Pre-Run: 40,379,359,232 bytes free Post-Run: 40,986,247,168 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn Current=1 Default=1 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5 348 --- E O F --- 2009-07-07 18:23 ================= |
#4
Analyst, Security Team
Join Date: Jan 2009
Posts: 553
OS: N/A
Re: Fake Microsoft Warning of Virus...
Hello.

Let's continue here. A few programs you need to be warned about here.

Peer-to-Peer Programs Warning

Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case uTorrent, BitTorrent and DNA). These programs allow users to share files between them, as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it. It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they are thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world, and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves. Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s), but I suggest you remove them via Add/Remove. However, please refrain from using them until your computer has been declared clean.

Viewpoint Programs Warning

Viewpoint Manager and Viewpoint Media Player are considered foistware rather than malware, since they are installed without the user's approval but don't spy or do anything "bad". This changed from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on Start > Run and then paste the following into the "Open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player. Additional instructions on removing programs can be found here.

---- Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

--- Install Antivirus

An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a (ONE) free anti-virus program from one of the links below. Update it after the installation is complete, please.

--- Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop. alternate download link 1

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link.

Post back with the:
- ComboFix log
- Malwarebytes Anti-Malware log
- New set of DDS logs (Attach.txt and DDS.txt)

Thanks.

With Regards,
Extremeboy
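The analyst above read the ComboFix "Reg Loading Points" section by eye and picked out what did not belong. As an added example (not code from the thread, from DDS, or from ComboFix), the Python script below applies the same reading mechanically to a flattened log: it flags Startup-folder entries whose target is a bare executable or script instead of a .lnk shortcut (the winlogin.exe and Search.vbs entries in the log above), service entries whose binary ComboFix could not resolve, and any port listed as globally open in the XP firewall policy. The sample log is constructed from entries in the logs above; the function names and the reading of ComboFix's "[?]" and "[x]" markers as "file not found" are this example's own assumptions.

```python
"""Triage helper for DDS/ComboFix 'Reg Loading Points' text.

Added example for this thread; it is not part of DDS, ComboFix or the
analyst's instructions. It reads the flattened log and surfaces three
things worth a second look: raw executables or scripts placed directly
in a Startup folder (installers normally drop .lnk shortcuts there),
service entries whose binary could not be resolved (assumed here to be
what ComboFix's '[?]' and '[x]' markers mean), and ports listed as
globally open in the XP firewall policy.
"""
import re

STARTUP_PREFIX = "hklm\\~\\startupfolder\\"
OPEN_PORTS_KEY = "globallyopenports\\list"
PORT_LINE = re.compile(r'^"(\d+):(TCP|UDP)"=')
# R/S + start type, then name;display name;binary path [timestamp size] or [?]/[x]
SERVICE_LINE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*)$")

# Constructed sample input, modelled on entries from the logs in this thread.
SAMPLE_LOG = r"""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Search.vbs]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Search.vbs
backup=c:\windows\pss\Search.vbsCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^winlogin.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\winlogin.exe
backup=c:\windows\pss\winlogin.exeCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2/7/2002 2:46 PM 5802]
S4 PSEXESVC;PsExec;c:\windows\PSEXESVC.EXE --> c:\windows\PSEXESVC.EXE [?]
S4 SpywareCleanerService;SpywareCleanerService; [x]
S4 Tmesbs;Tmesbs32;c:\program files\Toshiba\TME3\tmesbs32.exe [2/7/2002 2:46 PM 73728]
"""


def parse_sections(log):
    """Group non-empty lines under the registry key ([...] line) that precedes them.

    Lines before the first key are grouped under key None.
    """
    sections, key, lines = [], None, []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((key, lines))
            key, lines = line[1:-1], []
        else:
            lines.append(line)
    sections.append((key, lines))
    return sections


def startup_non_shortcuts(log):
    """Startup-folder targets that are not .lnk shortcuts (a bare .exe or .vbs, say)."""
    hits = []
    for key, lines in parse_sections(log):
        if key and key.lower().startswith(STARTUP_PREFIX):
            for line in lines:
                if line.lower().startswith("path="):
                    path = line[5:].strip()
                    if not path.lower().endswith(".lnk"):
                        hits.append(path)
    return hits


def missing_service_binaries(log):
    """Service names whose binary field ends in a '[?]' or '[x]' marker (assumed: file not found)."""
    hits = []
    for line in log.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if m and m.group(2).rstrip().endswith(("[?]", "[x]")):
            hits.append(m.group(1))
    return hits


def globally_open_ports(log):
    """(port, protocol) pairs under the firewall policy's GloballyOpenPorts list."""
    ports = []
    for key, lines in parse_sections(log):
        if key and key.lower().endswith(OPEN_PORTS_KEY):
            for line in lines:
                m = PORT_LINE.match(line)
                if m:
                    ports.append((int(m.group(1)), m.group(2)))
    return ports


def triage(log):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "startup_non_shortcuts": startup_non_shortcuts(log),
        "missing_service_binaries": missing_service_binaries(log),
        "globally_open_ports": globally_open_ports(log),
    }


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LOG).items():
        print(name)
        for item in findings:
            print("   ", item)
```

Each finding is a pointer, not a verdict: a 3389/TCP exception is normal on a machine that is deliberately reachable over Remote Desktop, and a missing service binary is often just a leftover from an uninstall. The value of the script is that it makes the unusual entries impossible to skim past in a log of this length.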
#5
Registered User
Re: Fake Microsoft Warning of Virus...
ComboFix 09-07-29.04 - TOSHIBA USER 07/31/2009 12:34.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.257 [GMT -7:00]
Running from: c:\documents and settings\TOSHIBA USER\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\TOSHIBA USER\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"c:\documents and settings\All Users\Start Menu\Programs\Startup\winlogin.exe"
"c:\windows\S4ED52398.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\S4ED52398.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SPYWARECLEANERSERVICE
-------\Service_SpywareCleanerService


((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-31 )))))))))))))))))))))))))))))))
.

2009-07-22 19:33 . 2009-07-22 19:35 102006 ----a-w- c:\windows\hpoins04.dat
2009-07-22 19:33 . 2004-06-22 11:20 17218 ------w- c:\windows\hpomdl04.dat
2009-07-22 19:32 . 2009-07-22 19:33 -------- d-----w- c:\temp\HP_WebRelease
2009-07-07 15:35 . 2009-07-07 15:35 -------- d-----w- c:\windows\system32\scripting
2009-07-07 15:35 . 2009-07-07 15:35 -------- d-----w- c:\windows\l2schemas
2009-07-07 15:35 . 2009-07-07 15:35 -------- d-----w- c:\windows\system32\en
2009-07-06 16:54 . 2009-07-06 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-07-06 16:53 . 2009-05-27 04:19 607472 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUpdater\yupdater.exe
2009-07-05 20:01 . 2008-04-14 00:12 276992 ------w- c:\windows\system32\wmphoto.dll
2009-07-05 20:01 . 2008-04-14 00:12 69120 ------w- c:\windows\system32\wlanapi.dll
2009-07-05 20:01 . 2008-04-14 00:12 712704 ------w- c:\windows\system32\windowscodecs.dll
2009-07-05 20:01 . 2008-04-14 00:12 346112 ------w- c:\windows\system32\windowscodecsext.dll
2009-07-05 20:01 . 2008-04-14 00:12 53248 ------w- c:\windows\system32\tsgqec.dll
2009-07-05 20:01 . 2008-04-14 00:12 50688 ------w- c:\windows\system32\tspkg.dll
2009-07-05 19:59 . 2008-04-14 00:11 61440 ------w- c:\windows\system32\kmsvc.dll
2009-07-05 19:58 . 2008-04-14 00:11 136192 ------w- c:\windows\system32\aaclient.dll
2009-07-05 07:33 . 2009-07-05 07:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-07-05 06:20 . 2009-04-29 04:46 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-07-04 21:44 . 2009-07-04 21:44 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-07-04 21:44 . 2009-07-04 21:44 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 16:55 . 2007-03-26 03:01 -------- d--h--r- c:\documents and settings\TOSHIBA USER\Application Data\yahoo!
2009-07-06 16:54 . 2006-07-21 08:14 -------- d-----w- c:\program files\Yahoo!
2009-07-06 16:54 . 2007-03-24 07:05 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2009-07-05 07:43 . 2003-11-03 21:14 -------- d-----w- c:\program files\Google
2009-06-30 20:19 . 2002-02-11 17:53 -------- d-----w- c:\program files\Common Files\Real
2009-06-30 20:19 . 2009-06-30 20:19 -------- d-----w- c:\program files\Common Files\xing shared
2009-06-28 22:51 . 2009-06-28 22:51 -------- d-----w- c:\documents and settings\TOSHIBA USER\Application Data\AVS4YOU
2009-06-28 22:51 . 2009-06-28 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-06-28 22:50 . 2008-08-17 23:54 -------- d-----w- c:\program files\AVS4YOU
2009-06-28 22:50 . 2009-06-28 22:48 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-06-17 02:20 . 2009-06-17 02:20 262144 ----a-w- C:\ntuser.dat
2009-06-17 01:29 . 2004-08-03 15:31 -------- d-----w- c:\program files\DivX
2009-06-17 01:28 . 2005-08-29 01:32 -------- d-----w- c:\program files\Ahead
2009-06-17 01:25 . 2008-02-17 21:48 -------- d-----w- c:\program files\MySpace
2009-06-11 11:16 . 2008-08-23 14:37 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-09 22:25 . 2004-11-24 21:10 -------- d-----w- c:\program files\Java
2009-06-09 22:24 . 2009-06-09 22:24 152576 ----a-w- c:\documents and settings\TOSHIBA USER\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-06 05:58 . 2005-09-18 21:27 -------- d-----w- c:\documents and settings\TOSHIBA USER\Application Data\Image Zone Express
2009-05-25 07:24 . 2008-05-27 05:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-21 18:33 . 2008-12-07 15:42 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-07 15:32 . 2000-01-29 17:36 345600 ----a-w- c:\windows\system32\localspl.dll
1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
2008-10-31 20:56 . 2008-09-30 22:34 134656 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2005-05-15 10:21 . 2004-08-13 06:55 10646 --sha-w- c:\windows\system32\KGyGaAvL.sys

.
((((((((((((((((((((((((((((( SnapShot@2009-07-31_01.33.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-31 19:48 . 2009-07-31 19:48 16384 c:\windows\temp\Perflib_Perfdata_144.dat

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"AOL Fast Start"="c:\program files\AOL 9.1\AOL.EXE" [2008-06-03 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="c:\windows\System32\00THotkey.exe" [2002-01-30 249856]
"\\P4-dvd\EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-30 198160]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-24 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-01-09 19:30 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-10-31 19:01 8704 ----a-w- c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online Tray Icon.lnk
backup=c:\windows\pss\America Online Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Date Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Date Manager.lnk
backup=c:\windows\pss\Date Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor.lnk
backup=c:\windows\pss\Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
backup=c:\windows\pss\NkvMon.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=c:\windows\pss\officejet 6100.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PC Health.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PC Health.lnk
backup=c:\windows\pss\PC Health.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
backup=c:\windows\pss\PrecisionTime.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Search.vbs]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Search.vbs
backup=c:\windows\pss\Search.vbsCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
backup=c:\windows\pss\Symantec Fax Starter Edition Port.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Venturi 2.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Venturi 2.lnk
backup=c:\windows\pss\Venturi 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^TOSHIBA USER^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\TOSHIBA USER\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^TOSHIBA USER^Start Menu^Programs^Startup^AOL Desktop.lnk]
path=c:\documents and settings\TOSHIBA USER\Start Menu\Programs\Startup\AOL Desktop.lnk
backup=c:\windows\pss\AOL Desktop.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^TOSHIBA USER^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\TOSHIBA USER\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Tmesrv"=2 (0x2)
"Tmesbs"=2 (0x2)
"Bonjour Service"=2 (0x2)
"IDriverT"=3 (0x3)
"awhost32"=3 (0x3)
"AOL ACS"=2 (0x2)
"NVSvc"=2 (0x2)
"iPodService"=3 (0x3)
"AVGEMS"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"Venturi2"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"AcrSch2Svc"=2 (0x2)
"Spooler"=2 (0x2)
"usnjsvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"LBTServ"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"PSEXESVC"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AboutTime\\AboutTime.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\QuickLink Mobile\\QuickLink Mobile.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\America Online 9.0b\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\1116134552\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Common Files\\AOL\\1116134552\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1116134552\\EE\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Animated GIF producer 4.0\\PRODUCER.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AOL 9.0a\\waol.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2/7/2002 2:46 PM 5802]
R3 SOFTXG;YAMAHA XG WDM SoftSynthesizer;c:\windows\system32\drivers\sxgxgwdm.sys [2/5/2002 12:17 PM 967040]
S3 PortRST;BaromTec HMS30C6001 Reset Driver;c:\windows\system32\drivers\PortRST.sys [11/28/2002 11:05 AM 12721]
S3 SMALUSB;Digital Camera Driver;c:\windows\system32\drivers\smallogi.sys [10/6/2004 2:17 PM 11721]
S3 toslane;Toshiba BT-LANE;c:\windows\system32\drivers\tosrflan.sys [2/7/2002 5:24 PM 25420]
S3 USBFMC;SvcDesc=USB Flash Memory Controller Service;c:\windows\system32\drivers\fnd6007.sys [11/28/2002 11:05 AM 34520]
S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [6/10/2007 10:41 AM 40788]
S4 PSEXESVC;PsExec;c:\windows\PSEXESVC.EXE --> c:\windows\PSEXESVC.EXE [?]
S4 Tmesbs;Tmesbs32;c:\program files\Toshiba\TME3\tmesbs32.exe [2/7/2002 2:46 PM 73728]
S4 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [2/7/2002 2:46 PM 118784]
.
Contents of the 'Scheduled Tasks' folder

2009-07-31 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-28 01:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = local.
uSearchURL,(Default) = hxxp://au.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://au.search.yahoo.com
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {427489F8-A781-42F6-941C-BE458C17CC48} - hxxp://www.mypicturetown.com/P2PwebCmdController/x/Upld_40.CAB
DPF: {6BAB93B7-1917-4214-A7D2-874FA6DB4740} - hxxp://o.aolcdn.com/pictures/ap/Resources/2.0.6.9/cab/aolpPlugins.10.6.0.4.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://148.61.63.218/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\TOSHIBA USER\Application Data\Mozilla\Firefox\Profiles\ipoynud5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX 
POLICIES ---- FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess"); c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess"); c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess"); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-07-31 12:49 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(540) c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll c:\program files\common files\logishrd\bluetooth\LBTServ.dll - - - - - - - > 'explorer.exe'(3500) c:\windows\system32\WPDShServiceObj.dll c:\program files\Common Files\aolshare\aolshcpy.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\AOL\ACS\AOLacsd.exe c:\program files\Java\jre6\bin\jqs.exe c:\windows\system32\searchindexer.exe c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe c:\program files\AOL 9.1\waol.exe c:\windows\system32\wscntfy.exe c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe c:\program files\AOL 9.1\shellmon.exe c:\windows\system32\searchprotocolhost.exe c:\windows\system32\searchfilterhost.exe . 
************************************************************************** . Completion time: 2009-07-31 12:58 - machine was rebooted ComboFix-quarantined-files.txt 2009-07-31 19:58 ComboFix2.txt 2009-07-31 01:38 ComboFix3.txt 2008-08-23 13:58 Pre-Run: 40,966,496,256 bytes free Post-Run: 40,853,336,064 bytes free Current=1 Default=1 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5 327 --- E O F --- 2009-07-07 18:23 |

#6
Registered User
Re: Fake Microsoft Warning of Virus...
Thanks again.
Here is the Malwarebytes log, as requested. I deleted the torrent programs, by the way. -Karen

========================
Malwarebytes' Anti-Malware 1.39
Database version: 2540
Windows 5.1.2600 Service Pack 3

8/1/2009 7:24:17 AM
mbam-log-2009-08-01 (07-24-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 244324
Time elapsed: 1 hour(s), 10 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\codecbho.codecplugin.1 (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\codecbho.xmldomdocumenteventssink.1 (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.AntiVirus2008) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{e6e71473-7bff-4a7d-8973-3f49384a0ff5}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.134,85.255.112.10 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{e6e71473-7bff-4a7d-8973-3f49384a0ff5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.134,85.255.112.10 -> No action taken.

Folders Infected:
C:\Documents and Settings\TOSHIBA USER\Application Data\RegistrySmart (Rogue.RegistrySmart) -> No action taken.
c:\documents and settings\toshiba user\application data\registrysmart\Log (Rogue.RegistrySmart) -> No action taken.
c:\documents and settings\toshiba user\application data\registrysmart\Registry Backups (Rogue.RegistrySmart) -> No action taken.

Files Infected:
c:\QooBox\quarantine\C\WINDOWS\system32\dcads-remove.exe.vir (Adware.DCads) -> No action taken.
c:\QooBox\quarantine\C\WINDOWS\system32\superiorads-uninst.exe.vir (Adware.AdRotator) -> No action taken.
c:\QooBox\quarantine\C\WINDOWS\system32\drivers\MSIVXowfvpibgiuxudririqplrmpjdiorxkvp.sys.vir (Rootkit.Agent) -> No action taken.
c:\system volume information\_restore{4fd4413d-6a99-428e-bc13-79cc5d0909cb}\RP4\A0000002.sys (Rootkit.Agent) -> No action taken.
c:\documents and settings\toshiba user\application data\registrysmart\Log\2008 May 03 - 06_02_08 PM_777.log (Rogue.RegistrySmart) -> No action taken.
c:\documents and settings\toshiba user\application data\registrysmart\registry backups\2008-05-03_18-34-26.reg (Rogue.RegistrySmart) -> No action taken.
========================

#7
Registered User
Re: Fake Microsoft Warning of Virus...
Thank you so much.
I didn't hear back from you, and I had to finish something for work, so I took a chance and moved on without you. It seems to have worked out okay. Again, thanks. -- Karen Kraft

==============================
Malwarebytes' Anti-Malware 1.39
Database version: 2540
Windows 5.1.2600 Service Pack 3

8/1/2009 11:32:10 AM
mbam-log-2009-08-01 (11-32-10).txt

Scan type: Quick Scan
Objects scanned: 100804
Time elapsed: 10 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
==============================

#8
Analyst, Security Team
Join Date: Jan 2009
Posts: 553
OS: N/A
Re: Fake Microsoft Warning of Virus...
No problem.
Thanks for letting me know. The MBAM log looks clean now, that's good. We need to run an online scan now.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used. If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
With Regards, Extremeboy

#9
Registered User
Re: Fake Microsoft Warning of Virus...
Thanks again.
Here's the log:

==============================
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, August 4, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, August 04, 2009 10:18:10
Records in database: 2579300
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 140198
Threat name: 3
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 06:51:45

File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpkw_setupSTUS\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
C:\Program Files\SlySoft\AnyDVD\RgDrvls.exe Infected: Backdoor.Win32.Agent.ahyk 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IS4ED51M\574[1].pdf Infected: Exploit.JS.Pdfka.mq 1

The selected area was scanned.
==============================

#10
Analyst, Security Team
Join Date: Jan 2009
Posts: 553
OS: N/A
Re: Fake Microsoft Warning of Virus...
Hello.
Those look fine. Let's run ATFCleaner to remove those temporary internet files. The others are components that are part of another software.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

Please take a new DDS run and post back with both the DDS and Attach logs and see if there's anything left we can take care of.

~Extremeboy

#11
Registered User
Re: Fake Microsoft Warning of Virus...
Thank you.
It seems okay now. I appreciate your help. I would send you something on PayPal but I'm broke presently. I will try to send you something when I have something to send. Thanks again. -Karen

=========================
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, August 6, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, August 06, 2009 08:09:53
Records in database: 2585984
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\TOSHIBA USER\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 74333
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 03:04:15

No malware has been detected. The scan area is clean.

The selected area was scanned.
=========================

#12
Analyst, Security Team
Join Date: Jan 2009
Posts: 553
OS: N/A
Re: Fake Microsoft Warning of Virus...
Hello.
Quote:
Quote:
With Regards, Extremeboy

#13
Registered User
Re: Fake Microsoft Warning of Virus...
Quote:
--Karen

#14
Analyst, Security Team
Join Date: Jan 2009
Posts: 553
OS: N/A
Re: Fake Microsoft Warning of Virus...
Do you still have the DDS logs for me?
Quote:
~Extremeboy

#15
Analyst, Security Team
Join Date: Jan 2009
Posts: 553
OS: N/A
Re: Fake Microsoft Warning of Virus...
Hello.
Due to lack of feedback, this topic will now be archived. If you need continued support, please begin a new thread. This applies only to the original topic starter. Everyone else please begin a New Topic by following the steps outlined here: http://www.techsupportforum.com/secu...oval-help.html

Thanks.

With Regards, Extremeboy