Avast WEBforum

Other => General Topics => Topic started by: rtate69 on November 23, 2007, 04:43:30 PM

Title: fake windows security alert....control panel is gone
Post by: rtate69 on November 23, 2007, 04:43:30 PM
Hello, I am getting a fake Windows security alert. Whatever this is disabled Control Panel and avast is no longer running in the task bar. Anyone have any ideas how to get rid of this? I used ComboFix and now have Control Panel back. I have scanned with SUPERAntiSpyware. Any ideas?
Title: Re: fake windows security alert....control panel is gone
Post by: DavidR on November 23, 2007, 05:43:06 PM
For the fake security alert, try this tool, RogueRemover, available here http://www.malwarebytes.org/rogueremover.php (http://www.malwarebytes.org/rogueremover.php).

What did SAS find?

What avast processes are running in Task Manager? They begin with ash or asw, see image.

(http://img.photobucket.com/albums/v325/for-dwr/ashresources.gif)

The control panel is a strange one, but it is probably being blocked, and Task Manager, regedit and msconfig might possibly also be blocked. What is it you are trying to access in the control panel?
Title: Re: fake windows security alert....control panel is gone
Post by: Lisandro on November 23, 2007, 06:08:47 PM
I suggest you test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest AVG (http://www.grisoft.com/doc/download-free-anti-rootkit/us/crp/0) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp) too.
Title: Re: fake windows security alert....control panel is gone
Post by: rtate69 on November 23, 2007, 08:56:14 PM
Thanks, I will try RogueRemover. I ran ComboFix so I do have Control Panel back, but avast was taken out of my start up.
Title: Re: fake windows security alert....control panel is gone
Post by: Lisandro on November 23, 2007, 08:57:19 PM
but avast was taken out of my start up.
1. Check the option in the Appearance tab of settings.
or
2. Repair your avast installation through Control Panel.
or
3. Make a link to ashdisp.exe in your startup folder
or
4. Add the path to ashDisp.exe into a value named avast! in the Windows Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
See picture here: http://forum.avast.com/index.php?topic=26155.msg213891#msg213891

If that does not help, please, uninstall, boot, install again, boot.
Title: Re: fake windows security alert....control panel is gone
Post by: DavidR on November 23, 2007, 10:00:14 PM
Thanks, I will try RogueRemover. I ran ComboFix so I do have Control Panel back, but avast was taken out of my start up.

The most usual suspects for taking out the ashDisp.exe (avast icon and interface to settings, etc.).

What other security based software do you have that might block new startup entries, e.g. Spybot S&D (TeaTimer), AdAware (AdWatch), SpySweeper, Spyware Doctor (StartUpGuard or OnGuard), PrevX, WinPatrol, ProcessGuard, etc. ?
Title: Re: fake windows security alert....control panel is gone
Post by: rtate69 on November 24, 2007, 04:52:40 AM
I think I have found out what I have. One of the start up items I have is called timoty.exe (Vundo?).
I tried the two things you guys suggested but to no avail. I am unable to access Add/Remove Programs to reinstall avast. Any suggestions?
Title: Re: fake windows security alert....control panel is gone
Post by: rtate69 on November 24, 2007, 05:49:25 AM
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23:43, on 2007-11-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\timoty.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Bobby\Desktop\HiJackThis_v2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [froody] C:\WINDOWS\system32\timoty.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Magnify] Magnify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [froody] C:\WINDOWS\system32\timoty.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Magnify] Magnify.exe (User 'Default user')
O4 - Startup: setings.exe
O4 - Global Startup: startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4B53E5F-4363-4266-9F43-50BE9AFA2EBB}: NameServer = 85.255.115.75,85.255.112.139
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Bobby/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 6323 bytes
Title: Re: fake windows security alert....control panel is gone
Post by: Lisandro on November 24, 2007, 12:39:44 PM
Can you post this Registry key contents?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\don't load

If all entries are listed there, your Control Panel will be empty... (don't load)
Title: Re: fake windows security alert....control panel is gone
Post by: DavidR on November 24, 2007, 03:27:19 PM
If it looks like Vundo, SAS is usually quite good on Vundo detections, but there is also the Vundo Fix Tool (aliases: WinFixer / Virtumonde / Msevents / Trojan.vundo).

Here are the cleansing instructions for Virtumonde: http://www.bleepingcomputer.com/forums/topic18610.html (http://www.bleepingcomputer.com/forums/topic18610.html)

Your version of JAVA is very old, which doesn't help in securing your system. Ensure you have the latest version of JRE (JAVA Runtime Environment) because older versions can be vulnerable to malware. First remove All Older Versions From Add/Remove Programs.

Then get the latest update from here http://www.java.com/en/download/index.jsp (http://www.java.com/en/download/index.jsp)

Or JRE version 6 update 3 http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html (http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html)

Your copy of HJT is also old, FileHippo Download - HiJackThis (http://filehippo.com/download_hijackthis/).

It is probably best not to have HJT on your desktop but in a folder of its own. Download the latest version and disconnect from the internet, uninstall/remove your existing HJT and install the latest version; it should create its own folder.

You don't appear to have an active firewall, your system is an open door.

Fix:
C:\WINDOWS\system32\timoty.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKUS\S-1-5-18\..\Run: [froody] C:\WINDOWS\system32\timoty.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [froody] C:\WINDOWS\system32\timoty.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -

That is a start.

These two I'm not sure about but I'm suspicious
O4 - Startup: setings.exe
O4 - Global Startup: startup.exe
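As an added example (not code from the thread, from HijackThis or from avast), the Python scanner below turns the checks DavidR applies by eye in the reply above into rules and runs them over a log constructed from lines quoted in this thread; the rule set and the small allowlist are assumptions for illustration, not HijackThis's own logic.

```python
"""Triage of HijackThis-style log lines (illustrative rules, assumed not HJT's own):
  F0/F2  Shell= must be exactly Explorer.exe; anything appended runs at every logon
  O4     Run targets directly in %SystemRoot%/system32 that are not allowlisted,
         or launched from a Temp directory; bare .exe files in a Startup folder
  O7     DisableRegedit / DisableTaskMgr policies
  O16    DPF objects with no download path
  O17    per-adapter NameServer values that disagree with the global Tcpip\\Parameters
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "code reason line")

# Binaries that legitimately run from the Windows directory (illustrative allowlist).
WINDIR_ALLOWLIST = {"ctfmon.exe", "hkcmd.exe"}

SECTION_RE = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")
EXE_RE = re.compile(r'([A-Za-z]:\\[^\s"]+?\.exe)', re.IGNORECASE)
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\(system32\\)?[^\\]+$")
STARTUP_RE = re.compile(r"(?:Global )?Startup:\s+(\S+)$")


def _check_line(code, body, line):
    """Apply the single-line rules; return a Finding or None."""
    low = body.lower()
    if code in ("F0", "F2") and "shell=" in low:
        value = low.split("shell=", 1)[1].strip()
        if value != "explorer.exe":
            return Finding(code, "Shell= launches extra program: " + value, line)
    if code == "O7" and re.search(r"Disable(Regedit|TaskMgr)=1", body):
        return Finding(code, "policy disables an admin tool", line)
    if code == "O16" and body.rstrip().endswith("-"):
        return Finding(code, "DPF object with no download path", line)
    if code == "O4":
        m = STARTUP_RE.match(body)
        if m and m.group(1).lower().endswith(".exe"):
            return Finding(code, "bare executable in Startup folder: " + m.group(1), line)
        exes = EXE_RE.findall(body)   # quoted "Program Files" paths do not match, by design
        if exes:
            target = exes[-1].lower()
            name = target.rsplit("\\", 1)[-1]
            if "\\temp\\" in target:
                return Finding(code, "Run entry launches from a Temp directory: " + name, line)
            if WINDIR_RE.match(target) and name not in WINDIR_ALLOWLIST:
                return Finding(code, "Run entry launches unfamiliar Windows-dir binary: " + name, line)
    return None


def triage_log(text):
    """Scan a whole log; O17 needs both lines, so it is compared after the pass."""
    findings, global_ns, adapter_ns = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        code, body = m.groups()
        hit = _check_line(code, body, line)
        if hit:
            findings.append(hit)
        if code == "O17" and "NameServer" in body:
            servers = frozenset(s.strip() for s in body.split("=", 1)[1].split(","))
            if "Tcpip\\Parameters:" in body:
                global_ns = servers
            else:
                adapter_ns.append((servers, line))
    for servers, line in adapter_ns:
        if global_ns is not None and servers != global_ns:
            findings.append(Finding("O17", "adapter DNS servers differ from global setting: "
                                    + ", ".join(sorted(servers)), line))
    return findings


# Constructed sample: lines quoted from the HJT logs in this thread plus two clean ones.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [1F.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1F.tmp.exe 4 10001
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: setings.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4B53E5F-4363-4266-9F43-50BE9AFA2EBB}: NameServer = 85.255.115.75,85.255.112.139
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```

The output lists the same entries DavidR put under "Fix:" (plus the Temp-directory Run entry from the second log), while the ctfmon, hkcmd, avast and BigFix lines stay quiet.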
Title: Re: fake windows security alert....control panel is gone
Post by: essexboy on November 24, 2007, 04:25:26 PM
Hi David, they are bad, part of Virtumondo - latest version; it might need a rootkit scan to clean them.
Title: Re: fake windows security alert....control panel is gone
Post by: Maxx_original on November 24, 2007, 04:59:32 PM
We need the suspicious files... can you send them to VirusTotal and, in case of positive results, make a password-protected archive and send it to virus[at]avast[dot]com?
Title: Re: fake windows security alert....control panel is gone
Post by: DavidR on November 24, 2007, 05:20:07 PM
Hi David, they are bad, part of Virtumondo - latest version; it might need a rootkit scan to clean them.

Thanks Martin.
What do you think of the Startup: entries?
O4 - Startup: setings.exe
O4 - Global Startup: startup.exe

@ rtate69
Based on what Martin said, here are some more tools as there may be hidden elements to this vundo infection.

- F-Secure Blacklight may not always be available, http://www.f-secure.com/blacklight (http://www.f-secure.com/blacklight)
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip (http://research.pandasoftware.com/blogs/images/AntiRootkit.zip).
- AVG Anti-Rootkit http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5 (http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5).

Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm (http://www.antirootkit.com/software/index.htm). Try these as they are some of the more efficient and user friendly anti-rootkit tools.

Title: Re: fake windows security alert....control panel is gone
Post by: rtate69 on November 25, 2007, 08:31:24 AM
Thanks for the help guys, but I went ahead and did a fresh install of XP. I would like to know if avast has problems running with firewalls (which ones are OK). Again, thanks for the quick responses.
Title: Re: fake windows security alert....control panel is gone
Post by: oldman on November 25, 2007, 09:01:42 AM
A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

They'll all do the job, but ZoneAlarm Free is limited in user configurability, so I'd pass on that one. Comodo is being used by many forum users with XP. It's easy to set up and has a good help file.

It can be downloaded from

http://filehippo.com/download_comodo/

and a setup video tutorial here

http://forums.comodo.com/frequently_asked_questions_faq_for_comodo_firewall/noob_install_video_guide-t4766.0.html

I only mention the two firewalls above because they are the only two that I have any experience with.

Regardless of which one you go with, the following avast components need internet access.

avast.setup
ashwebsrv.exe
ashmaisrv.exe

Title: Re: fake windows security alert....control panel is gone
Post by: Lisandro on November 25, 2007, 01:36:06 PM
I would like to know if avast has problems running with firewalls (which ones are OK).
With XP I suggest: Comodo, ZoneAlarm, Kerio in this order.
With Vista I suggest: PCTools, ZoneAlarm, Comodo in this order.
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 10, 2007, 10:44:42 PM
I just installed Avast and it detected 45 infected files. I put all the issues in the chest because it would not repair them. Now my control panel button is gone. I want to uninstall Norton Antivirus so that Avast can run completely. I am also getting what I think is a bogus security alert. It says I have a Spyware operation running and that I should run a full scan to "pervent" any unauthorized access to my files. The "pervent" is what led me to think this was fake and I keep ignoring it. I've tried so many different things I don't know up from down now. Any suggestions?
Title: Re: fake windows security alert....control panel is gone
Post by: essexboy on December 10, 2007, 11:08:54 PM
Hi David

What do you think of the Startup: entries?
O4 - Startup: setings.exe
O4 - Global Startup: startup.exe

Methinks they should die; they are all variations on the Virtumondo / SmitFraud type trojans. They also affect the authorisation settings of the system, and they are tenacious, not the files above but the friends that they invite in.
Title: Re: fake windows security alert....control panel is gone
Post by: DavidR on December 10, 2007, 11:29:20 PM
I do think they should go, as I thought them suspicious back in http://forum.avast.com/index.php?topic=31664.msg263931#msg263931 (http://forum.avast.com/index.php?topic=31664.msg263931#msg263931). This was mainly based on the fact that I hadn't seen them in HJT logs up to that point and I couldn't see why a user would need these settings to be startup and global, other than that they would be a very handy way of having some actions carried out for malware, Virtumondo as you mentioned back then also.

I would hope rtate69 would have fixed them based on my suspicions and your confirmation of Virtumondo, back on Nov 24th. Unfortunately rtate69 decided to do a fresh install of XP on Nov 25th, so we weren't able to do any further investigation (VirusTotal, etc.).
Title: Re: fake windows security alert....control panel is gone
Post by: oldman on December 11, 2007, 09:53:35 PM
This should get rid of some of.

Download SUPERAntiSpyware (http://www.superantispyware.com/)

Open and update SAS (SUPERAntiSpyware)

Then boot into safe mode

Open SAS and set up as follows


Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked

CHECK ALL THE BOXES

Return to the main page by clicking close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive.

Under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan.

When the scan is done, quarantine everything found. Reboot if asked. You can post/attach the log in your next reply if you wish.

Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 14, 2007, 04:24:09 AM
OK, first things first. Log from SAS:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/13/2007 at 05:06 PM

Application Version : 3.9.1008

Core Rules Database Version : 3360
Trace Rules Database Version: 1359

Scan type       : Complete Scan
Total Scan Time : 00:43:41

Memory items scanned      : 537
Memory threats detected   : 0
Registry items scanned    : 5865
Registry threats detected : 24
File items scanned        : 37110
File threats detected     : 43

Trojan.Bronto
   HKLM\Software\Classes\CLSID\{D27987B8-7244-4DE0-AE10-39B826B492F1}
   HKCR\CLSID\{D27987B8-7244-4DE0-AE10-39B826B492F1}
   HKCR\CLSID\{D27987B8-7244-4DE0-AE10-39B826B492F1}\InprocServer32
   HKCR\CLSID\{D27987B8-7244-4DE0-AE10-39B826B492F1}\InprocServer32#ThreadingModel
   HKCR\CLSID\{D27987B8-7244-4DE0-AE10-39B826B492F1}\InprocServer32#Enable Browser Extensions
   C:\WINDOWS\SYSTEM32\BRONTO.DLL

Browser Hijacker.Internet Explorer Zone Hijack
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\05p.com
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\05p.com#*
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com#*
   HKU\S-1-5-21-3807167736-3886603645-2624093547-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\05p.com
   HKU\S-1-5-21-3807167736-3886603645-2624093547-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\05p.com#*
   HKU\S-1-5-21-3807167736-3886603645-2624093547-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com
   HKU\S-1-5-21-3807167736-3886603645-2624093547-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com#*

Adware.Tracking Cookie

Trojan.SmartFinder
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA#DisplayName
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA#UninstallString
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE#DisplayName
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE#UninstallString
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW#DisplayName
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW#UninstallString

Adware.IST/YourSiteBar
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs#C:\WINDOWS\Downloaded Program Files\ysbactivex.dll [  ]

Adware.IST/ISTBar (Slotch Bar)
   HKU\S-1-5-21-3807167736-3886603645-2624093547-1003\Software\Microsoft\Internet Explorer\Main#BandRest [ Never ]

Trojan.Unclassified/WN852
   C:\DOCUMENTS AND SETTINGS\OWNER\WN852.EXE
   C:\WINDOWS\TRAYICONS.EXE

Trojan.Agent-Gen/XLaff
   C:\WINDOWS\DDEXXZ.EXE

Trojan.Agent-Gen/Tooze
   C:\WINDOWS\KSACRE.EXE

Trojan.VXGame-Gen
   C:\WINDOWS\SYSTEM32\VEDXGA4M1ET4.EXE
   C:\WINDOWS\SYSTEM32\VEDXGA4ME1.EXE
   C:\WINDOWS\SYSTEM32\VEDXGA8ME6.EXE

Trojan.Unclassified/WinDisk
   C:\WINDOWS\WINDISK.DLL

I will have to post in increments as the allowed number of characters is exceeded...
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 14, 2007, 04:28:52 AM
This is the main.txt
Deckard's System Scanner v20071014.68
Run by Owner on 2007-12-13 21:07:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
106: 2007-12-14 03:07:36 UTC - RP1073 - Deckard's System Scanner Restore Point
105: 2007-12-13 22:19:41 UTC - RP1072 - Installed SUPERAntiSpyware Free Edition
104: 2007-12-13 18:08:57 UTC - RP1071 - Windows Defender Checkpoint
103: 2007-12-12 20:55:03 UTC - RP1070 - Software Distribution Service 3.0
102: 2007-12-12 14:49:20 UTC - RP1069 - System Checkpoint


-- First Restore Point --
1: 2007-09-15 17:23:50 UTC - RP968 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 78% (more than 75%).
Total Physical Memory: 247 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-12-13 21:10:14
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMNTOR.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconEM.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\IC Media Corp\ICM532\launchpad.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\X4KN3HSA\dss[1].exe
C:\Program Files\Messenger\msmsgs.exe
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 14, 2007, 04:30:16 AM
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {B4F9A677-88EE-C19A-29C7-4D0EFD6F3B81} - C:\WINDOWS\sdktj32.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NAVSHEXT.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NAVSHEXT.DLL
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [1F.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1F.tmp.exe 4 10001
O4 - HKLM\..\Run: [netod32.exe] C:\WINDOWS\system32\netod32.exe
O4 - HKLM\..\Run: [winxf.exe] C:\WINDOWS\system32\winxf.exe
O4 - HKLM\..\Run: [javaee32.exe] C:\WINDOWS\javaee32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.05.0000.1009\en-us\msnappau.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Launchpad.lnk = C:\Program Files\IC Media Corp.\ICM532\Launchpad.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKCU)
O15 - Trusted Zone: *.scoobidoo.com (HKCU)
O15 - Trusted Zone: *.static.topconverting.com (HKCU)
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://download.microsoft.com/download/d/c/8/dc8362b3-f410-4e7d-b672-209d6bd8fcea/OGAControl.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 14, 2007, 04:31:33 AM
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103922804920
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4053/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} () - http://download.microsoft.com/download/PowerPoint2002/Install/10.0.2609/WIN98MeXP/EN-US/msorun.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/chuzzle/popcaploader_v6.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - C:\Program Files\Microsoft ActiveSync\aatp.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPWDSVC.EXE
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMNTOR.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVSCAN.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBSERV.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 15600 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
R3 SunkFilt39 (Alcor Micro Corp - 3239) - c:\windows\system32\drivers\sunkfilt39.sys <Not Verified; Alcor Micro Corp.; SunkFilt39>

S3 PciTest (WinMTA PCI Service) - c:\windows\system32\drivers\pcitest.sys <Not Verified; Intel Corporation; Intel® Modular Test Architecture>
S3 SunkFilt (Alcor Micro Corp - 9360) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt92>
S3 Sunkfiltp (HP && Alcor Micro Corp for Phison) - c:\windows\system32\drivers\sunkfiltp.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>


Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 14, 2007, 04:32:12 AM
-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-12-13 20:55:20       330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2007-12-13 16:00:01       396 --ah----- C:\WINDOWS\Tasks\{D22A47F0-59CD-4C90-A057-9C939463113B}_COMPUTER1_Owner.job
2007-12-13 11:09:15       284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-12-13 09:00:02       396 --ah----- C:\WINDOWS\Tasks\{5A386A30-96C4-439E-B962-EAF263DBCAE1}_COMPUTER1_Owner.job
2007-12-09 08:49:51       530 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Owner.job
2007-12-07 16:00:07       396 --ah----- C:\WINDOWS\Tasks\{C8E919EC-A77E-4639-BA6A-C06652AE23CD}_COMPUTER1_Owner.job
2004-12-26 12:15:00       258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job


-- Files created between 2007-11-13 and 2007-12-13 -----------------------------

2007-12-13 20:04:41         0 d------c- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-12-13 20:04:06         0 d--h---c- C:\Documents and Settings\Administrator\NetHood
2007-12-13 20:04:06         0 dr-----c- C:\Documents and Settings\Administrator\My Documents
2007-12-13 20:04:06         0 d--h---c- C:\Documents and Settings\Administrator\Local Settings
2007-12-13 20:04:06         0 dr-----c- C:\Documents and Settings\Administrator\Favorites
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Desktop
2007-12-13 20:04:06         0 d--hs--c- C:\Documents and Settings\Administrator\Cookies
2007-12-13 20:04:06         0 dr-h---c- C:\Documents and Settings\Administrator\Application Data
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\Sun
2007-12-13 20:04:06         0 d---s--c- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\Identities
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\AOL
2007-12-13 20:04:05         0 d--h---c- C:\Documents and Settings\Administrator\Templates
2007-12-13 20:04:05         0 dr-----c- C:\Documents and Settings\Administrator\Start Menu
2007-12-13 20:04:05         0 dr-h---c- C:\Documents and Settings\Administrator\SendTo
2007-12-13 20:04:05         0 dr-h---c- C:\Documents and Settings\Administrator\Recent
2007-12-13 20:04:05         0 d--h---c- C:\Documents and Settings\Administrator\PrintHood
2007-12-13 20:04:05   1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-12-13 16:20:59         0 d------c- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-13 16:19:45         0 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-13 16:19:45         0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-12-13 16:18:57         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-12 20:13:58         0 d-------- C:\Program Files\Common Files\xing shared
2007-12-12 20:10:27         0 d-------- C:\Documents and Settings\Owner\Application Data\Real
2007-12-10 20:28:02         0 d-------- C:\WINDOWS\pss
2007-12-10 19:58:09         0 d-------- C:\Program Files\RogueRemover FREE
2007-12-10 19:34:52         0 d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2007-12-10 19:34:33         0 d-------- C:\Program Files\Uniblue
2007-12-10 13:52:26         0 d-------- C:\Program Files\Windows Defender
2007-12-10 13:42:34         0 d-------- C:\Program Files\Microsoft Silverlight
2007-12-10 09:30:12         0 d-------- C:\Program Files\Alwil Software
2007-12-09 23:33:38         0 --a------ C:\WINDOWS\wsystmp_usl.exe
2007-12-09 23:33:06     87552 --a------ C:\WINDOWS\system32\spoolc.exe
2007-12-09 23:33:04    291328 --a------ C:\WINDOWS\system32\libcurl.dll <Not Verified; The cURL library, http://curl.haxx.se/; The cURL library>
2007-12-09 23:33:02     59392 --a------ C:\WINDOWS\derc32xz.exe
2007-12-09 23:32:39    138240 --a------ C:\WINDOWS\xnnnav.exe
2007-12-09 23:32:35   1162732 --a------ C:\Documents and Settings\Owner\Application Data\Install.dat
2007-12-09 23:32:32        14 --a------ C:\WINDOWS\system32\dllgh8jkd1q8.exe
2007-12-09 23:30:36     18944 --a------ C:\WINDOWS\system32\wowfx.dll
2007-12-08 18:36:29    237568 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2007-12-06 17:57:41         0 d-------- C:\Program Files\Common Files\SupportSoft
2007-12-06 17:57:16         0 d-------- C:\Program Files\CHARTER
2007-11-13 01:28:17         0 d-------- C:\Program Files\iPod


Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 14, 2007, 04:32:48 AM
-- Find3M Report ---------------------------------------------------------------

2007-12-13 20:53:50         0 d-------- C:\Program Files\Common Files
2007-12-13 16:51:13      2514 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-12-13 15:47:47         0 d-------- C:\Documents and Settings\Owner\Application Data\Identities
2007-12-12 20:13:38         0 d-------- C:\Program Files\Common Files\Real
2007-12-12 08:16:43         0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-10 13:52:06         0 d-------- C:\Program Files\Microsoft AntiSpyware
2007-12-06 17:50:09         0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-13 09:57:06         0 d-------- C:\Program Files\Apple Software Update
2007-11-13 01:28:47         0 d-------- C:\Program Files\iTunes
2007-11-13 01:25:30         0 d-------- C:\Program Files\QuickTime
2007-11-06 10:40:20         0 d-------- C:\Program Files\MMKids


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F9A677-88EE-C19A-29C7-4D0EFD6F3B81}]
         C:\WINDOWS\sdktj32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 08:42 PM]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [03/11/2004 04:18 PM]
"@"="" []
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [01/29/2004 08:13 PM]
"1F.tmp"="C:\DOCUME~1\Owner\LOCALS~1\Temp\1F.tmp.exe" []
"netod32.exe"="C:\WINDOWS\system32\netod32.exe" []
"winxf.exe"="C:\WINDOWS\system32\winxf.exe" []
"javaee32.exe"="C:\WINDOWS\javaee32.exe" []
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [05/05/2005 07:40 PM]
"msnappau"="C:\Program Files\MSN Apps\Updater\01.05.0000.1009\en-us\msnappau.exe" [06/09/2005 01:56 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/17/2006 10:05 AM]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"SoundMan"="SOUNDMAN.EXE" [04/15/2005 10:01 AM C:\WINDOWS\SOUNDMAN.EXE]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/16/2005 10:11 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [10/19/2007 08:16 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/02/2007 06:36 PM]
"Undefined"="C:\WINDOWS\system32\winter.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 07:00 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [12/12/2007 08:12 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]
"NetZero_uoltray"="C:\Program Files\NetZero\exec.exe" [03/06/2007 06:00 PM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [01/04/2005 11:50 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"Undefined"="C:\WINDOWS\system32\winter.exe" []
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [12/05/2007 03:51 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [8/9/2004 4:03:42 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11/4/2004 7:28:24 PM]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [11/4/2004 7:50:52 PM]
Launchpad.lnk - C:\Program Files\IC Media Corp.\ICM532\Launchpad.exe [12/26/2004 12:12:08 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 3:15:54 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 14, 2007, 04:33:22 AM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\system32\proper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2007-12-13 21:12:52 ------------

This is the extra.txt
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Celeron(R) CPU 2.66GHz
Percentage of Memory in Use: 70%
Physical Memory (total/avail): 246.8 MiB / 72.74 MiB
Pagefile Memory (total/avail): 605.96 MiB / 160.09 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1918.05 MiB

C: is Fixed (NTFS) - 57.26 GiB total, 38.88 GiB free.
D: is CDROM (No Media)
E: is Removable (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)

\\.\PHYSICALDRIVE0 - HDS722580VLAT20 - 57.27 GiB - 1 partition
  \PARTITION0 (bootable) - Installable File System - 57.26 GiB - C:

\\.\PHYSICALDRIVE1 - IOMEGA ZIP 100

\\.\PHYSICALDRIVE2 - eM Bay Reader USB Device

\\.\PHYSICALDRIVE3 - eM Bay Reader USB Device

\\.\PHYSICALDRIVE4 - eM Bay Reader USB Device

\\.\PHYSICALDRIVE5 - eM Bay Reader USB Device

\\.\PHYSICALDRIVE6 - HP PSC 1610xi USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AntiVirusDisableNotify is set.

FW: Norton Internet Worm Protection v2005 (Symantec)
AV: Norton AntiVirus 2005 v2005 (Symantec Corporation) Outdated
AV: avast! antivirus 4.7.1098 [VPS 071213-0] v4.7.1098 (ALWIL Software) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:America Online 9.0"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:*:Enabled:Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:*:Enabled:ActiveSync Application"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 14, 2007, 04:34:47 AM
-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=COMPUTER1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
ICM_532_INF_PATH=C:\WINDOWS\INF\oem29.inf
ICM_532_INSTALL_DIR=C:\Program Files\IC Media Corp.\ICM532\Driver
ICM_532_PNF_PATH=C:\WINDOWS\INF\oem29.pnf
ICM_532_PRODUCT_VER=1.4.0.0
LOGONSERVER=\\COMPUTER1
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\MSN Messenger\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
RNLOG_BASEKEY=Software\RealNetworks\RealPlayer\6.0\Preferences\BrowserRecordPluginLog
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=COMPUTER1
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

 --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Photoshop Album 2.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8A367C28-423C-48E2-8C76-EBA1171F932A}\apxp.ex_" -l0x9
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 14, 2007, 04:35:32 AM
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
BigFix --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll"
ccCommon --> MsiExec.exe /I{DC367608-64A7-4BF7-92F4-8BAA25BA02DB}
Charter High Speed Internet Self-Installation Wizard --> MsiExec.exe /I{5AF8C46D-A141-4E69-9EB5-76A43ED29281}
Digital Media Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}
Ezonics Greeting Cam Deluxe --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Ezonics\Ezonics Greeting Cam Deluxe\Uninst.isu"
EZPhoto Browser --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A393E43-9F1B-4B4D-AFC3-E4B6663F6DD3}\Setup.exe"
EZPhoto Tools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ED8F2441-E5B9-4F48-82AD-759C17A68ADB}\Setup.exe"
EZShowtime MMS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5FB2EF0E-0254-4B7E-98C9-7F83E0C5E6C2}\Setup.exe"
EZSuite For EZCam III --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{313AA16E-8C61-410C-A225-917462421659}\Setup.exe" -l0x9
EZVideo Mail 2.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E8D4B52-52E5-41EF-9C43-8CDF1527DDFD}\Setup.exe" -l0x9
GdiplusUpgrade --> MsiExec.exe /I{5421155F-B033-49DB-9B33-8F80F233D4D5}
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HP Extended Capabilities 4.7 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Image Zone 4.7 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 4.7 --> "C:\Program Files\HP\Digital Imaging\{342C7C88-D335-4bc2-8CF1-281857629CE2}\setup\hpzscr01.exe" -datfile hposcr05.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Update --> MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
ICM532 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FD3DF65-694C-4F71-97BA-1A70BB2B8B9C}\setup.exe" -l0x9
Intel(R) Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Intel(R) PRO Network Adapters and Drivers --> Prounstl.exe
Intel(R) PROSet --> MsiExec.exe /I{EF4EF65F-4D62-44D7-82C9-1AECCBA74C50}
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
Internet Worm Protection --> MsiExec.exe /I{2908F0CB-C1D4-447F-97A2-CFC135C9F8D4}
iTunes --> MsiExec.exe /I{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}
Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VCSetup.exe /REMOVE
LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Malwarebytes' RogueRemover 1.22 --> "C:\Program Files\RogueRemover FREE\unins000.exe"
Microsoft ActiveSync 3.8 --> "C:\WINDOWS\ISUNINST.EXE" -f"C:\Program Files\Microsoft ActiveSync\DeIsL1.isu" -c"C:\Program Files\Microsoft ActiveSync\ceuninst.dll"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Money 2004 --> MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3}
Microsoft Money 2004 System Pack --> MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80}
Microsoft Outlook 2000 SR-1 --> MsiExec.exe /I{00160409-78E1-11D2-B60F-006097C998E7}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Minute Menu Kids --> "C:\Program Files\MMKids\unins000.exe"
Move Networks Player for Internet Explorer --> "C:\Documents and Settings\Owner\Application Data\Move Networks\ie_bin\unins000.exe"
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSN Toolbar --> C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\mtbs.exe c
NetZero Internet --> "C:\Program Files\NetZero\NetZeroUninstaller.exe"
Norton AntiVirus 2005 --> MsiExec.exe /X{C6F5B6CF-609C-428E-876F-CA83176C021B}
Norton AntiVirus 2005 (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\SymSetup\{C6F5B6CF-609C-428E-876F-CA83176C021B}.exe /X
Norton AntiVirus Help --> MsiExec.exe /I{34EEB1F5-E939-40A1-A6BA-957282A4B2C8}
Norton AntiVirus Parent MSI --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton AntiVirus SCSSDist MSI --> MsiExec.exe /I{541230A3-1D3A-4879-B7E0-E71F90E35548}
Norton AntiVirus SYMLT MSI --> MsiExec.exe /I{D1FF75E7-DD42-4CFD-B052-20B3FFF4EDB8}
Norton WMI Update --> MsiExec.exe /X{1526D87C-A955-4FAB-BF18-697BA457E352}
Norton WMI Update --> MsiExec.exe /X{F64306A5-4C32-41bb-B153-53986527FAB4}
OLYMPUS CAMEDIA Master 4.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{30BB4D60-81DB-11D5-BB77-00400536ABAC}\setup.exe" CAMEDIA Master 4.1
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe"  -uninstall
QuickTime --> MsiExec.exe /I{5B09BD67-4C99-46A1-8161-B7208CE18121}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Rhapsody Player Engine --> MsiExec.exe /I{8A62A068-3FD6-495A-9F66-26FE94F32EC9}
SoftV92 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IURSLST5K.inf
SPBBC --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Symantec --> MsiExec.exe /I{228F6876-A313-40A3-91C0-C3CBE6997D09}
Symantec Script Blocking Installer --> MsiExec.exe /I{D327AFC9-7BAA-473A-8319-6EB7A0D40138}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Uniblue RegistryBooster 2 --> "C:\Program Files\Uniblue\RegistryBooster 2\unins000.exe"
USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C8F7C1E5-0150-11D6-A96C-00D05908F85D}\Setup.exe" -l0x9
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}

Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 14, 2007, 04:37:08 AM
-- Application Event Log -------------------------------------------------------

Event Record #/Type35791 / Error
Event Submitted/Written: 12/13/2007 09:10:39 PM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Event Record #/Type35782 / Success
Event Submitted/Written: 12/13/2007 09:01:41 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type35754 / Warning
Event Submitted/Written: 12/13/2007 07:57:19 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type35746 / Success
Event Submitted/Written: 12/13/2007 06:46:35 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type35730 / Warning
Event Submitted/Written: 12/13/2007 06:37:03 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type47378 / Error
Event Submitted/Written: 12/13/2007 09:00:59 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Messenger Sharing Folders USN Journal Reader service service failed to start due to the following error:
%%1053

Event Record #/Type47377 / Error
Event Submitted/Written: 12/13/2007 09:00:59 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Messenger Sharing Folders USN Journal Reader service service to connect.

Event Record #/Type47376 / Error
Event Submitted/Written: 12/13/2007 09:00:46 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1053" attempting to start the service usnjsvc with arguments ""
in order to run the server:
{98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}

Event Record #/Type47340 / Error
Event Submitted/Written: 12/13/2007 08:51:00 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type47336 / Error
Event Submitted/Written: 12/13/2007 08:05:15 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Aavmker4
Fips
intelppm
SASDIFSV
SASKUTIL
SAVRTPEL
SPBBCDrv
SYMTDI



-- End of Deckard's System Scanner: finished at 2007-12-13 21:12:52 ------------

A lot of info, I hope you can help. When I was in safe mode and logged in under administrator I noticed that the control panel was there. When I logged back in under the normal user it was not there again. I don't know if that helps you at all. Thanks for the help!


Title: Re: fake windows security alert....control panel is gone
Post by: oldman on December 14, 2007, 06:27:47 PM
You have more than one antivirus program. One is disabled and the other is out of date. Please do not use the internet except to download tools and check this thread, until this is resolved.

There's a few things we have to turn back on. We'll start with this

To repair taskmanager
run SuperAntispyware

Start the programme
On the main page select preferences
Next select the repair tab
Left click Enable Task Manager
Left click perform repair

I'll post the fix for the others, as soon as I can.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.


Let the scan run, even if it looks like it isn't doing anything; if you see any HD activity, combo fix is running.
Title: Re: fake windows security alert....control panel is gone
Post by: essexboy on December 14, 2007, 06:55:04 PM
Download the following 2 fixes from my site http://cid-32d8666f4048075b.skydrive.live.com/browse.aspx/Malware%20files . The files you want are
Regtmcdrrestore.vbs (run this first), then run controlpanelrestrictionrestore.reg
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 15, 2007, 07:01:29 AM
Hi there,
I ran the superantispyware and it worked well.  Then I also downloaded the combofix and it wouldn't complete.  First Norton intercepted it.  Somehow the control panel came back and so I uninstalled Norton as well as a couple of mistake installs from this week.  The combofix made it through 38 steps and then stopped on a screen that says deleting files/folders and proceeded to stay that way for three hours.  I finally shut it down and tried it again and the same thing happened.  Any ideas as to where I should go from here?  Thanks
Title: Re: fake windows security alert....control panel is gone
Post by: oldman on December 15, 2007, 08:33:17 AM
I don't know why combofix stalled. Can you check in windows explorer in this location

c:\combofix

for a log or a txt file. If you find one please post it.

If control panel is back, you will only have to download one file from essexboy's post (it's right above your last one), download and run

Regtmcdrrestore.vbs

then make sure you did this

To repair taskmanager
run SuperAntispyware

Start the programme
On the main page select preferences
Next select the repair tab
Left click Enable Task Manager
Left click perform repair

Also is avast up and running again?

Please post a new DSS log and we will proceed.
Title: Norton Removal
Post by: Spiritsongs on December 15, 2007, 09:47:39 PM
:) Hi Lava25:

You have to do more than just "uninstall" Norton; you should ALSO run THEIR "Removal Tool", which is available at www.majorgeeks.com/Norton_Removal_Tool_SymNRT_d4749.html .
Title: Re: fake windows security alert....control panel is gone
Post by: oldman on December 16, 2007, 02:07:36 AM
Thanks Spiritsongs, I thought I had posted the complete Norton removal instructions, including instructions for reinstalling avast. Maybe the post got lost in the strange forum behavior.

@Lava25

Is avast working??
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 16, 2007, 05:20:31 PM
Avast seems to be working as far as I know.  It is updating and showing in the lower right corner as well.  I will follow your instructions for the uninstall of Norton.  Then I will continue to try the combofix and previous instructions.  The control panel is back though so that helps a lot.  There has also been an error that comes up when it reboots.  I'll write it down after the next reboot and post it.
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 16, 2007, 05:57:48 PM
;) Alright, here is the latest DSS log, and the error I keep getting is that this file was typed in incorrectly and to try again:
'c:\windows\system32\proper\exe'
Thanks again for all of your help!
Deckard's System Scanner v20071014.68
Run by Owner on 2007-12-17 10:51:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 84% (more than 75%).
Total Physical Memory: 247 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-12-17 10:51:30
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\explorer.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconEM.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\IC Media Corp\ICM532\launchpad.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 16, 2007, 05:58:21 PM
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {B4F9A677-88EE-C19A-29C7-4D0EFD6F3B81} - C:\WINDOWS\sdktj32.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [1F.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1F.tmp.exe 4 10001
O4 - HKLM\..\Run: [netod32.exe] C:\WINDOWS\system32\netod32.exe
O4 - HKLM\..\Run: [winxf.exe] C:\WINDOWS\system32\winxf.exe
O4 - HKLM\..\Run: [javaee32.exe] C:\WINDOWS\javaee32.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.05.0000.1009\en-us\msnappau.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Launchpad.lnk = C:\Program Files\IC Media Corp.\ICM532\Launchpad.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKCU)
O15 - Trusted Zone: *.scoobidoo.com (HKCU)
O15 - Trusted Zone: *.static.topconverting.com (HKCU)
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://download.microsoft.com/download/d/c/8/dc8362b3-f410-4e7d-b672-209d6bd8fcea/OGAControl.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103922804920
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4053/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} () - http://download.microsoft.com/download/PowerPoint2002/Install/10.0.2609/WIN98MeXP/EN-US/msorun.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/chuzzle/popcaploader_v6.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - C:\Program Files\Microsoft ActiveSync\aatp.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 16, 2007, 05:59:23 PM


--
End of file - 11470 bytes

-- Files created between 2007-11-17 and 2007-12-17 -----------------------------

2007-12-14 10:44:46         0 d-------- C:\Program Files\iWin
2007-12-13 20:04:41         0 d------c- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-12-13 20:04:06         0 d--h---c- C:\Documents and Settings\Administrator\NetHood
2007-12-13 20:04:06         0 dr-----c- C:\Documents and Settings\Administrator\My Documents
2007-12-13 20:04:06         0 d--h---c- C:\Documents and Settings\Administrator\Local Settings
2007-12-13 20:04:06         0 dr-----c- C:\Documents and Settings\Administrator\Favorites
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Desktop
2007-12-13 20:04:06         0 d--hs--c- C:\Documents and Settings\Administrator\Cookies
2007-12-13 20:04:06         0 dr-h---c- C:\Documents and Settings\Administrator\Application Data
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\Sun
2007-12-13 20:04:06         0 d---s--c- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\Identities
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\AOL
2007-12-13 20:04:05         0 d--h---c- C:\Documents and Settings\Administrator\Templates
2007-12-13 20:04:05         0 dr-----c- C:\Documents and Settings\Administrator\Start Menu
2007-12-13 20:04:05         0 dr-h---c- C:\Documents and Settings\Administrator\SendTo
2007-12-13 20:04:05         0 dr-h---c- C:\Documents and Settings\Administrator\Recent
2007-12-13 20:04:05         0 d--h---c- C:\Documents and Settings\Administrator\PrintHood
2007-12-13 20:04:05   1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-12-13 16:20:59         0 d------c- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-13 16:19:45         0 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-13 16:19:45         0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-12-13 16:18:57         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-12 20:13:58         0 d-------- C:\Program Files\Common Files\xing shared
2007-12-12 20:10:27         0 d-------- C:\Documents and Settings\Owner\Application Data\Real
2007-12-10 20:28:02         0 d-------- C:\WINDOWS\pss
2007-12-10 19:58:09         0 d-------- C:\Program Files\RogueRemover FREE
2007-12-10 19:34:52         0 d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2007-12-10 13:52:26         0 d-------- C:\Program Files\Windows Defender
2007-12-10 13:42:34         0 d-------- C:\Program Files\Microsoft Silverlight
2007-12-10 09:30:12         0 d-------- C:\Program Files\Alwil Software
2007-12-09 23:33:38         0 --a------ C:\WINDOWS\wsystmp_usl.exe
2007-12-09 23:33:06     87552 --a------ C:\WINDOWS\system32\spoolc.exe
2007-12-09 23:33:04    291328 --a------ C:\WINDOWS\system32\libcurl.dll <Not Verified; The cURL library, http://curl.haxx.se/; The cURL library>
2007-12-09 23:33:02     59392 --a------ C:\WINDOWS\derc32xz.exe
2007-12-09 23:32:39    138240 --a------ C:\WINDOWS\xnnnav.exe
2007-12-09 23:32:35   1162732 --a------ C:\Documents and Settings\Owner\Application Data\Install.dat
2007-12-09 23:32:32        14 --a------ C:\WINDOWS\system32\dllgh8jkd1q8.exe
2007-12-09 23:30:36     18944 --a------ C:\WINDOWS\system32\wowfx.dll
2007-12-08 18:36:29    237568 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2007-12-06 17:57:41         0 d-------- C:\Program Files\Common Files\SupportSoft
2007-12-06 17:57:16         0 d-------- C:\Program Files\CHARTER


-- Find3M Report ---------------------------------------------------------------

2007-12-17 10:26:45         0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-15 22:21:46         0 d-------- C:\Program Files\BigFix
2007-12-15 18:24:30         0 d-------- C:\Program Files\Common Files
2007-12-13 16:51:13      2514 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-12-13 15:47:47         0 d-------- C:\Documents and Settings\Owner\Application Data\Identities
2007-12-12 20:13:38         0 d-------- C:\Program Files\Common Files\Real
2007-12-10 13:52:06         0 d-------- C:\Program Files\Microsoft AntiSpyware
2007-12-06 17:50:09         0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-13 09:57:06         0 d-------- C:\Program Files\Apple Software Update
2007-11-13 01:28:47         0 d-------- C:\Program Files\iTunes
2007-11-13 01:28:17         0 d-------- C:\Program Files\iPod
2007-11-13 01:25:30         0 d-------- C:\Program Files\QuickTime
2007-11-06 10:40:20         0 d-------- C:\Program Files\MMKids


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F9A677-88EE-C19A-29C7-4D0EFD6F3B81}]
         C:\WINDOWS\sdktj32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-03-11 16:18]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-01-29 20:13]
"1F.tmp"="C:\DOCUME~1\Owner\LOCALS~1\Temp\1F.tmp.exe" []
"netod32.exe"="C:\WINDOWS\system32\netod32.exe" []
"winxf.exe"="C:\WINDOWS\system32\winxf.exe" []
"javaee32.exe"="C:\WINDOWS\javaee32.exe" []
"msnappau"="C:\Program Files\MSN Apps\Updater\01.05.0000.1009\en-us\msnappau.exe" [2005-06-09 13:56]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 10:01 C:\WINDOWS\SOUNDMAN.EXE]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-12 20:12]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-04 11:50]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Launchpad.lnk - C:\Program Files\IC Media Corp.\ICM532\Launchpad.exe [2004-12-26 12:12:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\system32\proper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2007-12-17 10:52:02 ------------

Title: Re: fake windows security alert....control panel is gone
Post by: oldman on December 16, 2007, 08:36:52 PM
Open HJT and run a system scan only; place a check mark next to these lines if present

O2 - BHO: (no name) - {B4F9A677-88EE-C19A-29C7-4D0EFD6F3B81} - C:\WINDOWS\sdktj32.dll (file missing)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKCU)
O15 - Trusted Zone: *.scoobidoo.com (HKCU)
O15 - Trusted Zone: *.static.topconverting.com (HKCU)


Close all browsers and windows, then click Fix.

Boot into safe mode and run combofix from there.


Combofix should never take more than 20 minutes, including the reboot if malware is detected.

Do the following only if combofix stalls after 20 or so minutes.

If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed or swreg; combofix should then continue.
If that happened we want to know, and also which process you had to end.

Please post the combofix log and a new HJT log.
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 16, 2007, 10:37:29 PM
This is the combofix test file:
ComboFix 07-12-16.4 - Owner 2007-12-17 15:20:16.6 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.61 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

This is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:34, on 2007-12-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\IC Media Corp\ICM532\Launchpad.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 16, 2007, 10:37:57 PM

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [netod32.exe] C:\WINDOWS\system32\netod32.exe
O4 - HKLM\..\Run: [winxf.exe] C:\WINDOWS\system32\winxf.exe
O4 - HKLM\..\Run: [javaee32.exe] C:\WINDOWS\javaee32.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.05.0000.1009\en-us\msnappau.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Launchpad.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103922804920
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4053/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/chuzzle/popcaploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9483 bytes
Title: Re: fake windows security alert....control panel is gone
Post by: oldman on December 16, 2007, 10:45:10 PM
Did combofix complete its run? The log is incomplete.

Give me another DSS log please.
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 17, 2007, 01:13:46 AM
It seemed to. Also, I just noticed that a file folder showed up on my desktop that says catchme.zip. Do you know if that is supposed to be there? Here is the latest DSS log:
Deckard's System Scanner v20071014.68
Run by Owner on 2007-12-17 18:09:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 247 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:09, on 2007-12-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\IC Media Corp\ICM532\Launchpad.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 17, 2007, 01:14:29 AM
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [netod32.exe] C:\WINDOWS\system32\netod32.exe
O4 - HKLM\..\Run: [winxf.exe] C:\WINDOWS\system32\winxf.exe
O4 - HKLM\..\Run: [javaee32.exe] C:\WINDOWS\javaee32.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.05.0000.1009\en-us\msnappau.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Launchpad.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103922804920
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4053/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/chuzzle/popcaploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 17, 2007, 01:14:53 AM

--
End of file - 9484 bytes

-- Files created between 2007-11-17 and 2007-12-17 -----------------------------

2007-12-17 15:23:35     60416 --a------ C:\WINDOWS\system32\drivers\ComboFix.sys
2007-12-17 14:46:52         0 d-------- C:\Program Files\Trend Micro
2007-12-14 10:44:46         0 d-------- C:\Program Files\iWin
2007-12-13 20:04:41         0 d------c- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-12-13 20:04:06         0 d--h---c- C:\Documents and Settings\Administrator\NetHood
2007-12-13 20:04:06         0 dr-----c- C:\Documents and Settings\Administrator\My Documents
2007-12-13 20:04:06         0 d--h---c- C:\Documents and Settings\Administrator\Local Settings
2007-12-13 20:04:06         0 dr-----c- C:\Documents and Settings\Administrator\Favorites
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Desktop
2007-12-13 20:04:06         0 d--hs--c- C:\Documents and Settings\Administrator\Cookies
2007-12-13 20:04:06         0 dr-h---c- C:\Documents and Settings\Administrator\Application Data
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\Sun
2007-12-13 20:04:06         0 d---s--c- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\Identities
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\AOL
2007-12-13 20:04:05         0 d--h---c- C:\Documents and Settings\Administrator\Templates
2007-12-13 20:04:05         0 dr-----c- C:\Documents and Settings\Administrator\Start Menu
2007-12-13 20:04:05         0 dr-h---c- C:\Documents and Settings\Administrator\SendTo
2007-12-13 20:04:05         0 dr-h---c- C:\Documents and Settings\Administrator\Recent
2007-12-13 20:04:05         0 d--h---c- C:\Documents and Settings\Administrator\PrintHood
2007-12-13 20:04:05   1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-12-13 16:20:59         0 d------c- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-13 16:19:45         0 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-13 16:19:45         0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-12-13 16:18:57         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-12 20:13:58         0 d-------- C:\Program Files\Common Files\xing shared
2007-12-12 20:10:27         0 d-------- C:\Documents and Settings\Owner\Application Data\Real
2007-12-10 20:28:02         0 d-------- C:\WINDOWS\pss
2007-12-10 19:58:09         0 d-------- C:\Program Files\RogueRemover FREE
2007-12-10 19:34:52         0 d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2007-12-10 13:52:26         0 d-------- C:\Program Files\Windows Defender
2007-12-10 13:42:34         0 d-------- C:\Program Files\Microsoft Silverlight
2007-12-10 09:30:12         0 d-------- C:\Program Files\Alwil Software
2007-12-09 23:33:38         0 --a------ C:\WINDOWS\wsystmp_usl.exe
2007-12-09 23:33:06     87552 --a------ C:\WINDOWS\system32\spoolc.exe
2007-12-09 23:33:04    291328 --a------ C:\WINDOWS\system32\libcurl.dll <Not Verified; The cURL library, http://curl.haxx.se/; The cURL library>
2007-12-09 23:33:02     59392 --a------ C:\WINDOWS\derc32xz.exe
2007-12-09 23:32:39    138240 --a------ C:\WINDOWS\xnnnav.exe
2007-12-09 23:32:32        14 --a------ C:\WINDOWS\system32\dllgh8jkd1q8.exe
2007-12-08 18:36:29    237568 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2007-12-06 17:57:41         0 d-------- C:\Program Files\Common Files\SupportSoft
2007-12-06 17:57:16         0 d-------- C:\Program Files\CHARTER


-- Find3M Report ---------------------------------------------------------------

2007-12-17 10:26:45         0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-15 22:21:46         0 d-------- C:\Program Files\BigFix
2007-12-15 18:24:30         0 d-------- C:\Program Files\Common Files
2007-12-13 16:51:13      2514 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-12-13 15:47:47         0 d-------- C:\Documents and Settings\Owner\Application Data\Identities
2007-12-12 20:13:38         0 d-------- C:\Program Files\Common Files\Real
2007-12-10 13:52:06         0 d-------- C:\Program Files\Microsoft AntiSpyware
2007-12-06 17:50:09         0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-13 09:57:06         0 d-------- C:\Program Files\Apple Software Update
2007-11-13 01:28:47         0 d-------- C:\Program Files\iTunes
2007-11-13 01:28:17         0 d-------- C:\Program Files\iPod
2007-11-13 01:25:30         0 d-------- C:\Program Files\QuickTime
2007-11-06 10:40:20         0 d-------- C:\Program Files\MMKids


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-03-11 16:18]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-01-29 20:13]
"netod32.exe"="C:\WINDOWS\system32\netod32.exe" []
"winxf.exe"="C:\WINDOWS\system32\winxf.exe" []
"javaee32.exe"="C:\WINDOWS\javaee32.exe" []
"msnappau"="C:\Program Files\MSN Apps\Updater\01.05.0000.1009\en-us\msnappau.exe" [2005-06-09 13:56]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 10:01 C:\WINDOWS\SOUNDMAN.EXE]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-12 20:12]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-04 00:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-04 11:50]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Launchpad.lnk - C:\Program Files\IC Media Corp.\ICM532\Launchpad.exe [2004-12-26 12:12:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2007-12-17 18:10:12 ------------

Title: Re: fake windows security alert....control panel is gone
Post by: oldman on December 17, 2007, 01:20:50 AM
Quote: It seemed to. Also, I just noticed that a file folder showed up on my desktop that says catchme.zip.

Yes, hang on to it. I'll find the site for you to send it to.

Give me a few minutes to go over the logs.
Title: Re: fake windows security alert....control panel is gone
Post by: oldman on December 17, 2007, 01:25:17 AM
Open HJT, run a system scan only and check mark the following lines if present:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [netod32.exe] C:\WINDOWS\system32\netod32.exe
O4 - HKLM\..\Run: [winxf.exe] C:\WINDOWS\system32\winxf.exe
O4 - HKLM\..\Run: [javaee32.exe] C:\WINDOWS\javaee32.exe
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4053/ftp.coupons.com/r3302/cpbrkpie.cab


Close all browsers/windows, click Fix, then close HJT.

Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\netod32.exe
C:\WINDOWS\system32\winxf.exe
C:\WINDOWS\javaee32.exe

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply with a new HijackThis log.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

Please post the OTMoveIt results and a new DSS log.
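Added example, not part of this thread and not code from HijackThis, DSS or OTMoveIt: a small Python triage script that applies the same rules oldman applies by eye in both of his "check mark these lines" posts above (O2 BHOs whose file is missing, O15 Trusted Zone additions, and O4 Run entries named after an executable dropped straight into the Windows or system32 folder). The sample lines are copied from the HJT logs in this thread; the `ctfmon.exe` allowlist is an assumption made for the example.

```python
"""Triage helper for HijackThis (HJT) log lines.

Written for this thread as an illustration; it is not part of HijackThis,
DSS or any other tool used here. It returns the exact log lines a helper
would ask the poster to tick and Fix in HJT, with a reason for each.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HJT logs posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B4F9A677-88EE-C19A-29C7-4D0EFD6F3B81} - C:\WINDOWS\sdktj32.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [netod32.exe] C:\WINDOWS\system32\netod32.exe
O4 - HKLM\..\Run: [winxf.exe] C:\WINDOWS\system32\winxf.exe
O4 - HKLM\..\Run: [javaee32.exe] C:\WINDOWS\javaee32.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKCU)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<domain>\S+) \((?P<hive>HKLM|HKCU)\)$")

# Folders where a dropped file tends to land; compared in lower case without a
# trailing separator. A legitimate Run entry living here rarely has a value name
# identical to its file name.
DROP_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Analyst-maintained allowlist (assumption for this example): Windows' own
# ctfmon.exe is registered under its file name and is not malicious.
KNOWN_GOOD_RUN_NAMES = {"ctfmon.exe"}


@dataclass(frozen=True)
class Finding:
    line: str    # the HJT line exactly as logged, ready to tick in HJT
    reason: str


def executable_of(cmd: str) -> str:
    """Return the program path from a Run value, quoted or not."""
    quoted = re.match(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    bare = re.match(r"(\S+?\.exe)\b", cmd, re.IGNORECASE)
    return bare.group(1) if bare else cmd.split()[0]


def check_line(line: str) -> Finding | None:
    """Apply the three triage rules to one HJT line; None means 'leave alone'."""
    m = O2_RE.match(line)
    if m:
        path = m.group("path").strip()
        if path == "(no file)" or path.endswith("(file missing)"):
            return Finding(line, "BHO registered for a file that no longer exists")
        return None
    m = O4_RE.match(line)
    if m:
        exe = executable_of(m.group("cmd"))
        name, base = m.group("name").lower(), ntpath.basename(exe).lower()
        folder = ntpath.dirname(exe).lower().rstrip("\\")
        if name == base and folder in DROP_DIRS and base not in KNOWN_GOOD_RUN_NAMES:
            return Finding(line, f"Run entry named after its own file, dropped in {folder}")
        return None
    m = O15_RE.match(line)
    if m:
        return Finding(line, f"Trusted Zone entry for {m.group('domain')} lowers IE security for that site")
    return None


def triage(log_text: str) -> list[Finding]:
    """Scan a whole HJT log and collect every line that merits a Fix."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        found = check_line(raw.strip())
        if found:
            findings.append(found)
    return findings


def lines_to_fix(log_text: str) -> list[str]:
    """The exact lines a helper would ask the poster to tick and Fix in HJT."""
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

The script produces candidates for a human to confirm, exactly as the helper does here; a value such as `ctfmon.exe` shows why the allowlist, not the rule alone, decides.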
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 17, 2007, 01:47:18 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:44, on 2007-12-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\IC Media Corp\ICM532\Launchpad.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.05.0000.1009\en-us\msnappau.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Launchpad.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103922804920
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/chuzzle/popcaploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8919 bytes
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 17, 2007, 01:49:18 AM
This is the OTMoveIt log:
File/Folder C:\WINDOWS\system32\netod32.exe not found.
File/Folder C:\WINDOWS\system32\winxf.exe not found.
File/Folder C:\WINDOWS\javaee32.exe not found.
 
Created on 12-17-2007 18:47:07
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 17, 2007, 01:51:02 AM
Deckard's System Scanner v20071014.68
Run by Owner on 2007-12-17 18:48:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 247 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:48, on 2007-12-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\IC Media Corp\ICM532\Launchpad.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 17, 2007, 01:51:59 AM
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.05.0000.1009\en-us\msnappau.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Launchpad.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103922804920
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/chuzzle/popcaploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 17, 2007, 01:53:06 AM

--
End of file - 9080 bytes

-- Files created between 2007-11-17 and 2007-12-17 -----------------------------

2007-12-17 15:23:35     60416 --a------ C:\WINDOWS\system32\drivers\ComboFix.sys
2007-12-17 14:46:52         0 d-------- C:\Program Files\Trend Micro
2007-12-14 10:44:46         0 d-------- C:\Program Files\iWin
2007-12-13 20:04:41         0 d------c- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-12-13 20:04:06         0 d--h---c- C:\Documents and Settings\Administrator\NetHood
2007-12-13 20:04:06         0 dr-----c- C:\Documents and Settings\Administrator\My Documents
2007-12-13 20:04:06         0 d--h---c- C:\Documents and Settings\Administrator\Local Settings
2007-12-13 20:04:06         0 dr-----c- C:\Documents and Settings\Administrator\Favorites
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Desktop
2007-12-13 20:04:06         0 d--hs--c- C:\Documents and Settings\Administrator\Cookies
2007-12-13 20:04:06         0 dr-h---c- C:\Documents and Settings\Administrator\Application Data
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\Sun
2007-12-13 20:04:06         0 d---s--c- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\Identities
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\AOL
2007-12-13 20:04:05         0 d--h---c- C:\Documents and Settings\Administrator\Templates
2007-12-13 20:04:05         0 dr-----c- C:\Documents and Settings\Administrator\Start Menu
2007-12-13 20:04:05         0 dr-h---c- C:\Documents and Settings\Administrator\SendTo
2007-12-13 20:04:05         0 dr-h---c- C:\Documents and Settings\Administrator\Recent
2007-12-13 20:04:05         0 d--h---c- C:\Documents and Settings\Administrator\PrintHood
2007-12-13 20:04:05   1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-12-13 16:20:59         0 d------c- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-13 16:19:45         0 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-13 16:19:45         0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-12-13 16:18:57         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-12 20:13:58         0 d-------- C:\Program Files\Common Files\xing shared
2007-12-12 20:10:27         0 d-------- C:\Documents and Settings\Owner\Application Data\Real
2007-12-10 20:28:02         0 d-------- C:\WINDOWS\pss
2007-12-10 19:58:09         0 d-------- C:\Program Files\RogueRemover FREE
2007-12-10 19:34:52         0 d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2007-12-10 13:52:26         0 d-------- C:\Program Files\Windows Defender
2007-12-10 13:42:34         0 d-------- C:\Program Files\Microsoft Silverlight
2007-12-10 09:30:12         0 d-------- C:\Program Files\Alwil Software
2007-12-09 23:33:38         0 --a------ C:\WINDOWS\wsystmp_usl.exe
2007-12-09 23:33:06     87552 --a------ C:\WINDOWS\system32\spoolc.exe
2007-12-09 23:33:04    291328 --a------ C:\WINDOWS\system32\libcurl.dll <Not Verified; The cURL library, http://curl.haxx.se/; The cURL library>
2007-12-09 23:33:02     59392 --a------ C:\WINDOWS\derc32xz.exe
2007-12-09 23:32:39    138240 --a------ C:\WINDOWS\xnnnav.exe
2007-12-09 23:32:32        14 --a------ C:\WINDOWS\system32\dllgh8jkd1q8.exe
2007-12-08 18:36:29    237568 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2007-12-06 17:57:41         0 d-------- C:\Program Files\Common Files\SupportSoft
2007-12-06 17:57:16         0 d-------- C:\Program Files\CHARTER


-- Find3M Report ---------------------------------------------------------------

2007-12-17 10:26:45         0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-15 22:21:46         0 d-------- C:\Program Files\BigFix
2007-12-15 18:24:30         0 d-------- C:\Program Files\Common Files
2007-12-13 16:51:13      2514 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-12-13 15:47:47         0 d-------- C:\Documents and Settings\Owner\Application Data\Identities
2007-12-12 20:13:38         0 d-------- C:\Program Files\Common Files\Real
2007-12-10 13:52:06         0 d-------- C:\Program Files\Microsoft AntiSpyware
2007-12-06 17:50:09         0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-13 09:57:06         0 d-------- C:\Program Files\Apple Software Update
2007-11-13 01:28:47         0 d-------- C:\Program Files\iTunes
2007-11-13 01:28:17         0 d-------- C:\Program Files\iPod
2007-11-13 01:25:30         0 d-------- C:\Program Files\QuickTime
2007-11-06 10:40:20         0 d-------- C:\Program Files\MMKids


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-03-11 16:18]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-01-29 20:13]
"msnappau"="C:\Program Files\MSN Apps\Updater\01.05.0000.1009\en-us\msnappau.exe" [2005-06-09 13:56]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 10:01 C:\WINDOWS\SOUNDMAN.EXE]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-12 20:12]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-04 00:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-04 11:50]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Launchpad.lnk - C:\Program Files\IC Media Corp.\ICM532\Launchpad.exe [2004-12-26 12:12:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2007-12-17 18:48:59 ------------

By the way I am in awe of your wisdom!
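What the helper spotted in the DSS "Files created" section above is a timing pattern: six executables dropped into C:\WINDOWS and System32 within about a minute on 2007-12-09, one of them only 14 bytes long. The script below, an added example that is not part of this thread or of Deckard's System Scanner, parses those lines and surfaces both signals automatically: bursts of executable creations close together in time, and suspiciously small executables. The sample input is a constructed subset of the log posted above; the 60-second gap and 1 KiB size thresholds are assumptions.

```python
"""Find creation-time bursts and tiny executables in a DSS "Files created" list.

Added example; not code from the thread or from Deckard's System Scanner.
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple

# Constructed sample: a subset of the "Files created" section posted in this thread.
SAMPLE_DSS = r"""
2007-12-17 15:23:35     60416 --a------ C:\WINDOWS\system32\drivers\ComboFix.sys
2007-12-17 14:46:52         0 d-------- C:\Program Files\Trend Micro
2007-12-13 20:04:05   1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-12-10 19:58:09         0 d-------- C:\Program Files\RogueRemover FREE
2007-12-09 23:33:38         0 --a------ C:\WINDOWS\wsystmp_usl.exe
2007-12-09 23:33:06     87552 --a------ C:\WINDOWS\system32\spoolc.exe
2007-12-09 23:33:04    291328 --a------ C:\WINDOWS\system32\libcurl.dll <Not Verified; The cURL library, http://curl.haxx.se/; The cURL library>
2007-12-09 23:33:02     59392 --a------ C:\WINDOWS\derc32xz.exe
2007-12-09 23:32:39    138240 --a------ C:\WINDOWS\xnnnav.exe
2007-12-09 23:32:32        14 --a------ C:\WINDOWS\system32\dllgh8jkd1q8.exe
2007-12-08 18:36:29    237568 --a------ C:\Documents and Settings\LocalService\ntuser.dat
""".strip()

# timestamp, size, nine-character attribute field, path, optional "<...>" version note
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+(?P<attr>\S{9})\s+(?P<path>.*?)(?:\s+<.*>)?$"
)
CODE_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".bat")


class Created(NamedTuple):
    when: datetime
    size: int
    attr: str
    path: str


def parse_created(text: str) -> List[Created]:
    """Parse every well-formed "Files created" line; skip anything else."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Created(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                               int(m["size"]), m["attr"], m["path"]))
    return out


def code_files(entries: List[Created]) -> List[Created]:
    """Keep files (attribute field not starting with 'd') with an executable extension."""
    return [e for e in entries if e.attr[0] != "d" and e.path.lower().endswith(CODE_EXT)]


def bursts(entries: List[Created], gap: timedelta = timedelta(seconds=60),
           min_files: int = 3) -> List[List[Created]]:
    """Sort executables by creation time and split wherever two neighbours are
    more than `gap` apart; return only groups of at least `min_files`."""
    files = sorted(code_files(entries), key=lambda e: e.when)
    groups: List[List[Created]] = []
    current: List[Created] = []
    for e in files:
        if current and e.when - current[-1].when > gap:
            groups.append(current)
            current = []
        current.append(e)
    if current:
        groups.append(current)
    return [g for g in groups if len(g) >= min_files]


def tiny_executables(entries: List[Created], max_size: int = 1024) -> List[Created]:
    """Executables of at most `max_size` bytes: too small to be a real program."""
    return [e for e in code_files(entries) if e.size <= max_size]


if __name__ == "__main__":
    entries = parse_created(SAMPLE_DSS)
    for group in bursts(entries):
        span = (group[-1].when - group[0].when).total_seconds()
        print(f"{len(group)} executables created within {span:.0f}s starting {group[0].when}:")
        for e in group:
            print(f"    {e.when:%H:%M:%S} {e.size:>8} {e.path}")
    for e in tiny_executables(entries):
        print(f"tiny executable ({e.size} bytes): {e.path}")
```

Run against the sample, the burst detector returns the six files from 23:32:32 to 23:33:38 as one group and leaves ComboFix.sys (created a week later, on its own) out; the size check picks out the 0-byte and 14-byte executables. Both are triage hints, not verdicts: a legitimate installer also drops many files at once, so the next step is still to hash and look up each file, as the helper asks for further down.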
Title: Re: fake windows security alert....control panel is gone
Post by: oldman on December 17, 2007, 01:58:16 AM
Looking better. Please submit these files to virustotal

To submit a file to VirusTotal, please click on this link

www.virustotal.com

Copy and paste the following into the "upload a file" box (one at a time if more than one file is listed):

C:\WINDOWS\system32\spoolc.exe
C:\WINDOWS\derc32xz.exe
C:\WINDOWS\xnnnav.exe
C:\WINDOWS\system32\dllgh8jkd1q8.exe
C:\WINDOWS\wsystmp_usl.exe


Scroll down a bit and click "send file", wait for the results and post them in your next reply.
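Two things happen to the uploads later in this thread: several files come back as "already been analysed" with an MD5 and a results count, and one upload is refused as an empty file. Both can be caught before submitting. The script below, an added example that is not part of this thread or of VirusTotal's tooling, hashes a suspect file in chunks, refuses 0-byte files, and checks the MD5 against a list of hashes already seen (here, the MD5 values VirusTotal reported back in this thread) so that a known sample is looked up by hash rather than re-uploaded; VirusTotal supports searching by hash. The `ALREADY_ANALYSED` set and the thresholds are taken from this thread; everything else is assumed.

```python
"""Fingerprint a suspect file before sending it to a multi-engine scanner.

Added example; not code from the thread or from VirusTotal.
"""
import hashlib
from typing import Dict, Iterable, Set

# MD5 values VirusTotal reported back in this thread as "already been analysed".
ALREADY_ANALYSED: Set[str] = {
    "dd269e03ed85557e1fd7f9bd6d52adb7",
    "fd0a0c863e38e5f2a569a7e8dcc3b1d8",
    "e620fb0e4f3bd208ce6e75b25df21542",
    "cfab9fd1ca5876c847332170a8486b29",
}

HASHES = ("md5", "sha1", "sha256")


def fingerprint_bytes(data: bytes) -> Dict[str, object]:
    """Size and digests of an in-memory sample (useful for tests and small files)."""
    return {"size": len(data), **{name: hashlib.new(name, data).hexdigest() for name in HASHES}}


def fingerprint_file(path: str) -> Dict[str, object]:
    """Hash a file in 64 KiB chunks so large samples never need to fit in memory."""
    digests = {name: hashlib.new(name) for name in HASHES}
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            size += len(chunk)
            for d in digests.values():
                d.update(chunk)
    return {"size": size, **{name: d.hexdigest() for name, d in digests.items()}}


def upload_plan(fp: Dict[str, object], known: Iterable[str] = ALREADY_ANALYSED) -> str:
    """Decide what to do with a fingerprinted file.

    Empty files are rejected by the upload form (as the thread shows), and a
    hash the service has already scanned can be looked up instead of uploaded.
    """
    if fp["size"] == 0:
        return "skip: empty file (the upload form rejects 0-byte files)"
    if fp["md5"] in set(known):
        return "lookup: hash already analysed, search by MD5 instead of uploading"
    return "upload: new sample, submit for scanning"


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        fp = fingerprint_file(path)
        print(f"{path}: {fp['size']} bytes md5={fp['md5']} sha1={fp['sha1']}")
        print(f"    {upload_plan(fp)}")
```

Recording SHA-256 alongside MD5 and SHA-1 matters because MD5 collisions are cheap to produce; when you later compare the file you kept against a vendor's report, match on the strongest hash both sides provide.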
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 17, 2007, 02:04:16 AM
1st one:
Said already been analysed.
MD5: dd269e03ed85557e1fd7f9bd6d52adb7
Date: 12.11.2007 03:22:56 (CET) [>5D]
Results: 23/32
Permalink: resultado.html?861530b0b5686c18ad8bbeb2723418d9
Title: Re: fake windows security alert....control panel is gone
Post by: oldman on December 17, 2007, 02:53:50 AM
OK, check the others and let me know. We may be almost done. How are things on your end?
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 17, 2007, 03:00:00 AM
File has already been analysed:
MD5: fd0a0c863e38e5f2a569a7e8dcc3b1d8
Date: 12.11.2007 17:00:22 (CET) [>5D]
Results: 3/32
Permalink: resultado.html?7ef8d3c1c6db333260514020c1a2b2c0
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 17, 2007, 03:02:10 AM
Sorry about the delay; for some reason unknown the last upload took an hour, so I stopped it and tried again and it went right away. Must have been something with my connection? I'll continue to post the others........
File has already been analysed:
MD5: e620fb0e4f3bd208ce6e75b25df21542
Date: 12.10.2007 11:48:02 (CET) [>6D]
Results: 9/32
Permalink: resultado.html?ebed416f7b9f4054e6b253e66cea9977
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 17, 2007, 03:10:31 AM
File dllgh8jkd1q8.exe received on 12.17.2007 03:02:36 (CET)


Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2007.12.15.10 2007.12.14 -
AntiVir 7.6.0.45 2007.12.16 -
Authentium 4.93.8 2007.12.16 -
Avast 4.7.1098.0 2007.12.16 -
AVG 7.5.0.503 2007.12.16 -
BitDefender 7.2 2007.12.17 -
CAT-QuickHeal 9.00 2007.12.15 -
ClamAV 0.91.2 2007.12.17 -
DrWeb 4.44.0.09170 2007.12.16 -
eSafe 7.0.15.0 2007.12.16 -
eTrust-Vet 31.3.5375 2007.12.14 -
Ewido 4.0 2007.12.16 -
FileAdvisor 1 2007.12.17 -
Fortinet 3.14.0.0 2007.12.16 -
F-Prot 4.4.2.54 2007.12.17 -
F-Secure 6.70.13030.0 2007.12.17 -
Ikarus T3.1.1.15 2007.12.17 -
Kaspersky 7.0.0.125 2007.12.17 -
McAfee 5186 2007.12.14 -
Microsoft 1.3109 2007.12.17 -
NOD32v2 2723 2007.12.14 -
Norman 5.80.02 2007.12.13 -
Panda 9.0.0.4 2007.12.16 -
Prevx1 V2 2007.12.17 -
Rising 20.22.41.00 2007.12.14 -
Sophos 4.24.0 2007.12.16 -
Sunbelt 2.2.907.0 2007.12.15 -
Symantec 10 2007.12.15 -
TheHacker 6.2.9.160 2007.12.14 -
VBA32 3.12.2.5 2007.12.14 -
VirusBuster 4.3.26:9 2007.12.16 -
Webwasher-Gateway 6.6.2 2007.12.17 -
Additional information
File size: 14 bytes
MD5: cfab9fd1ca5876c847332170a8486b29
SHA1: 2b09b878ea36f056dd34e500dcca17c745320c3a
PEiD: -


 ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.


Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 17, 2007, 03:12:30 AM
0 bytes size received / Se ha recibido un archivo vacio
This is how the last one came up. Not sure why it is different, but I am sure you are.
Title: Re: fake windows security alert....control panel is gone
Post by: oldman on December 17, 2007, 03:39:59 AM
Let me know of any problems after you do this.

Use OTMOVEIT TO BANISH THESE

C:\WINDOWS\system32\spoolc.exe
C:\WINDOWS\derc32xz.exe
C:\WINDOWS\xnnnav.exe
C:\WINDOWS\system32\dllgh8jkd1q8.exe
C:\WINDOWS\wsystmp_usl.exe
C:\Documents and Settings\Owner\Application Data\wklnhst.dat


Post the results and a new DSS log. Thanks
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 17, 2007, 03:43:43 AM
C:\WINDOWS\system32\spoolc.exe moved successfully.
C:\WINDOWS\derc32xz.exe moved successfully.
C:\WINDOWS\xnnnav.exe moved successfully.
C:\WINDOWS\system32\dllgh8jkd1q8.exe moved successfully.
C:\WINDOWS\wsystmp_usl.exe moved successfully.
C:\Documents and Settings\Owner\Application Data\wklnhst.dat moved successfully.
File/Folder  not found.
 
Created on 12-17-2007 20:41:26
DSS log next........
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 17, 2007, 03:45:36 AM
Deckard's System Scanner v20071014.68
Run by Owner on 2007-12-17 20:42:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 247 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:42, on 2007-12-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\IC Media Corp\ICM532\Launchpad.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.05.0000.1009\en-us\msnappau.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Launchpad.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 17, 2007, 03:46:19 AM
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103922804920
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/chuzzle/popcaploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 17, 2007, 03:47:17 AM
End of file - 8953 bytes

-- Files created between 2007-11-17 and 2007-12-17 -----------------------------

2007-12-17 15:23:35     60416 --a------ C:\WINDOWS\system32\drivers\ComboFix.sys
2007-12-17 14:46:52         0 d-------- C:\Program Files\Trend Micro
2007-12-14 10:44:46         0 d-------- C:\Program Files\iWin
2007-12-13 20:04:41         0 d------c- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-12-13 20:04:06         0 d--h---c- C:\Documents and Settings\Administrator\NetHood
2007-12-13 20:04:06         0 dr-----c- C:\Documents and Settings\Administrator\My Documents
2007-12-13 20:04:06         0 d--h---c- C:\Documents and Settings\Administrator\Local Settings
2007-12-13 20:04:06         0 dr-----c- C:\Documents and Settings\Administrator\Favorites
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Desktop
2007-12-13 20:04:06         0 d--hs--c- C:\Documents and Settings\Administrator\Cookies
2007-12-13 20:04:06         0 dr-h---c- C:\Documents and Settings\Administrator\Application Data
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\Sun
2007-12-13 20:04:06         0 d---s--c- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\Identities
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-12-13 20:04:06         0 d------c- C:\Documents and Settings\Administrator\Application Data\AOL
2007-12-13 20:04:05         0 d--h---c- C:\Documents and Settings\Administrator\Templates
2007-12-13 20:04:05         0 dr-----c- C:\Documents and Settings\Administrator\Start Menu
2007-12-13 20:04:05         0 dr-h---c- C:\Documents and Settings\Administrator\SendTo
2007-12-13 20:04:05         0 dr-h---c- C:\Documents and Settings\Administrator\Recent
2007-12-13 20:04:05         0 d--h---c- C:\Documents and Settings\Administrator\PrintHood
2007-12-13 20:04:05   1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-12-13 16:20:59         0 d------c- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-13 16:19:45         0 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-13 16:19:45         0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2007-12-13 16:18:57         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-12 20:13:58         0 d-------- C:\Program Files\Common Files\xing shared
2007-12-12 20:10:27         0 d-------- C:\Documents and Settings\Owner\Application Data\Real
2007-12-10 20:28:02         0 d-------- C:\WINDOWS\pss
2007-12-10 19:58:09         0 d-------- C:\Program Files\RogueRemover FREE
2007-12-10 19:34:52         0 d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2007-12-10 13:52:26         0 d-------- C:\Program Files\Windows Defender
2007-12-10 13:42:34         0 d-------- C:\Program Files\Microsoft Silverlight
2007-12-10 09:30:12         0 d-------- C:\Program Files\Alwil Software
2007-12-09 23:33:04    291328 --a------ C:\WINDOWS\system32\libcurl.dll <Not Verified; The cURL library, http://curl.haxx.se/; The cURL library>
2007-12-08 18:36:29    237568 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2007-12-06 17:57:41         0 d-------- C:\Program Files\Common Files\SupportSoft
2007-12-06 17:57:16         0 d-------- C:\Program Files\CHARTER


-- Find3M Report ---------------------------------------------------------------

2007-12-17 10:26:45         0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-15 22:21:46         0 d-------- C:\Program Files\BigFix
2007-12-15 18:24:30         0 d-------- C:\Program Files\Common Files
2007-12-13 15:47:47         0 d-------- C:\Documents and Settings\Owner\Application Data\Identities
2007-12-12 20:13:38         0 d-------- C:\Program Files\Common Files\Real
2007-12-10 13:52:06         0 d-------- C:\Program Files\Microsoft AntiSpyware
2007-12-06 17:50:09         0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-13 09:57:06         0 d-------- C:\Program Files\Apple Software Update
2007-11-13 01:28:47         0 d-------- C:\Program Files\iTunes
2007-11-13 01:28:17         0 d-------- C:\Program Files\iPod
2007-11-13 01:25:30         0 d-------- C:\Program Files\QuickTime
2007-11-06 10:40:20         0 d-------- C:\Program Files\MMKids


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-03-11 16:18]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-01-29 20:13]
"msnappau"="C:\Program Files\MSN Apps\Updater\01.05.0000.1009\en-us\msnappau.exe" [2005-06-09 13:56]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 10:01 C:\WINDOWS\SOUNDMAN.EXE]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-12 20:12]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-04 00:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-04 11:50]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Launchpad.lnk - C:\Program Files\IC Media Corp.\ICM532\Launchpad.exe [2004-12-26 12:12:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2007-12-17 20:43:03 ------------

Title: Re: fake windows security alert....control panel is gone
Post by: oldman on December 17, 2007, 04:34:22 AM
Okay, it looks good.

Can you rename catchme.zip to something else.zip? I'll let you know what to do with it.

If you are not experiencing any problems, we'll start cleaning up. If you are having problems, let me know now before proceeding.


1. Click the Start button, click Run, copy and paste this line into the box and click OK

combofix /u

2. Double-click OTMoveIt.exe to run it, then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet; allow this. A cleanup.txt will be downloaded and a message dialog will ask you if you want to proceed with the cleanup process; click Yes. This will delete all the tools you have downloaded plus itself.


3. Clean out some old restore points.

Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point.

4. Remove old restore points

Disk Cleanup
- Go to Start - All Programs - Accessories, launch the Disk Cleanup tool and let it run. When it finishes, a box with tabs will appear; select the More Options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.



5. Your Java is way out of date.

Open an Internet Explorer (only) window and go to http://www.java.com/en/download/manual.jsp > In the middle of the page, click on the Download button to the right of Java Runtime Environment (JRE) 6u3 > If the Information Bar pops up, right-click on it and say it's OK to display the blocked content.

You do not have to install the Java Web Start ActiveX Control.


Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and save the file jre-6u3-windows-i586-p.exe to your desktop; do not run it.

When the download is complete, close all browser windows and double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar except Java TM 6 Update 3 which you just installed.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders except the subfolder jre1.6.0_03 which was just created by the installation above.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!


6. I didn't see a firewall besides Windows Firewall; you may want to check out this link for a good free firewall that provides outbound protection.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0


7. And this is a good all-purpose cleaner if you don't already have one. When first run, it is in demo mode to show you what it will remove. When you run it the second time, make sure it's not still in demo mode.

CleanUp (http://www.stevengould.org/downloads/cleanup/)


Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 17, 2007, 05:57:55 AM
OK, I changed the file name to workingitout.zip and when I went to run the cleanup it says that it is unable to contact the internet and that cleanup failed, even though I am connected. Ever had that before? I tried to restart and try again and the same happened.
Title: Re: fake windows security alert....control panel is gone
Post by: oldman on December 17, 2007, 03:03:51 PM
Yes, you have to allow OTMoveIt to connect to the internet, though with Windows Firewall that shouldn't be a problem, as Windows Firewall doesn't monitor outbound traffic. Do you have a router with a firewall?
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 17, 2007, 03:26:13 PM
I really don't know, I only know of the windows firewall.  Unless something that you had me install is blocking it?  I doubt it.  I'll look around and do a search and see if I find anything.
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 17, 2007, 03:43:49 PM
I just don't know what to look for. I searched for firewalls and routers and I did get two files for router but I didn't touch them: Router.dsp and IARouter.dll. I don't think that is what you are looking for but I guess you would know more than me. I'm practically a blank slate when it comes to computers, as you have seen. Let me know if you think of anything.
Title: Re: fake windows security alert....control panel is gone
Post by: oldman on December 18, 2007, 02:55:32 PM
Hi Lava25, sorry about the delay

If you still can't get the OTMOVEIT cleanup button to work

uninstall HJT via add/remove programs

delete these folders

C:\Deckard
C:\OTMOVEIT
C:\Qoobox (if present)

That zip file can be deleted, empty the recycle bin after
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 18, 2007, 04:55:30 PM
The above tasks are completed!  I can't thank you enough, you saved my sanity!  Is my computer done with the nightmare now?
Title: Re: fake windows security alert....control panel is gone
Post by: oldman on December 18, 2007, 05:33:25 PM
As far as I can tell, you are good to go.  :)  Are you having any problems?
Title: Re: fake windows security alert....control panel is gone
Post by: Lava25 on December 18, 2007, 05:46:31 PM
Nope, I don't see anything wrong right now!  Good as new!  Thanks again!!! ;D
Title: Re: fake windows security alert....control panel is gone
Post by: oldman on December 18, 2007, 05:48:24 PM
You're welcome. Keep safe and please consider a third-party firewall.

Happy holidays.