Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Security System Protection Control Panel & System Integrity Scan Wizard Popups

  • Please log in to reply
2 replies to this topic

#1 Dark Eagle

Dark Eagle

  • Members
  • 3 posts
  • Local time:02:07 AM

Posted 19 April 2008 - 02:30 AM

My PC is infected with 3 malware popups named Security System Proctection Control Panel, System Integrity Scan Wizard and Security System Warning (the last one telling me I have Abebot). I have tried to get rid of them with Kaspersky Antit-Virus, Adaware, spyware sweeper, and SpybotSD, but they are still running. I didn't run the online scan by Kaspersky because I have the most recent version installed and running on my PC. When I ran a rootkit scan with KAV, it took just over four hours and reported my PC was clean. So for whatever reason Kaspersky is not picking up these three forms of malware. Following all other directions on your preliminary instruction list I used Deckard's System Scanner to make two Hijack This files. They are pasted in below. Please take a look and tell me what I should do to get rid of this malware. Thank you very much for this valuable service you are providing.

-- Dark Eagle

Deckard's System Scanner v20071014.68
Run by Perry H. Chesnut on 2008-04-18 23:11:18
Computer is in Normal Mode.

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Perry H. Chesnut.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:35 PM, on 4/18/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
F:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
F:\Program Files\Paltalk Messenger\paltalk.exe
F:\Documents and Settings\Perry H. Chesnut\Desktop\dss.exe
F:\Program Files\Webroot\Spy Sweeper\SSU.EXE
F:\PROGRA~1\TRENDM~1\HIJACK~1\Perry H. Chesnut.exe

R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TotalRecorderScheduler] "F:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" F:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" F:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [SMSystemAnalyzer] "F:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [AVP] "F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [swg] "F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] "F:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" /S
O4 - HKCU\..\Run: [spjpufts] F:\WINNT\system32\lulsfqte.exe
O4 - HKLM\..\Policies\Explorer\Run: [KNG7wKNG7w] F:\Documents and Settings\All Users\Application Data\ylopuxad\apenonaf.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Microsoft Find Fast.lnk = F:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: PalTalk.lnk = F:\Program Files\Paltalk Messenger\paltalk.exe
O8 - Extra context menu item: Lookup on CD - F:\AHD4WITHTHESAURUS\ahd.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - F:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - F:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Lookup on CD - {CB9CDC2D-0AB4-4031-A1F7-E9B4070CE521} - F:\AHD4WITHTHESAURUS\ahd.htm (HKCU)
O12 - Plugin for .mov: F:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1156390645058
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156396209932
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{88E6EBB1-4A71-40D7-B15F-214E012D49E5}: NameServer =,
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\..\{88E6EBB1-4A71-40D7-B15F-214E012D49E5}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer =
O20 - Winlogon Notify: ATINotify - logonnfy.dll (file missing)
O21 - SSODL: omlbpkaw - {B1941939-5DD1-4A08-9128-A2A02263F190} - (no file)
O21 - SSODL: pmsoarbf - {97E841FB-7287-4FDF-89AC-FB1FD2B2680A} - F:\WINNT\pmsoarbf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - F:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINNT\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: Privacy Protection - file:///F:\WINNT\privacy_danger\index.htm

End of file - 7310 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - NOTEPAD.EXE %1
.reg - regfile - shell\open\command - NOTEPAD.EXE %1
.scr - scrfile - shell\open\command - NOTEPAD.EXE %1
.vbs - VBSFile - shell\open\command - NOTEPAD.EXE %1

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 FileDisk - f:\winnt\system32\drivers\filedisk.sys <Not Verified; iolo technologies, LLC (based on original work by Bo BrantÚn); filedisk (based on original work by Bo BrantÚn)>
R2 MCSTRM - f:\winnt\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager« (32-bit)>

S3 LTower (LEGO USB Tower Driver) - f:\winnt\system32\drivers\ltower.sys <Not Verified; The LEGO Group; LEGO USB Tower Driver>
S3 PciCon - d:\pcicon.sys (file missing)
S3 vtdg46xx - f:\program files\turtle beach\santa cruz\control panel\vtdg46xx.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_13F6&DEV_0111&SUBSYS_80E21043&REV_10\3&61AAA01&0&28
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_13F6&DEV_0111&SUBSYS_80E21043&REV_10\3&61AAA01&0&28

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_1033&DEV_00E0&SUBSYS_11E09004&REV_02\4&36EC0E2&0&4268
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_1033&DEV_00E0&SUBSYS_11E09004&REV_02\4&36EC0E2&0&4268

-- Scheduled Tasks -------------------------------------------------------------

2008-04-18 14:00:00 1556 --a------ F:\WINNT\Tasks\wrSpySweeper_387E46AB0CFF496081AB31CCE44ED9B4.job
2008-04-17 17:00:11 1664 --a------ F:\WINNT\Tasks\wrSpySweeper_A2328A9E87994F96850F3C976E2B7C0B.job

-- Files created between 2008-03-18 and 2008-04-18 -----------------------------

2008-04-18 23:46:23 16384 --a-----t F:\WINNT\system32\Perflib_Perfdata_60c.dat
2008-04-18 20:59:22 0 d-------- F:\Program Files\Trend Micro
2008-04-18 14:58:41 16384 --a-----t F:\WINNT\system32\Perflib_Perfdata_4e4.dat
2008-04-18 13:00:19 16384 --a-----t F:\WINNT\system32\Perflib_Perfdata_5e0.dat
2008-04-18 08:46:37 0 d-------- F:\WINNT\privacy_danger
2008-04-17 13:25:26 0 d-------- F:\Program Files\Lavasoft
2008-04-17 13:25:25 0 d-------- F:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-17 13:23:35 0 d-------- F:\Program Files\Common Files\Wise Installation Wizard
2008-04-17 10:30:16 16384 --a-----t F:\WINNT\system32\Perflib_Perfdata_648.dat
2008-04-16 19:04:38 102400 --a------ F:\WINNT\system32\lulsfqte.exe
2008-04-16 17:14:00 0 d-------- F:\Documents and Settings\Perry H. Chesnut\Application Data\TmpRecentIcons
2008-04-16 15:45:57 38400 --a------ F:\WINNT\system32\ddcDuTKe.dll
2008-04-16 15:22:14 4096 --a------ F:\WINNT\system32taack.dat
2008-04-16 15:21:55 4096 --a------ F:\WINNT\system32hxiwlgpm.dat
2008-04-16 15:09:57 4096 --a------ F:\WINNT\system32ssvchost.com
2008-04-16 15:09:08 94208 --a------ F:\WINNT\rtqmekwg.exe
2008-04-16 15:07:49 4096 --a------ F:\WINNT\system32bdn.com
2008-04-16 15:07:37 155648 --a------ F:\WINNT\qtvglped.dll
2008-04-16 15:06:06 94208 --a------ F:\WINNT\npqtsrak.exe
2008-04-16 15:04:18 188416 --a------ F:\WINNT\pmsoarbf.dll
2008-04-16 14:56:04 0 d-------- F:\Documents and Settings\All Users\Application Data\ylopuxad
2008-04-16 14:49:20 106496 --a------ F:\WINNT\system32\ihshizqj.exe
2008-04-16 11:35:26 16384 --a-----t F:\WINNT\system32\Perflib_Perfdata_560.dat
2008-04-11 16:36:34 0 d-------- F:\BibSchol
2008-04-11 16:36:07 13564 --a------ F:\WINNT\INSTALL.DAT
2008-04-03 10:32:36 16384 --a-----t F:\WINNT\system32\Perflib_Perfdata_638.dat
2008-03-28 08:33:24 16384 --a-----t F:\WINNT\system32\Perflib_Perfdata_668.dat
2008-03-26 07:56:24 16384 --a-----t F:\WINNT\system32\Perflib_Perfdata_654.dat

-- Find3M Report ---------------------------------------------------------------

2008-04-18 14:55:20 1017302 ---h----- F:\WINNT\ShellIconCache
2008-04-17 13:23:35 0 d-a------ F:\Program Files\Common Files
2008-04-13 23:37:06 0 d-------- F:\Program Files\JP Tanach
2008-04-13 23:36:37 0 d-------- F:\Program Files\work
2008-03-17 10:34:28 16384 --a-----t F:\WINNT\system32\Perflib_Perfdata_674.dat
2008-03-07 21:09:28 4 --a------ F:\WINNT\system32\052C15
2008-03-04 12:14:23 0 d-------- F:\Program Files\Common Files\Adobe
2008-03-03 22:26:13 2557 --a------ F:\WINNT\unins000.dat
2008-03-03 21:05:22 691545 --a------ F:\WINNT\unins000.exe
2008-03-02 23:11:24 0 d-------- F:\Program Files\Judaic Bookshelf
2008-03-02 23:06:42 286720 --a------ F:\WINNT\iun506.exe <Not Verified; Indigo Rose Corporation; Setup Factory 5.0 Uninstaller>
2008-03-02 22:19:15 216064 --a------ F:\WINNT\iun3405.exe <Not Verified; Indigo Rose Corporation; Indigo Rose Corporation unin32>
2008-03-02 12:48:38 16384 --a-----t F:\WINNT\system32\Perflib_Perfdata_608.dat
2008-02-23 14:02:51 0 d-------- F:\Program Files\LizardTech
2008-02-07 12:00:53 16384 --a-----t F:\WINNT\system32\Perflib_Perfdata_59c.dat
2008-02-05 13:43:28 1942 --a------ F:\WINNT\mozver.dat
2008-01-22 14:05:17 164 --a------ F:\install.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

"TotalRecorderScheduler"="F:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe" [12/05/06 08:49p]
"NeroFilterCheck"="F:\WINNT\system32\NeroCheck.exe" [07/09/01 03:50a]
"NvCplDaemon"="RUNDLL32.exe" [12/07/99 05:00a F:\WINNT\system32\rundll32.exe]
"nwiz"="nwiz.exe" [10/22/06 12:22p F:\WINNT\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [12/07/99 05:00a F:\WINNT\system32\rundll32.exe]
"Synchronization Manager"="mobsync.exe" [06/19/03 12:05p F:\WINNT\system32\mobsync.exe]
"SMSystemAnalyzer"="F:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe" [06/18/07 05:09p]
"AVP"="F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [06/28/07 12:51p]
"Adobe Reader Speed Launcher"="F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/08 11:16p]
"SpySweeper"="F:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/08 09:56p]

"swg"="F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/03/07 09:41p]
"@"="" []
"Uniblue RegistryBooster 2"="F:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [06/12/07 04:11p]
"spjpufts"="F:\WINNT\system32\lulsfqte.exe" [04/16/08 07:04p]

"^SetupICWDesktop"=F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

F:\Documents and Settings\Perry H. Chesnut\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - F:\Program Files\Microsoft Office\Office\FINDFAST.EXE [12/9/1996]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
PalTalk.lnk - F:\Program Files\Paltalk Messenger\paltalk.exe [12/11/2007 1:34:40 PM]

"KNG7wKNG7w"=F:\Documents and Settings\All Users\Application Data\ylopuxad\apenonaf.exe

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///F:\WINNT\privacy_danger\index.htm
FriendlyName= Privacy Protection

"pmsoarbf"= {97E841FB-7287-4FDF-89AC-FB1FD2B2680A} - F:\WINNT\pmsoarbf.dll [04/16/08 08:00a 188416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATINotify]





-- End of Deckard's System Scanner: finished at 2008-04-18 23:53:19 ------------

------------------------------------------------ here is the second Hijack This file -----------------------------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ Processor
Percentage of Memory in Use: 42%
Physical Memory (total/avail): 1279.47 MiB / 740.12 MiB
Pagefile Memory (total/avail): 1898.42 MiB / 1443.07 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1952.89 MiB

A: is Removable (No Media)
E: is CDROM (No Media)
F: is Fixed (NTFS) - 127.99 GiB total, 49.98 GiB free.
G: is Fixed (NTFS) - 127.99 GiB total, 32.02 GiB free.

\\.\PHYSICALDRIVE1 - ST3160023A - 149.05 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 127.99 GiB - G:

\\.\PHYSICALDRIVE0 - ST3160812A - 149.05 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 127.99 GiB - F:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=F:\Documents and Settings\All Users
APPDATA=F:\Documents and Settings\Perry H. Chesnut\Application Data
CommonProgramFiles=F:\Program Files\Common Files
HOMEPATH=\Documents and Settings\Perry H. Chesnut
Path=F:\Program Files\Mozilla Firefox;F:\Program Files\Internet Explorer;;F:\WINNT\system32;F:\WINNT;F:\WINNT\system32\WBEM
PROCESSOR_IDENTIFIER=x86 Family 6 Model 4 Stepping 2, AuthenticAMD
ProgramFiles=F:\Program Files
USERNAME=Perry H. Chesnut
USERPROFILE=F:\Documents and Settings\Perry H. Chesnut

-- User Profiles ---------------------------------------------------------------

Perry H. Chesnut (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> F:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> F:\WINNT\IsUninst.exe -f"F:\Program Files\E-Color\Colorific\cfmunins.isu"
150Fonts --> F:\WINNT\150Fonts.exe
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0 --> F:\WINNT\ISUNINST.EXE -f"F:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"F:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player Plugin --> F:\WINNT\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> F:\WINNT\system32\Macromed\SHOCKW~1\UNWISE.EXE F:\WINNT\system32\Macromed\SHOCKW~1\Install.log
American Heritage« Dictionary, 4th Ed. --> "F:\AHD4WITHTHESAURUS\KaUnInsta1.exe" F:\WINNT\uninst.exe -fF:\AHD4WITHTHESAURUS\DeIsL1.isu -y
ATI Multimedia Center --> F:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{B7DC0CAF-0D27-4ACE-8E34-8594C8D7C1DB} /l1033
Audio Editor Pro 1.60 --> "F:\Program Files\Mightsoft\Audio Editor Pro\unins000.exe"
Comcast High-Speed Internet Install Wizard --> F:\Program Files\support.com\uninstall\chsi_uninstaller.exe
DAO --> F:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}
Davar 2.4 --> "F:\Program Files\Davar\unins000.exe"
DiscWizard for Windows --> RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{A1BC8E02-6B5B-4B4A-A75F-B27A16918C2B}\Setup.exe"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "f:\program files\google\googletoolbar3.dll"
HijackThis 2.0.2 --> "F:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
iolo technologies' System Mechanic Professional 7 --> "F:\Program Files\iolo\System Mechanic Professional 7\unins000.exe"
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
JP Tanach --> F:\WINNT\iun3405.exe F:\Program Files\JP Tanach
Judaic Bookshelf --> F:\WINNT\iun506.exe F:\Program Files\Judaic Bookshelf\irunin.ini
Judaic Classics Library --> F:\WINNT\uninst.exe -f"F:\Program Files\Davka\Judaic Classics\DeIsL4.isu" -c"F:\Program Files\Davka\Judaic Classics\_ISREG32.DLL"
Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
Macromedia Dreamweaver 8 --> MsiExec.exe /I{0837A661-FEC3-48B3-876C-91E7D32048A9}
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Fireworks 8 --> MsiExec.exe /I{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB886903) --> "F:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "F:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\M886903\M886903Uninstall.msp"
Microsoft .NET Framework 2.0 Service Pack 1 --> MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Access 97 --> F:\Program Files\Microsoft Office\Office\Setup\AcmeAcc.exe /w Acc97.stf
Microsoft Excel 97 --> F:\Program Files\Microsoft Office\Office\Setup\AcmeXl.exe /w Excel97.stf
Microsoft Office 97 Unique Identifier Removal Tool --> RunDll32 advpack.dll,LaunchINFSection F:\WINNT\INF\propfix.inf, RemovePropFix
Microsoft Project 2000 SR-1 --> MsiExec.exe /I{2DFE1608-BDCA-11D1-B7AE-00C04FB92F3D}
Microsoft Word 97 --> F:\Program Files\Microsoft Office\Office\Setup\AcmeWord.exe /w Word97.stf
Mozilla Firefox ( --> F:\Program Files\Mozilla Firefox\uninstall\helper.exe
MrSID Browser Plug-in 1.3 --> F:\WINNT\IsUninst.exe -f"F:\Program Files\LizardTech\MrSID Browser Plug-in 1.3\Uninst.isu"
Nero Media Player --> F:\WINNT\UNNMP.exe /UNINSTALL
Nero OEM --> F:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NVIDIA Drivers --> F:\WINNT\system32\nvudisp.exe UninstallGUI
Paltalk Messenger Interop --> "F:\Program Files\Paltalk Messenger Interop\uninstall.exe"
PaltalkScene --> "F:\WINNT\Paltalk Messenger\uninstall.exe" "/U:F:\Program Files\Paltalk Messenger\irunin.xml"
Panda ActiveScan --> F:\WINNT\system32\ASUninst.exe Panda ActiveScan
QuickTime --> F:\WINNT\unvise32qt.exe F:\WINNT\system32\QuickTime\Uninstall.log
RealPlayer --> F:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Registry Mechanic 6.0 --> "F:\Program Files\Registry Mechanic\unins000.exe"
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Security Update for DirectX 9 (KB941568) --> "F:\WINNT\$NtUninstallKB941568_DX9$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB904706) --> "F:\WINNT\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB923689) --> "F:\WINNT\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB941569) --> "F:\WINNT\$NtUninstallKB941569$\spuninst\spuninst.exe"
SoundCheck --> RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{02A232A7-07E1-47B7-AA38-C34FE6E44499}\setup.exe"
SpongeBob SquarePants - The Movie --> RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{B98D958E-9E59-43B7-B47F-043D45D73EE6}\setup.exe" -l0x9 -uninst
Spy Sweeper --> "F:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Spybot - Search & Destroy --> "F:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy --> "F:\WINNT\unins000.exe"
Super Milon --> F:\WINNT\uninst.exe -f"F:\Program Files\Computronic\Super Milon\DeIsL3.isu"
Tanach Plus --> F:\WINNT\iun506.exe F:\Program Files\Tanach Plus\irunin.ini
TopStyle Lite (Version 3.0) --> F:\WINNT\unlite3.exe "F:\Program Files\Bradbury\TopStyle3"
Total Recorder 6.1 --> "F:\Program Files\HighCriteria\TotalRecorder\setup.exe" U
Turtle Beach Santa Cruz Driver --> RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{A4D58580-EA01-11D3-9318-008048B86EFE}\setup.exe"
Uniblue RegistryBooster 2 --> "F:\Program Files\Uniblue\RegistryBooster 2\unins000.exe"
Uniblue System Tweaker --> "F:\Program Files\Uniblue\System Tweaker\unins000.exe"
ViceVersa Pro 2 (Build 2010) --> "F:\Program Files\ViceVersa Pro 2\unins000.exe"
ViewSonic Monitor Drivers --> RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{48963B63-7A10-49D6-8B08-61E6132453D0}\Setup.exe" -l0x9
ViewSonic Windows 2K Signed Files --> RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{9183BD11-101E-11D6-B7C9-005004566E4D}\Setup.exe" -l0x9
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Player system update (9 Series) --> F:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
WinZip --> "F:\Program Files\WinZip\WINZIP32.EXE" /uninstall

-- Application Event Log -------------------------------------------------------

Event Record #/Type26690 / Warning
Event Submitted/Written: 04/18/2008 02:59:11 PM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET_2.0.50727 performance library because it returned invalid data: 0x0

Event Record #/Type26689 / Warning
Event Submitted/Written: 04/18/2008 02:59:10 PM
Event ID/Source: 37 / WinMgmt
Event Description:
WMI ADAP was unable to load the F:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll performance library due to an unknown problem within the library: 0x0

Event Record #/Type26688 / Warning
Event Submitted/Written: 04/18/2008 02:59:09 PM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET performance library because it returned invalid data: 0x0

Event Record #/Type26682 / Error
Event Submitted/Written: 04/18/2008 01:00:49 PM
Event ID/Source: 452 / ESENT
Event Description:
wuaueng.dll (1164) Database F:\WINNT\SoftwareDistribution\DataStore\DataStore.edb require log files 144-145, current redoing log file for this database is 145.

Event Record #/Type26681 / Warning
Event Submitted/Written: 04/18/2008 01:00:33 PM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET_2.0.50727 performance library because it returned invalid data: 0x0

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type3465 / Error
Event Submitted/Written: 04/18/2008 11:15:47 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.

Event Record #/Type3457 / Error
Event Submitted/Written: 04/18/2008 00:52:48 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Webroot Spy Sweeper Engine service failed to start due to the following error:

Event Record #/Type3454 / Error
Event Submitted/Written: 04/18/2008 00:52:40 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Webroot Spy Sweeper Engine service to connect.

Event Record #/Type3408 / Error
Event Submitted/Written: 04/17/2008 01:05:46 PM
Event ID/Source: 20 / Windows Update Agent
Event Description:
Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework, Version 1.1 Service Pack 1 (KB928366).

Event Record #/Type3394 / Error
Event Submitted/Written: 04/17/2008 10:33:59 AM
Event ID/Source: 20 / Windows Update Agent
Event Description:
Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework, Version 1.1 Service Pack 1 (KB928366).

-- End of Deckard's System Scanner: finished at 2008-04-18 23:53:19 ------------

BC AdBot (Login to Remove)


#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:02:07 AM

Posted 30 April 2008 - 07:19 PM

Hello Dark Eagle. :thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :blink:
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.
See you soon,
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#3 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:02:07 AM

Posted 01 May 2008 - 09:23 AM

Hello again, Dark Eagle

Your DNS settings indicate you have them set to the systems at OpenDNS. Did you set this yourself?

The following is referring to "Uniblue Registry Booster 2".
Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your pc to be inoperable.
This is done, assuming that the major audience here at this board might be inexperienced users and thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to an "optional fix" and is up to the user, so just take this as a recommendation from my side.

You may have a SmitFraud variant. I need to gather some more information. Please follow these instructions:
  • Please download SmitfraudFix, and save it to your desktop.
  • Double-click SmitfraudFix.exe, on your desktop.
  • Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
  • Please copy/paste the content of that report into your next reply.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. Look here for more details.

Please reply with the SmitFraudFix log and a new DSS log

Good luck,
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users