"warning Spyware On Your Computer"


22 replies to this topic

#1 Tom22 (Members, 19 posts)
Posted 29 June 2008 - 03:49 PM

Hello, I am moving to this forum per Boopme's suggestion.
(Hi Tom, I saw some things in that log that need to be dealt with by the HJT team.
I am deleting that log as they aren't to be posted here. Follow these instructions and come back to this thread to tell us you have posted the HJT log, so we can close this one. Thanks.
Boopme)

Problem started with desktop "AntiVirusXP2008" and a very slow computer. I used Spybot to fix the desktop problem and 27 other problems. After this, the computer was still slow. Also a new text box was on the desktop saying "Warning! Spyware detected on your computer" complete with a "Buy" button. After many hours of work I found this web site with a recommendation to buy STOPzilla. STOPzilla removed the desktop problem and 57 other problems but did not fix the slow computer and other problems. My Task Manager shows numerous processes running, many of which appear bogus. Also, a new pop-up occurs occasionally that says "Warning! You have 5407 critical objects on your computer" with the usual "Buy Now" button. A second STOPzilla scan identified 14 more problems. The new infection names are Malware Protector, Secure Desktop Hijacker, Sweg, Winds32, Core and Virus Alert. After removing these, the computer is still extremely slow and it still has the "Warning" popup. A third scan with STOPzilla resulted in the removal of a Vundo Trojan and the Agent.BQ virus. Here is my HijackThis file. Help is appreciated. Tom22

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:47:08, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\NEW FOLDER\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\NEW FOLDER\UPS\WSTD\UPSNA1Msgr.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Documents and Settings\Owner\Desktop\New Folder\UPS\WSTD\WSTDMessaging.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\drwtsn32.exe
C:\WINNT\system32\drwtsn32.exe
C:\WINNT\system32\drwtsn32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [NA1Messenger] "C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\NEW FOLDER\UPS\WSTD\UPSNA1Msgr.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [SpywareBot] "C:\Program Files\Spybot\SpywareBot\SpywareBot.exe" -boot
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\Documents and Settings\Owner\Desktop\New Folder\UPS\WSTD\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\Documents and Settings\Owner\Desktop\New Folder\UPS\WSTD\wstdPldReminder.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O24 - Desktop Component 0: (no name) - http://www.google.com/intl/en_ALL/images/logo.gif

--
End of file - 4597 bytes


#2 teacup61, Bleepin' Texan! (Malware Response Team, 17,075 posts, Wills Point, Texas)
Posted 29 June 2008 - 09:45 PM

Hello Tom22,

Via Add/Remove Programs, please uninstall SpywareBot

http://www.fbmsoftware.com/spyware-net/App...ion/SpywareBot/
SpywareBot

Description of SpywareBot:
SpywareBot is a suspect anti-spyware application that deceptively leverages the Spybot Search and Destroy name, and provides users no End User License Agreement.

Recommendation for SpywareBot :
It is recommended that you remove this software from your computer to secure your system from suspected applications that might threaten system security.

Reboot afterward.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O4 - HKCU\..\Run: [SpywareBot] "C:\Program Files\Spybot\SpywareBot\SpywareBot.exe" -boot


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Navigate to and delete the following folder:

C:\Program Files\Spybot\SpywareBot

Download CWSshredder http://us.trendmicro.com/us/products/perso...dder/index.html. Close every window and disconnect from Internet. Double click the CWSshredder icon on your Desktop.
Click Fix, ok and then Next, let it fix everything it asks about.

Did you set this O24 yourself? O24 - Desktop Component 0: (no name) - http://www.google.com/intl/en_ALL/images/logo.gif

Please download Malwarebytes' Anti-Malware from one of these places:
http://download.bleepingcomputer.com/malwa...mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.


Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?
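The entries tea lists above are the HijackThis sections a helper reads first: R0/R1 Internet Explorer start and search pages, O4 Run autostarts, O10 Winsock LSP chain entries and O24 Active Desktop components. The script below is an added example for this page, not code from the thread or from HijackThis. It triages a log for those patterns with conservative heuristics of our own: a start or search page that is a file:// URL, a local page outside the system root derived from the smss.exe path in the process list, Run commands that use an environment variable or have no .exe extension, autostarts from user-writable folders, any Active Desktop component, and LSP DLLs outside system32. The sample log is constructed from entries shown in this thread. It only marks items for review; recognising a rogue product by name, as tea does with SpywareBot, is knowledge the heuristics do not carry.

```python
"""Triage a HijackThis 2.0.x log for the entry types discussed in this thread.

Added example; not HijackThis code and not part of the original posts.
The heuristics are ours and only mark items for a human to review.
"""
import re
from collections import Counter

# Constructed sample built from entries that appear in the thread's logs.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpywareBot] "C:\Program Files\Spybot\SpywareBot\SpywareBot.exe" -boot
O4 - HKLM\..\Run: [NA1Messenger] "C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\NEW FOLDER\UPS\WSTD\UPSNA1Msgr.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O24 - Desktop Component 0: (no name) - http://www.google.com/intl/en_ALL/images/logo.gif
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
IE_RE = re.compile(r"^HK(?:LM|CU)\\Software\\Microsoft\\Internet Explorer\\Main,(?P<value>[^=]+?) = (?P<target>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
LSP_RE = re.compile(r"^Unknown file in Winsock LSP: (?P<dll>.*)$", re.I)
SMSS_RE = re.compile(r"^(?P<root>[a-z]:\\[^\\]+)\\system32\\smss\.exe$", re.I)


def executable_of(cmd):
    """Return the program part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return a list of (severity, kind, message) for entries worth a look."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    # System root taken from where smss.exe runs (C:\WINNT on this machine).
    root = next((SMSS_RE.match(l).group("root").lower() for l in lines if SMSS_RE.match(l)), None)
    findings, lsp_dlls = [], Counter()
    for line in lines:
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1") and (ie := IE_RE.match(body)):
            value, target = ie.group("value"), ie.group("target")
            low = target.lower()
            if low.startswith("file://"):
                findings.append(("high", kind, f"IE {value} points at a local file: {target}"))
            elif re.match(r"^[a-z]:\\", low) and root and not low.startswith(root):
                findings.append(("medium", kind, f"IE {value} references a path outside {root}: {target}"))
        elif kind == "O4" and (run := RUN_RE.match(body)):
            name, cmd = run.group("name"), run.group("cmd")
            exe = executable_of(cmd).lower()
            if "%" in exe or not exe.endswith(".exe"):
                findings.append(("medium", kind, f"[{name}] runs an unqualified command: {cmd}"))
            elif "\\documents and settings\\" in exe or "\\temp\\" in exe:
                findings.append(("medium", kind, f"[{name}] autostarts from a user-writable folder: {exe}"))
        elif kind == "O10" and (lsp := LSP_RE.match(body)):
            lsp_dlls[lsp.group("dll").lower()] += 1   # one line per chain entry
        elif kind == "O24":
            findings.append(("medium", kind, f"Active Desktop component present; confirm it was set deliberately: {body}"))
    for dll, n in lsp_dlls.items():
        if root is None or not dll.startswith(root + "\\system32\\"):
            findings.append(("review", "O10", f"Winsock LSP {dll} outside the system directory ({n} chain entries)"))
    return findings


if __name__ == "__main__":
    for sev, kind, msg in triage(SAMPLE_LOG):
        print(f"{sev:6} {kind:4} {msg}")
```

On the sample this reports the two file:// pages and the Local Page under c:\windows (the machine's root is C:\WINNT), the UPS autostart from the Desktop, the dumprep entry, the Active Desktop component and the iS3 LSP DLL. The UPS WorldShip and STOPzilla items are legitimate here, which is the point: the script produces a shortlist for someone who knows the products to read, it does not decide for them.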

#3 Tom22, Topic Starter (Members, 19 posts)
Posted 30 June 2008 - 11:39 AM

Hi tea,

Here are my actions and the results:
1. My Add/Remove Programs does not show SpyBot installed.
2. Used HijackThis to remove the seven files.
3. Spybot was removed from the Program Files folder earlier.
4. Downloaded CWSshredder & ran it... "CoolWebSearch was not found on this system"
5. I did not set O24.
6. Downloaded mbam-set to desktop and installed mbam.exe. It updated and opened the program.
7. I did a quick scan and after 2616 objects, an error report popped up saying "Dr Watson Postmortem Debugger has encountered a problem and needs to close."
8. mbam was locked up and I had to hit "X" and "End Now".
This is what happened a few days ago when "boopme" was helping me at the other forum.
9. Below is the latest HijackThis.

Tom22

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36:52, on 6/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\NEW FOLDER\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\NEW FOLDER\UPS\WSTD\UPSNA1Msgr.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Documents and Settings\Owner\Desktop\New Folder\UPS\WSTD\WSTDMessaging.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\drwtsn32.exe
C:\WINNT\system32\drwtsn32.exe
C:\Program Files\HijackThis\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [NA1Messenger] "C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\NEW FOLDER\UPS\WSTD\UPSNA1Msgr.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\Documents and Settings\Owner\Desktop\New Folder\UPS\WSTD\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\Documents and Settings\Owner\Desktop\New Folder\UPS\WSTD\wstdPldReminder.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O24 - Desktop Component 0: (no name) - http://www.google.com/intl/en_ALL/images/logo.gif

--
End of file - 3961 bytes

#4 teacup61, Bleepin' Texan! (Malware Response Team, 17,075 posts, Wills Point, Texas)
Posted 30 June 2008 - 10:34 PM

Hello,

1. My Add/Remove Programs does not show SpyBot installed.

I didn't ask you to look for Spybot. I asked you to look for SpywareBot.

So it wants to be a wise guy, huh? Let's see if we can give it a good smack:

I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! :) After ComboFix has completed you can reenable them all, then come back online to post the reports. Thanks!

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

#5 Tom22, Topic Starter (Members, 19 posts)
Posted 01 July 2008 - 07:55 AM

tea,

Two pop-ups occurred while Combo was "preparing the log".
The first one said "Data Execution Prevention Microsoft Windows - To protect your computer, Windows has closed this program - Generic Host Process for Win32 Services".
The second one said "Generic Host Process for Win32 services has encountered a problem and needs to close". I hit "Don't Send".

Regardless, the Combo fix continued and here is the log and also the HijackThis log.

Tom22



ComboFix 08-06-20.4 - Owner 2008-07-01 8:21:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.74 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\1031479219.exe
C:\Documents and Settings\LocalService\Application Data\1091972638.exe
C:\Documents and Settings\LocalService\Application Data\1361145417.exe
C:\Documents and Settings\LocalService\Application Data\917701779.exe
C:\Documents and Settings\LocalService\Application Data\971313497.exe
C:\WINNT\promo1.html
C:\WINNT\promo2.html
C:\WINNT\promo3.html
C:\WINNT\promo4.html
C:\WINNT\promo5.html
C:\WINNT\promo6.html
C:\WINNT\promogif1.gif
C:\WINNT\promogif2.gif
C:\WINNT\promogif3.gif
C:\WINNT\system32\drivers\Wrx50.sys
C:\WINNT\system32\sn.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WRX50
-------\Service_Wrx50


((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-06-29 17:02 . 2008-06-29 17:05 692 --a------ C:\WINNT\hpntwksetup.ini
2008-06-29 10:59 . 2008-06-30 19:09 34,296 --ah----- C:\WINNT\system32\drivers\mbamcatchme.sys.szcpf
2008-06-29 10:56 . 2008-06-29 11:09 <DIR> d-------- C:\fixwareout
2008-06-29 08:26 . 2008-06-30 19:46 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-29 08:26 . 2008-06-29 08:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-29 08:26 . 2008-06-29 08:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-28 10:04 . 2008-06-28 10:04 388 --a------ C:\WINNT\system32\QuickTime.qtp
2008-06-28 09:28 . 2008-06-28 09:28 <DIR> d-------- C:\Program Files\UPS
2008-06-27 20:51 . 2008-06-27 20:51 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-06-27 20:51 . 2008-06-27 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-06-27 20:35 . 2004-04-12 07:10 90,112 -ra------ C:\WINNT\system32\hpovst08.dll
2008-06-27 20:35 . 2001-08-17 13:53 6,784 --a------ C:\WINNT\system32\drivers\serscan.sys
2008-06-27 20:35 . 2001-08-17 13:53 6,784 --a------ C:\WINNT\system32\dllcache\serscan.sys
2008-06-27 20:34 . 2004-02-05 17:23 212,992 -ra------ C:\WINNT\system32\hptcpmui.dll
2008-06-27 20:34 . 2004-02-05 20:42 110,592 -ra------ C:\WINNT\system32\hptcpmon.dll
2008-06-27 20:34 . 2004-02-05 17:24 98,304 -ra------ C:\WINNT\system32\hpzjsn01.dll
2008-06-27 20:34 . 2004-02-05 20:42 73,728 -ra------ C:\WINNT\system32\hptcpmib.dll
2008-06-27 20:34 . 2004-04-25 19:56 49,152 -ra------ C:\WINNT\system32\hpzjrd01.dll
2008-06-27 20:34 . 2004-02-05 17:24 28,672 -ra------ C:\WINNT\system32\hpzjfw01.dll
2008-06-27 20:34 . 2004-02-05 17:30 9,864 -ra------ C:\WINNT\system32\hptcpmui.hlp
2008-06-27 20:34 . 2004-02-05 17:30 9,820 -ra------ C:\WINNT\system32\hpipxmui.hlp
2008-06-27 20:34 . 2004-02-03 15:07 3,567 -ra------ C:\WINNT\system32\hptcpmon.ini
2008-06-27 20:34 . 2008-06-29 17:05 279 --a------ C:\WINNT\system32\AddPort.ini
2008-06-27 20:23 . 2008-06-27 21:13 104,268 --------- C:\WINNT\hpoins04.dat
2008-06-27 20:23 . 2004-06-21 06:14 17,176 --------- C:\WINNT\hpomdl04.dat
2008-06-27 19:42 . 2008-07-01 08:29 35,064 --a------ C:\WINNT\system32\drivers\kgpcpy.cfg
2008-06-27 19:40 . 2008-07-01 08:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-06-27 19:38 . 2008-06-27 19:38 <DIR> d-------- C:\Program Files\STOPzilla!
2008-06-27 19:38 . 2008-06-27 19:38 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-06-27 19:38 . 2008-07-01 08:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-06-26 16:59 . 2008-06-28 22:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-06-26 14:34 . 2008-06-26 14:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\rhcg8kj0e9de
2008-06-26 11:43 . 2008-06-26 11:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-06-26 10:14 . 2008-06-27 10:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-26 00:27 . 2008-06-27 09:41 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-25 18:29 . 2008-06-25 18:29 126,464 --a------ C:\WINNT\system32\drivers\Saxx60.sys
2008-06-25 18:20 . 2008-06-25 18:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nikon
2008-06-25 10:00 . 2008-06-25 10:00 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\rhcg8kj0e9de
2008-06-25 09:59 . 2008-06-25 09:59 126,464 --a------ C:\WINNT\system32\drivers\Qqdn48.sys
2008-06-25 09:59 . 2008-06-25 09:59 109,056 --a------ C:\WINNT\system32\lphcl8kj0e9de.exe
2008-06-20 08:49 . 2008-06-25 18:29 126,464 --a------ C:\WINNT\system32\drivers\mickey32.sys
2008-06-20 08:47 . 2008-06-20 08:47 126,464 --a------ C:\WINNT\system32\drivers\Nrc38.sys
2008-06-12 15:09 . 2008-06-12 15:09 258,048 -ra------ C:\WINNT\system32\SZBase5.dll
2008-06-12 15:08 . 2008-06-12 15:08 401,408 -ra------ C:\WINNT\system32\SZComp5.dll
2008-06-12 10:11 . 2008-06-12 10:11 364,544 -ra------ C:\WINNT\system32\IS3DBA5.dll
2008-06-12 10:11 . 2008-06-12 10:11 126,976 -ra------ C:\WINNT\system32\IS3HTUI5.dll
2008-06-12 10:10 . 2008-06-12 10:10 372,736 -ra------ C:\WINNT\system32\IS3UI5.dll
2008-06-12 10:10 . 2008-06-12 10:10 61,440 -ra------ C:\WINNT\system32\IS3Hks5.dll
2008-06-12 10:10 . 2008-06-12 10:10 23,040 -ra------ C:\WINNT\system32\IS3XDat5.dll
2008-06-12 10:09 . 2008-06-12 10:09 196,608 -ra------ C:\WINNT\system32\IS3Win325.dll
2008-06-12 10:08 . 2008-06-12 10:08 94,208 -ra------ C:\WINNT\system32\IS3Inet5.dll
2008-06-12 10:08 . 2008-06-12 10:08 90,112 -ra------ C:\WINNT\system32\IS3Svc5.dll
2008-06-12 10:05 . 2008-06-12 10:05 708,608 -ra------ C:\WINNT\system32\IS3Base5.dll
2008-06-11 08:59 . 2008-06-13 09:10 272,128 --------- C:\WINNT\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-29 15:58 --------- d-----w C:\Program Files\HP
2008-06-28 13:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-28 12:54 --------- d-----w C:\Program Files\Matilda
2008-06-26 18:36 --------- d-----w C:\Program Files\Common Files\aolshare
2008-06-26 15:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\SpywareBot
2008-06-13 13:10 272,128 ------w C:\WINNT\system32\drivers\bthport.sys
2008-05-27 18:47 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-05-22 16:27 --------- d-----w C:\Program Files\Common Files\Sagekey Software
2008-05-22 16:25 --------- d-----w C:\Program Files\Microsoft Access Runtime
2008-05-21 15:38 65,568 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-05-13 14:03 34,432 ----a-r C:\WINNT\system32\drivers\SZKG.sys
2008-05-08 12:28 202,752 ------w C:\WINNT\system32\drivers\rmcast.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-03 08:39 98304]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 21:21 28672]
"NA1Messenger"="C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\NEW FOLDER\UPS\WSTD\UPSNA1Msgr.exe" [2007-12-13 16:53 20480]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"UserFaultCheck"="C:\WINNT\system32\dumprep 0 -u" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2005-11-03 08:39:48 118784]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32 81920]
UPS WorldShip Messaging Utility.lnk - C:\Documents and Settings\Owner\Desktop\New Folder\UPS\WSTD\WSTDMessaging.exe [2007-12-13 16:55:54 65536]
UPS WorldShip PLD Reminder Utility.lnk - C:\Documents and Settings\Owner\Desktop\New Folder\UPS\WSTD\wstdPldReminder.exe [2007-12-12 22:05:04 31744]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winch40.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpu73.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 szkg5;szkg;C:\WINNT\system32\DRIVERS\szkg.sys [2008-05-13 10:03]
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;"C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\NEW FOLDER\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe" -sUPSWSDBSERVER []
S3 brfilt;Brother MFC Filter Driver;C:\WINNT\system32\Drivers\Brfilt.sys [2001-08-17 14:12]
S3 brparimg;Brother Multi Function Parallel Image driver;C:\WINNT\system32\DRIVERS\BrParImg.sys [2001-08-17 14:12]
S3 BrParWdm;Brother WDM Parallel Driver;C:\WINNT\system32\Drivers\BrParwdm.sys [2001-08-17 14:12]
S3 BrSerWDM;Brother Serial driver;C:\WINNT\system32\Drivers\BrSerWdm.sys [2001-08-17 14:12]
S3 MBAMCatchMe;MBAMCatchMe;C:\WINNT\system32\drivers\mbamcatchme.sys []
S3 PCDRDRV;Pcdr Helper Driver;C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys []
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;"C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\NEW FOLDER\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE" -i UPSWSDBSERVER []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad1b2298-4396-11dd-a15d-e11158af8cdd}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2003-09-05 15:51:30 C:\WINNT\Tasks\ISP signup reminder 1.job"
- C:\WINNT\System32\OOBE\oobebaln.exe
"2003-09-15 17:45:00 C:\WINNT\Tasks\ISP signup reminder 2.job"
- C:\WINNT\System32\OOBE\oobebaln.exe
"2003-09-05 15:51:31 C:\WINNT\Tasks\ISP signup reminder 3.job"
- C:\WINNT\System32\OOBE\oobebaln.exe
"2008-06-29 15:27:33 C:\WINNT\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\Spybot\SpywareBot\SpywareBot.ex
- C:\Program Files\Spybot\SpywareBot
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 08:31:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
.
**************************************************************************
.
Completion time: 2008-07-01 8:45:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-01 12:44:42

Pre-Run: 28,173,701,120 bytes free
Post-Run: 28,201,480,192 bytes free

171 --- E O F --- 2008-06-23 13:41:01

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:49:04, on 7/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\NEW FOLDER\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\NEW FOLDER\UPS\WSTD\UPSNA1Msgr.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Documents and Settings\Owner\Desktop\New Folder\UPS\WSTD\WSTDMessaging.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [NA1Messenger] "C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\NEW FOLDER\UPS\WSTD\UPSNA1Msgr.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\Documents and Settings\Owner\Desktop\New Folder\UPS\WSTD\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\Documents and Settings\Owner\Desktop\New Folder\UPS\WSTD\wstdPldReminder.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O24 - Desktop Component 0: (no name) - http://www.google.com/intl/en_ALL/images/logo.gif

--
End of file - 4244 bytes

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:55 PM

Posted 01 July 2008 - 09:46 PM

Hello,

Go to Start -> Control Panel -> Display Properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page").

Also remove the checkmark from the Lock Desktop Items box if it is checked.
Apply.
Apply and Exit Display properties.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O24 - Desktop Component 0: (no name) - http://www.google.com/intl/en_ALL/images/logo.gif


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer. How is it running now please?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 Tom22

Tom22
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:55 PM

Posted 02 July 2008 - 06:32 AM

Hi tea,

I removed the "google" command from the web tab but there was no "my current home page" or any other lines.

The O4 and O24 lines were not present in the registry.

What are the six anti-spyware ".dll"s? Just wondering.

The computer boots normally and is much faster (probably normal). The only problems that I see now, are:

1. The pop-up "Generic Host Process for Win Services has encountered a problem and needs to shut down". This popped up three times while I was performing your suggested tasks.

2. The pop-up "Data execution prevention Microsoft Windows - To protect your computer has closed this program". This has popped up once since I re-booted.

3. When opening some folders such as "My Computer" and "Control Panel" the flashlight "looking" appears and it takes a long time to open.

The hijackthis scan is shown below.

I will be away from this computer until Monday July 7th. Look forward to your response then. Thanks for your help and have a good holiday weekend.

Tom22

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:13:49, on 7/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\HijackThis\HiJackThis\HijackThis.exe
C:\WINNT\system32\dwwin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

--
End of file - 2965 bytes

#8 teacup61

Posted 03 July 2008 - 11:54 AM

Hello,

No worries on those .dlls. They're part of Stopzilla : http://www.castlecops.com/lsp-358.html

Please try to run MBAM again, and post the report if you get it to run. If it won't, then please do this instead:

Please download and run Bit Defender 8 online scanner
  • Install the program and then follow the prompts to download all available updates.
  • Select Antivirus and then click the Settings button. Click Default. Click Ok.
  • Select Local Drives and click Scan.
  • When the scan is complete save the log and post it back here in your next reply.
You have a great weekend too. :thumbsup:

Thanks,
tea
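A small parser for the HijackThis log format this thread revolves around, as an added example that is not part of the thread, of HijackThis, or of STOPzilla. It reproduces teacup61's "check whether these entries are present" step from post #6 and counts the repeated O10 Winsock LSP lines explained in post #8; the sample lines are constructed from the logs quoted above.

```python
"""Parse HijackThis v2.0.2 log lines into (section, detail) entries and check
which lines a helper asked to fix are actually present. Added example; the
sample log is a constructed excerpt of the logs posted in this thread."""
import re
from collections import Counter

# Constructed excerpt of the HJT log quoted above (raw string: backslashes
# are literal, as they are in the real log).
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O24 - Desktop Component 0: (no name) - http://www.google.com/intl/en_ALL/images/logo.gif
"""

# The two lines teacup61 asked to place checks next to in post #6.
REQUESTED_FIXES = [
    r"O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u",
    r"O24 - Desktop Component 0: (no name) - http://www.google.com/intl/en_ALL/images/logo.gif",
]

# Every HJT entry reads "<Section> - <detail>", e.g. "O4 - HKLM\..\Run: [Name] cmd".
# Header lines ("Logfile of ...", "Running processes:") and bare paths do not match.
LINE_RE = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")


def parse_hjt(text):
    """Return a list of (section, detail) tuples, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def present_entries(text, requested):
    """Which of the requested fix lines appear in this log? (Post #7 reported
    that neither was present any more, so this returns [] for that log.)"""
    found = {f"{section} - {detail}" for section, detail in parse_hjt(text)}
    return [line for line in requested if line in found]


def lsp_summary(text):
    """Count O10 (Winsock LSP) entries by DLL path. One DLL hooked several
    times in the LSP chain shows up as several identical O10 lines."""
    paths = [detail.split(":", 1)[1].strip().lower()
             for section, detail in parse_hjt(text) if section == "O10"]
    return dict(Counter(paths))


if __name__ == "__main__":
    print("present:", present_entries(SAMPLE_LOG, REQUESTED_FIXES))
    print("LSP DLLs:", lsp_summary(SAMPLE_LOG))
```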

#9 Tom22

Posted 07 July 2008 - 03:41 PM

Hi tea,

I ran mbam setup again and did a quick scan. This time it worked and it found 31 infected objects. I removed them and lost the log when rebooting the computer. I ran it again and it found no infections. The log is shown below. It looks like the only problem left is the Microsoft pop-ups that I mentioned in the last feedback. They occurred again on the last boot up.

Tom22

Malwarebytes' Anti-Malware 1.19
Database version: 930
Windows 5.1.2600 Service Pack 2

4:28:12 PM 7/7/2008
mbam-log-7-7-2008 (16-28-12).txt

Scan type: Quick Scan
Objects scanned: 40805
Time elapsed: 5 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 teacup61

Posted 07 July 2008 - 07:10 PM

Hello,

Are you totally up to date on your Windows updates?

#11 Tom22

Posted 08 July 2008 - 08:43 AM

Hi tea,

I just updated Windows and installed Service Pack 3. Toward the end of a boot up, I still get the Windows error pop-up "Generic Host Process for Win32 Services has encountered a problem and needs to close..."
The error signature is:
szAppName: svchost.exe, szAppVer: 5.1.2600.5512, szModname: unknown, szModVer: 0.0.0.0, Offset: 00e22bcc.
The error report content is:
C:\DOCUM~1\Owner\Locals~1\Temp\Werdeaf.dir00\svhost.exe.mdmp
C:\DOCUM~1\Owner\Locals~1\Temp\Werdeaf.dir00\appcompat.txt

When I hit the "Don't Send" button, it goes to the desktop and everything seems to then work OK.

Tom22

#12 teacup61

Posted 08 July 2008 - 09:26 PM

Hello,

Try this :

Please download and apply the following MS Security Update. Just click download :thumbsup:
http://www.microsoft.com/downloads/details...;displaylang=en

Restart your computer and let me know if it helped.

Regards,
tea

#13 Tom22

Posted 10 July 2008 - 08:24 AM

Hi tea,

I tried to download the file but got the following message: "Service Pack Version of this system is newer than the update you are applying. There is no need to install this update."

Of course the problem still exists, but I also notice that any time I try to open a folder, it takes a long time to open. Even just listing the hard disk directory with Explorer is very slow. It appears to be looking for something and can't find it. This must be related to the pop-up that occurs when I boot up that says "Generic Host process for Win32 is being closed".

Tom22

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:14:50, on 7/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\NEW FOLDER\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\NEW FOLDER\UPS\WSTD\UPSNA1Msgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\New Folder\UPS\WSTD\WSTDMessaging.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\HijackThis\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [NA1Messenger] C:\NEW FOLDER\UPS\WSTD\UPSNA1Msgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\New Folder\UPS\WSTD\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\New Folder\UPS\WSTD\wstdPldReminder.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

--
End of file - 3865 bytes

#14 teacup61

Posted 10 July 2008 - 12:33 PM

Hi there,

Uninstall STOPzilla, reboot your computer, and see if you still get the message.

#15 Tom22

Posted 11 July 2008 - 03:26 PM

Hi tea,

After removing StopZilla, the pop-ups appear to be gone. Everything else looks OK except the CPU sometimes is busy for no reason. For example, if I click the arrow in an address box to make a selection, it may take 3-4 minutes to display the list. This happens with an internet address, while in MS Word, or in any activity where I am trying to list options. When this happens, I can load the Task Manager and see that the CPU is at 100% usage. When it drops to near zero, I can then go back and the "address box" works OK. Something is causing the CPU to run to 100% any time I try to select something from an address box. I can load items from icons or go to a web site by typing a name in the address box and the delay does not occur. It only occurs when I am trying to pull down a list from the arrow in the address box.

Tom22