'Your're in danger' wallpaper virus


'Your're in danger' wallpaper virus

Post by Lynden Cooper on Thu 10 Mar 2011, 5:30 am

Newbie here, hello,

I am infected by this thing. I have followed the advice on previous posts for this virus on the forum, but it blocks all of the offered downloads. Any .exe files are reported in a pop up as infected.

Lynden


Lynden Cooper
Newbie Surfer
Posts : 8
Joined : 2011-03-10
Operating System : vista

Re: 'Your're in danger' wallpaper virus

Post by Gabethebabe on Thu 10 Mar 2011, 8:04 am

Hi Lynden! I am Gabethebabe and I will be helping you with this issue. Before we start, some general remarks/rules:
  • Whilst I'm helping you, please follow my instructions carefully and do not experiment on your own or accept help from other persons.
  • Feel free to ask questions! Especially if my instructions are not clear. I'm here to help, not confuse you.
  • I will try and respond quickly, but please understand I do have a real life (job, wife, 3 kids, kinky hobbies).
  • Stick with me till the end! If your computer starts running better, that doesn't mean it is clean yet!


====================

Careful now, your computer is infected with rogue software. For an explanation of this term you can consult e.g. Wikipedia. Whatever you do, do not buy a license for this program. If you already did, you have been scammed. In that case I suggest you contact your financial institution and see if you can revert the payment.

The first thing we are going to do is try and temporarily disable the rogue, to get rid of all the annoying popups and allow us to actually do something. For this we use RKill.

====================
Please download RKill by Grinler from Download Mirror #1 and save it to your desktop.
Download Mirror #1 (rkill.exe)
Download Mirror #2 (rkill.scr)
Download Mirror #3 (rkill.com)
Download Mirror #4 (WiNlOgOn.exe)
Download Mirror #5 (uSeRiNiT.exe)
Download Mirror #6 (iExplore.exe)
Download Mirror #7 (eXplorer.exe)

  • Double-click the RKill desktop icon (right-click > Run as Administrator for Vista/WIN7).
  • A black screen will briefly flash, indicating a successful run.
  • If this does not occur, please delete that application and try using Mirror #2.
  • Continue the process until the tool runs.
  • Important: RKill only temporarily disables the malware. If you reboot the computer, it will be active again. So do not reboot until we kill the infection.

====================

Please download OTL by OldTimer from here and save it to your Desktop.
  • Close all windows and double click OTL.exe.
  • Copy and paste the following text into the Custom Scans/Fixes box:

netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\system32\*.exe /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\system32\drivers\*.sys
%systemroot%\system32\drivers\*.dll
%systemroot%\system32\drivers\*.ini
%systemroot%\system32\drivers\*.exe
%SYSTEMDRIVE%\*.*
%PROGRAMFILES%\*.
/md5start
atapi.sys
explorer.exe
iastor.sys
userinit.exe
winlogon.exe
/md5stop
  • Click the Run Scan button and allow it to run.
  • It will produce two logs for you, OTL.txt and Extras.txt. Please post both logs in this thread.
  • You may need to use two posts to get it all.


Gabethebabe
Tech Advisor
Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

Re: 'Your're in danger' wallpaper virus

Post by Lynden Cooper on Thu 10 Mar 2011, 8:25 am

Thank you for the reply. I am afraid that the download mirrors don't work. Well, I can download them, but I then get an Internet Explorer security warning, 'the publisher could not be verified'. I press run and I get a pop-up warning 'Application cannot be executed. The file e.g. update.exe (or .scr or .com depending on the download mirror) is infected. Please activate your antivirus software'.

Lynden Cooper
Newbie Surfer
Posts : 8
Joined : 2011-03-10
Operating System : vista

Re: 'Your're in danger' wallpaper virus

Post by Lynden Cooper on Thu 10 Mar 2011, 8:24 pm

Apologies, my OS is actually XP if that makes a difference.


Lynden Cooper
Newbie Surfer
Posts : 8
Joined : 2011-03-10
Operating System : vista

Re: 'Your're in danger' wallpaper virus

Post by Gabethebabe on Thu 10 Mar 2011, 11:52 pm

Lynden, you have also tried mirrors 4-7, correct? These are RKill camouflaged with Windows system filenames and are the most likely to go unblocked.
It is possible though, these infections can be a real pain in the bottom.

The Internet Explorer security warning you can ignore. You are downloading safe software, trust me.

The fact that we cannot get RKill to run troubles me more. Here are some tricks that might help.

  • Restart your computer and at the moment your desktop appears, double-click the RKill icon ASAP! The malware might not have full control yet and RKill could slip through its mazes.
  • Double-click the RKill icon and when the rogue pops up with its fake warning message, leave all windows open and try to run RKill again by double-clicking again.

You may have to try multiple times with the multiple versions of RKill. We only need one successful run. If you manage that, HURRAY, run OTL as indicated in my first reply, post the log and leave your computer running (do not reboot).

====================

If really there is no way to stop the fake messages, then we have to use a method that will function for sure: a boot disk.

====================

  • You will need a blank CD to burn the boot CD
  • Download OTLPEStd.exe by OldTimer from here (a big download)
  • Double-click on OTLPEStd.exe to burn the boot CD
  • Reboot your system using the boot CD you just created. If you don't know how to boot from CD, check out this page
  • Booting will take quite some time, so please be patient
  • Finally you should see the REATOGO-X-PE desktop. Find the OTLPE icon and double click it to run OTLPE
  • Answer Yes and OK to all prompts
  • Ensure the option Automatically Load All Remaining Users is checked
  • OTL should now start. Set the option Drivers to Non-Microsoft
  • Click Run Scan to start the scan
  • When finished, a log file C:\OTL.txt will be created
  • Please post the contents of the file in your next reply


Gabethebabe
Tech Advisor
Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

Re: 'Your're in danger' wallpaper virus

Post by Lynden Cooper on Fri 11 Mar 2011, 12:27 am

Hi

I'm at work, away from my home PC right now, but I have burnt a CD here and will try a reboot in 3 hours' time. The RKill icon didn't show on my PC desktop.

Lynden

Lynden Cooper
Newbie Surfer
Posts : 8
Joined : 2011-03-10
Operating System : vista

Re: 'Your're in danger' wallpaper virus

Post by Lynden Cooper on Fri 11 Mar 2011, 4:19 am

Hi
Here it is...

OTL logfile created on: 10/03/2011 17:11:57 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Cooper\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

639.00 Mb Total Physical Memory | 386.00 Mb Available Physical Memory | 60.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 960 1920 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 0.48 Gb Free Space | 1.30% Space Free | Partition Type: NTFS

Computer Name: U-449253FDCD854 | User Name: Cooper | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/10 17:08:03 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cooper\Desktop\OTL.exe
PRC - [2010/10/03 22:43:16 | 000,767,208 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2008/04/14 13:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/03/10 17:08:03 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cooper\Desktop\OTL.exe
MOD - [2010/08/23 16:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/11/05 17:53:56 | 000,327,000 | ---- | M] (Enigma Software Group USA, LLC.) [Auto | Stopped] -- C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe -- (SpyHunter 4 Service)
SRV - [2010/10/03 22:43:16 | 000,767,208 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)


========== Driver Services (SafeList) ==========

DRV - [2011/02/24 18:33:45 | 000,055,224 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\23945\RapportCerberus_23945.sys -- (RapportCerberus_23945)
DRV - [2010/10/03 22:43:44 | 000,169,320 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2010/10/03 22:43:44 | 000,059,240 | ---- | M] (Trusteer Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\RapportKELL.sys -- (RapportKELL)
DRV - [2010/01/27 17:10:44 | 000,005,248 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys -- (esgiguard)
DRV - [2009/12/13 17:24:36 | 000,027,519 | ---- | M] (USB Corporation Reserved.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USBKR100.SYS -- (USB-100)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.7
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0.2


[2010/05/28 21:09:20 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Cooper\Application Data\Mozilla\Extensions
[2010/05/28 21:09:20 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Cooper\Application Data\Mozilla\Extensions\home2@tomtom.com
[2010/11/19 03:16:09 | 000,000,000 | ---D | M] (No name found) -- C:\PROGRAM FILES\TOMTOM HOME 2\XUL\EXTENSIONS\MAPSHARE-STATUS@TOMTOM.COM

O1 HOSTS File: ([2011/02/06 12:06:21 | 000,429,726 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 14795 more lines...
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe ()
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe (Enigma Software Group USA, LLC.)
O4 - HKCU..\Run: [PnPUI Registrator] C:\Program Files\Common Files\Sitecom Shared\PnP Universal Installer\PnPUIReg.exe ()
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - HKCU..\Run: [TomTomHOME.exe] File not found
O4 - HKCU..\RunOnce: [jHoMdFn16635] C:\Documents and Settings\All Users\Application Data\jHoMdFn16635\jHoMdFn16635.exe ()
O4 - Startup: C:\Documents and Settings\Cooper\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (Sony Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (Intertrust Technologies, Inc.)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} [You must be registered and logged in to see this link.] (Shockwave ActiveX Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\Antiwpa: DllName - antiwpa.dll - C:\WINDOWS\System32\antiwpa.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\Cooper\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Cooper\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/12/13 11:57:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{91407867-6a9a-11df-89c3-001060171522}\Shell\AutoRun\command - "" = E:\InstallTomTomHOME.exe
O33 - MountPoints2\{fdbcfb01-e7df-11de-88e5-dba423348a54}\Shell\AutoRun\command - "" = cold\hott\sysdiag64.exe
O33 - MountPoints2\{fdbcfb01-e7df-11de-88e5-dba423348a54}\Shell\Explore\Command - "" = cold\hott\sysdiag64.exe
O33 - MountPoints2\{fdbcfb01-e7df-11de-88e5-dba423348a54}\Shell\open\command - "" = cold\hott\sysdiag64.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/10 17:08:01 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Cooper\Desktop\OTL.exe
[2011/03/08 18:38:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cooper\Start Menu\Programs\SpyHunter
[2011/03/08 18:38:23 | 000,000,000 | ---D | C] -- C:\sh4ldr
[2011/03/08 18:38:23 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2011/03/08 18:37:43 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2011/03/08 17:33:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/03/08 17:00:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/03/08 16:55:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\jHoMdFn16635
[2011/02/25 17:15:18 | 000,222,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2011/02/25 17:02:11 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2011/02/10 14:40:04 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2011/02/10 11:50:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\IMSIDesign TurboCAD Deluxe 15
[2011/02/10 11:45:28 | 000,000,000 | ---D | C] -- C:\Program Files\IMSIDesign
[2011/02/10 11:45:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\IMSIDesign
[2011/02/10 11:44:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cooper\My Documents\TurboCAD Deluxe 15
[2011/02/10 11:44:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cooper\Application Data\IMSIDesign
[2011/02/10 11:17:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cooper\My Documents\TurboCad_home
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/10 17:08:03 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cooper\Desktop\OTL.exe
[2011/03/10 17:05:38 | 000,000,547 | ---- | M] () -- C:\Documents and Settings\Cooper\Desktop\Shortcut to WiNlOgOn.lnk
[2011/03/10 17:01:44 | 001,006,747 | ---- | M] () -- C:\Documents and Settings\Cooper\My Documents\WiNlOgOn.exe
[2011/03/10 16:47:41 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/10 16:47:40 | 670,420,992 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/09 22:34:17 | 001,228,854 | ---- | M] () -- C:\fsqwr.bmp
[2011/03/08 18:38:30 | 000,001,975 | ---- | M] () -- C:\Documents and Settings\Cooper\Desktop\SpyHunter.lnk
[2011/03/08 17:00:33 | 000,000,951 | ---- | M] () -- C:\Documents and Settings\Cooper\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/03/08 17:00:33 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Cooper\Desktop\Spybot - Search & Destroy.lnk
[2011/03/08 16:42:41 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/02/25 17:04:12 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/02/25 16:54:59 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/02/25 16:46:15 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/02/10 12:00:49 | 000,001,859 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TurboCAD Deluxe 15.lnk
[2011/02/10 11:12:59 | 000,263,024 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/02/09 22:49:54 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/10 17:05:38 | 000,000,547 | ---- | C] () -- C:\Documents and Settings\Cooper\Desktop\Shortcut to WiNlOgOn.lnk
[2011/03/10 17:01:40 | 001,006,747 | ---- | C] () -- C:\Documents and Settings\Cooper\My Documents\WiNlOgOn.exe
[2011/03/08 18:38:30 | 000,001,975 | ---- | C] () -- C:\Documents and Settings\Cooper\Desktop\SpyHunter.lnk
[2011/03/08 17:32:17 | 001,228,854 | ---- | C] () -- C:\fsqwr.bmp
[2011/03/08 17:00:33 | 000,000,951 | ---- | C] () -- C:\Documents and Settings\Cooper\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/03/08 17:00:33 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Cooper\Desktop\Spybot - Search & Destroy.lnk
[2011/02/25 17:08:03 | 000,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/02/25 17:04:12 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2011/02/25 17:02:34 | 000,001,680 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2011/02/10 11:50:38 | 000,001,859 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\TurboCAD Deluxe 15.lnk
[2010/11/19 08:08:21 | 000,000,118 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/02/04 21:23:27 | 000,003,654 | ---- | C] () -- C:\WINDOWS\System32\drivers\Sonyhcp.dll
[2009/12/15 14:16:46 | 000,078,336 | ---- | C] () -- C:\Documents and Settings\Cooper\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/13 17:34:17 | 000,663,552 | ---- | C] () -- C:\WINDOWS\System32\libeay32_1-1-0_DDR.dll
[2009/12/13 17:34:17 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32_1-1-0_DDR.dll
[2009/12/13 17:34:16 | 000,532,594 | ---- | C] () -- C:\WINDOWS\System32\xerces-c_1_40_0_DDR.dll
[2009/12/13 17:34:16 | 000,524,377 | ---- | C] () -- C:\WINDOWS\System32\stlport_4_0_0_DDR.dll
[2009/12/13 17:34:16 | 000,307,329 | ---- | C] () -- C:\WINDOWS\System32\BJBase_2-2-2_DDR.dll
[2009/12/13 12:11:23 | 000,060,416 | ---- | C] () -- C:\WINDOWS\System32\antiwpa.dll
[2009/12/13 12:00:28 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/12/13 11:54:07 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/12/13 11:35:50 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/12/13 11:34:22 | 000,263,024 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/04/14 13:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 13:00:00 | 000,314,508 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/14 13:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 13:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 13:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 13:00:00 | 000,040,836 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/14 13:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 13:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 13:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 13:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/03/21 10:41:32 | 000,004,605 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2005/03/21 10:41:30 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin

< End of report >

Lynden Cooper
Newbie Surfer
Posts : 8
Joined : 2011-03-10
Operating System : vista
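As an added example (not part of this thread, and not OTL's own code), here is a small Python triage pass over OTL-style log lines of the kind posted above. It applies the checks a helper does by eye when reading such a log: O1 hosts entries that point a name at something other than loopback (Spybot's immunization writes thousands of 127.0.0.1 lines, which are benign; a redirect elsewhere is the hijack pattern), O4 Run/RunOnce entries with no company name whose binary lives in a user-writable data directory, O20 Winlogon Notify DLLs with no company name, O33 MountPoints2 autorun handlers (a relative path like `cold\hott\sysdiag64.exe` is the removable-drive worm pattern), and O35/O37 exefile/comfile handlers that differ from the Windows default `"%1" %*` (a hijacked exefile handler is how a rogue gets to say "Application cannot be executed" for every .exe). Most sample lines are copied from the OTL log above; the hosts line for `203.0.113.9` and the O37 exefile line are constructed so that those two checks have something to fire on. The severity labels and the regular expressions are my own assumptions about the OTL line format, based only on the lines visible in this thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "review"
    item: str      # OTL section tag the line came from, e.g. "O4"
    detail: str


# Addresses a hosts file may legitimately point blocked names at.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Default Windows handler for exefile/comfile/batfile [open].
DEFAULT_OPEN = '"%1" %*'

# Directories any user process can write to; an autostart entry whose binary
# lives here and carries no company name is the usual rogue pattern.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")

# Regexes assumed from the OTL lines visible in the thread (not OTL's spec).
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - (HK\w+)\.\.\\(Run\w*): \[(.*?)\] (.*?)(?: \((.*?)\))?$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon\\Notify\\(\S+): DllName - (\S+) - (.*?)(?: \((.*?)\))?$")
MOUNT_RE = re.compile(r'^O33 - MountPoints2\\(\{[^}]+\})\\Shell\\(\w+)\\command - "" = (.+)$')
ASSOC_RE = re.compile(r"^O3[57] - HKLM\\\.\.\.?(\w+) \[(?:open|@ = (\w+))\] -- (.+)$")

# Sample input: lines copied from the OTL log above, plus two constructed
# lines (the 203.0.113.9 hosts entry and the O37 exefile line) so the
# corresponding checks fire.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 203.0.113.9 bank-login.example
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKCU..\RunOnce: [jHoMdFn16635] C:\Documents and Settings\All Users\Application Data\jHoMdFn16635\jHoMdFn16635.exe ()
O20 - Winlogon\Notify\Antiwpa: DllName - antiwpa.dll - C:\WINDOWS\System32\antiwpa.dll ()
O33 - MountPoints2\{91407867-6a9a-11df-89c3-001060171522}\Shell\AutoRun\command - "" = E:\InstallTomTomHOME.exe
O33 - MountPoints2\{fdbcfb01-e7df-11de-88e5-dba423348a54}\Shell\AutoRun\command - "" = cold\hott\sysdiag64.exe
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "C:\path\to\unknown.exe" "%1" %*
"""


def triage(log_text: str) -> list[Finding]:
    """Return findings for the OTL-style lines in log_text, in input order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            ip, name = m.groups()
            if ip not in LOOPBACK:
                findings.append(Finding("high", "O1", f"hosts maps {name} to non-loopback {ip}"))
        elif m := RUN_RE.match(line):
            hive, key, name, path, company = m.groups()
            # company == "" means OTL printed "()" : no company name in the PE version info
            if company == "" and any(d in path.lower() for d in USER_WRITABLE):
                findings.append(Finding("high", "O4",
                                        f"{hive}\\{key} [{name}] runs a no-company binary from a user-writable path: {path}"))
        elif m := NOTIFY_RE.match(line):
            sub, _dll, path, company = m.groups()
            if not company:
                findings.append(Finding("review", "O20", f"Winlogon Notify '{sub}' loads {path} with no company name"))
        elif m := MOUNT_RE.match(line):
            guid, verb, command = m.groups()
            relative = re.match(r"^[A-Za-z]:\\", command) is None
            findings.append(Finding("high" if relative else "review", "O33",
                                    f"removable-drive {verb} handler {guid} -> {command}"
                                    + (" (relative path)" if relative else "")))
        elif m := ASSOC_RE.match(line):
            ext, cls, command = m.groups()
            if command != DEFAULT_OPEN:
                findings.append(Finding("high", "O35/O37", f"{cls or ext} open handler is not the default: {command}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.item:7} {f.detail}")
```

Run as-is it prints six findings for the sample: four "high" (the constructed hosts redirect, the jHoMdFn16635 RunOnce entry, the relative-path sysdiag64.exe autorun, and the constructed exefile hijack) and two "review" (the antiwpa.dll Notify DLL, which is a WPA crack rather than the rogue, and the TomTom CD autorun). The genuine Microsoft Security Client entry and the default comfile/exefile handlers produce nothing, which is the point: the rules discriminate on where the binary lives and whether the handler matches the default, not on the mere presence of an entry.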

Re: 'Your're in danger' wallpaper virus

Post by Lynden Cooper on Fri 11 Mar 2011, 4:20 am

reated on: 10/03/2011 17:11:57 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Cooper\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

639.00 Mb Total Physical Memory | 386.00 Mb Available Physical Memory | 60.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 960 1920 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 0.48 Gb Free Space | 1.30% Space Free | Partition Type: NTFS

Computer Name: U-449253FDCD854 | User Name: Cooper | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htafile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Spotify\spotify.exe" = C:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify -- (Spotify Ltd)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3A5F4680-8B45-4D84-B9EE-89CFE2E40650}" = TurboCAD Deluxe 15
"{41EBC322-660F-4D16-A0DF-53147210CBDB}" = SpyHunter
"{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}" = Sony USB Driver
"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware
"{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"BroadJump Client Foundation" = BroadJump Client Foundation
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ie8" = Windows Internet Explorer 8
"Microsoft Security Client" = Microsoft Security Essentials
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Rapport_msi" = Rapport
"Sitecom_LN-013" = USB to fast ethernet adapter
"Spotify" = Spotify
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"UnityWebPlayer" = Unity Web Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 20/07/2010 14:50:04 | Computer Name = U-449253FDCD854 | Source = Application Hang | ID = 1002
Description = Hanging application SpybotSD.exe, version 1.6.2.46, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 20/07/2010 14:57:15 | Computer Name = U-449253FDCD854 | Source = Application Hang | ID = 1002
Description = Hanging application spotify.exe, version 0.4.3.426, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 13/08/2010 04:56:59 | Computer Name = U-449253FDCD854 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 29/08/2010 15:00:14 | Computer Name = U-449253FDCD854 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0xfc458d00.

Error - 16/09/2010 12:44:42 | Computer Name = U-449253FDCD854 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 24/09/2010 10:49:39 | Computer Name = U-449253FDCD854 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module flash10b.ocx, version 10.0.22.87, fault address 0x00224adf.

Error - 12/10/2010 18:00:49 | Computer Name = U-449253FDCD854 | Source = MsiInstaller | ID = 11307
Description = Product: Microsoft Office Enterprise 2007 -- Error 1307.There is not
enough disk space to install this file: C:\WINDOWS\Installer\15677d9.msp. Free
some disk space and click 'Retry', or click 'Cancel' to exit.

Error - 12/10/2010 18:04:03 | Computer Name = U-449253FDCD854 | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Enterprise 2007 - Update 'Microsoft Office
2007 Service Pack 2 (SP2)' could not be installed. Error code 1603. Windows Installer
can create logs to help troubleshoot issues with installing software packages.
Use the following link for instructions on turning on logging support: [You must be registered and logged in to see this link.]

Error - 17/10/2010 18:44:48 | Computer Name = U-449253FDCD854 | Source = MsiInstaller | ID = 11307
Description = Product: Microsoft Office Enterprise 2007 -- Error 1307.There is not
enough disk space to install this file: C:\Program Files\Common Files\System\ole
db\msmdlocal.dll. Free some disk space and click 'Retry', or click 'Cancel' to
exit.

Error - 17/10/2010 18:45:33 | Computer Name = U-449253FDCD854 | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Enterprise 2007 - Update 'Microsoft Office
2007 Service Pack 2 (SP2)' could not be installed. Error code 1603. Windows Installer
can create logs to help troubleshoot issues with installing software packages.
Use the following link for instructions on turning on logging support: [You must be registered and logged in to see this link.]

[ OSession Events ]
Error - 07/09/2010 17:06:00 | Computer Name = U-449253FDCD854 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 15149
seconds with 1440 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 10/03/2011 02:59:47 | Computer Name = U-449253FDCD854 | Source = Service Control Manager | ID = 7034
Description = The SpyHunter 4 Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 10/03/2011 02:59:47 | Computer Name = U-449253FDCD854 | Source = Service Control Manager | ID = 7034
Description = The IMAPI CD-Burning COM Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 10/03/2011 02:59:47 | Computer Name = U-449253FDCD854 | Source = Service Control Manager | ID = 7031
Description = The Microsoft Antimalware Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
15000 milliseconds: Restart the service.

Error - 10/03/2011 03:00:03 | Computer Name = U-449253FDCD854 | Source = Service Control Manager | ID = 7031
Description = The Microsoft Antimalware Service service terminated unexpectedly.
It has done this 2 time(s). The following corrective action will be taken in
15000 milliseconds: Restart the service.

Error - 10/03/2011 03:00:18 | Computer Name = U-449253FDCD854 | Source = Service Control Manager | ID = 7034
Description = The Microsoft Antimalware Service service terminated unexpectedly.
It has done this 3 time(s).

Error - 10/03/2011 12:48:13 | Computer Name = U-449253FDCD854 | Source = Service Control Manager | ID = 7034
Description = The SpyHunter 4 Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 10/03/2011 12:48:13 | Computer Name = U-449253FDCD854 | Source = Service Control Manager | ID = 7034
Description = The IMAPI CD-Burning COM Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 10/03/2011 12:48:14 | Computer Name = U-449253FDCD854 | Source = Service Control Manager | ID = 7031
Description = The Microsoft Antimalware Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
15000 milliseconds: Restart the service.

Error - 10/03/2011 12:48:30 | Computer Name = U-449253FDCD854 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Microsoft Antimalware
Service service to connect.

Error - 10/03/2011 12:48:30 | Computer Name = U-449253FDCD854 | Source = Service Control Manager | ID = 7000
Description = The Microsoft Antimalware Service service failed to start due to the
following error: %%1053


< End of report >

Lynden Cooper

Newbie Surfer

Posts : 8
Joined : 2011-03-10
Operating System : vista
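The System Events block in the log above shows the Microsoft Antimalware Service (the service behind Microsoft Security Essentials, which appears in the uninstall list) terminating unexpectedly several times and then failing to start at all, a pattern worth pulling out of such logs because it is what a rogue that keeps killing the real antivirus leaves behind. As an added example that is not part of this thread, here is a small Python parser for the layout OTL uses under "Last 10 Event Log Errors"; the sample entries are constructed to mirror the posted log's format.

```python
import re

# Constructed sample in the layout OTL uses for "Last 10 Event Log Errors"
# (wrapped descriptions, blank line between entries); modelled on the posted log.
SAMPLE_LOG = """\
[ System Events ]
Error - 10/03/2011 02:59:47 | Computer Name = U-449253FDCD854 | Source = Service Control Manager | ID = 7034
Description = The SpyHunter 4 Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 10/03/2011 02:59:47 | Computer Name = U-449253FDCD854 | Source = Service Control Manager | ID = 7031
Description = The Microsoft Antimalware Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
15000 milliseconds: Restart the service.

Error - 10/03/2011 12:48:30 | Computer Name = U-449253FDCD854 | Source = Service Control Manager | ID = 7000
Description = The Microsoft Antimalware Service service failed to start due to the
following error: %%1053
"""

HEADER = re.compile(r"^Error - (?P<ts>\S+ \S+) \| .*?\| Source = (?P<src>[^|]+?) \| ID = (?P<id>\d+)$")
SERVICE = re.compile(r"^Description = The (?P<svc>.+?) service (?P<what>terminated unexpectedly|failed to start)")
SCM_FAILURE_IDS = {"7000", "7031", "7034"}  # SCM: failed to start / died (with and without recovery)

def parse_entries(text):
    """Dicts with ts, src, id and the re-joined description; a blank line closes an entry."""
    entries, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"ts": m["ts"], "src": m["src"].strip(), "id": m["id"], "desc": ""}
            entries.append(cur)
        elif not line.strip():
            cur = None
        elif cur is not None:  # continuation of a wrapped description
            cur["desc"] = (cur["desc"] + " " + line.strip()).strip()
    return entries

def av_service_failures(text, keyword="antimalware"):
    """(timestamp, service, what) for each SCM event where a service whose name contains
    `keyword` died or failed to start; a run of these within minutes is the AV-kill footprint."""
    hits = []
    for e in parse_entries(text):
        if e["src"] != "Service Control Manager" or e["id"] not in SCM_FAILURE_IDS:
            continue
        m = SERVICE.match(e["desc"])
        if m and keyword.lower() in m["svc"].lower():
            hits.append((e["ts"], m["svc"], m["what"]))
    return hits
```

Run it over the whole "[ System Events ]" section of a real OTL log; three or more hits with the same service name inside a few minutes is the line to show the person being helped.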

Re: 'Your're in danger' wallpaper virus

Post by Lynden Cooper on Fri 11 Mar 2011, 4:22 am

Hope those arrived OK. I'm doing this remotely via my university email and have realised the service may be at risk for 3 hours for maintenance. In anticipation, thanks for the help....

Lynden Cooper

Newbie Surfer

Posts : 8
Joined : 2011-03-10
Operating System : vista

Re: 'Your're in danger' wallpaper virus

Post by Gabethebabe on Fri 11 Mar 2011, 6:37 pm

Hello Lynden. We have a problem. I found this line in your log:

Lynden Cooper wrote:
O20 - Winlogon\Notify\Antiwpa: DllName - antiwpa.dll - C:\WINDOWS\System32\antiwpa.dll ()

You are running an illegal version of Windows XP

Antiwpa.dll circumvents Windows Activation or Validation, which implies that your copy of Windows is illegal. I know that some users actually do not know their Windows copy is illegal - it is a used computer or bought from unscrupulous vendors, etc. Besides the legal and moral position, cleaning your computer could be a waste of time as further infection is highly likely, since you cannot receive and install all the Windows updates to patch the security holes, etc.

Antiwpa.dll is a prohibited software crack which is used to avoid the Windows’ copy protection. Now we at GeekPolice are facing a dilemma. We really want to help you get rid of the infection you have on your computer, because that infection was caused by cybercriminals. But by helping you, we are helping someone who himself is breaking the law (knowingly or not knowingly).

Of course this is not the first time we face this dilemma and GeekPolice has adopted the following simple policy: if you have problems with an illegal piece of software, we will not be able to help you until you have purchased a legal version of it.
Please do not take this decision personally. I will be happy to help you with any malware problems after you install a legal copy of the Windows Operating System.

There are three ways to validate your license of Windows XP:
  1. Use the Start Menu and navigate to the Activate Windows link. This will allow you to enter your product key and properly register Windows, so it will be licensed/genuine.
  2. Contact Microsoft for a replacement product key. You can do this by having your proof of purchase ready and being prepared to fax the information. You can find out more information about contacting them by this link. See the section Replacement product key.
  3. Buy a new, retail version of Windows. You can either find them in home electronics in department stores or online.


If you require any assistance in this process, please let us know.

Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

Re: 'Your're in danger' wallpaper virus

Post by Lynden Cooper on Fri 11 Mar 2011, 7:00 pm

Thanks for the help. The PC was bought new with Windows but I had an issue some years ago when we needed to re-install the OS - the supplied disk was warped. I took it to a freelance PC mender - looks like we got the illegal OS at that point.

Again, thanks,
Lynden

Lynden Cooper

Newbie Surfer

Posts : 8
Joined : 2011-03-10
Operating System : vista
