PCAntimalware 4.1.288.0

MohavePC · June 1, 2009

Hello all:

I was on Yahoo using firefox on Friday reading my mail when all of a sudden I get the standard Rogue anti vir popup. I closed everything with alt+f4 and immediately deleted all my temp files. I proceeded to scan with Mbam and AVG.

rebooted to safe mode and did another mbam scan. found several infections. after rebooting all seems ok for about 10 minutes or so then sudenly I get the "your computer is at risk" popup from the task bar and an odd looking shield that calls itself "Windows Firewall" it wants to install "PCAntimalware 4.1.288.0" if clicked it shows an installer. if you cancel int installed about 15 to 20 fake folders and quits. nothing I have tried has worked to remove the installer. I cannot seem to find the process it is running. it does not run in safe mode so I will do a selective startup next and try to see where it's hiding.

mbam removes everything but the installer. AVG doesnt see it, nor does SpybotS&D or CCleaner. Hijackthis won't even install so I will try that in safe mode again.

mbam and HJT log below

Malwarebytes' Anti-Malware 1.37

Database version: 2198

Windows 5.1.2600 Service Pack 3

6/1/2009 12:29:34 PM

mbam-log-2009-06-01 (12-29-28).txt

Scan type: Quick Scan

Objects scanned: 90917

Time elapsed: 3 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 25

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 3

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{f58ff278-2198-403b-9170-c95022a194c6} (Rogue.AntiSpyCheck) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{e1fab6bd-4a34-47ce-82af-50b16a6be77e} (Rogue.AntiSpyCheck) -> No action taken.

HKEY_CLASSES_ROOT\Typelib\{5aa883db-7cfd-4737-b3c3-c671595ecce5} (Rogue.AntiSpyCheck) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f58ff278-2198-403b-9170-c95022a194c6} (Rogue.AntiSpyCheck) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f58ff278-2198-403b-9170-c95022a194c6} (Rogue.AntiSpyCheck) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\AntivirusXP (Rogue.AntivirusXP) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\sysguard (Rogue.SysGuard) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Doctor Adware Pro (Rogue.DoctorAdwarePro) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\RealAV (Rogue.RealAV) -> No action taken.

HKEY_CLASSES_ROOT\threatwarning.warningbho (Rogue.AntiSpyCheck) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\antispycheck 2.1 (Rogue.AntiSpyCheck) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\asc 2.1 (Rogue.AntiSpyCheck) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\asc 2.1 (Rogue.AntiSpyCheck) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ASpyC (Rogue.AntiSpyCheck) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\ASpyC (Rogue.AntiSpyCheck) -> No action taken.

HKEY_CLASSES_ROOT\spywarning.warningbho (Rogue.AntiSpyCheck) -> No action taken.

HKEY_CLASSES_ROOT\spywarning.warningbho.1 (Rogue.AntiSpyCheck) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ASpyC (Rogue.AntiSpyCheck) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\antispycheck 2.1.exe (Rogue.AntiSpyCheck) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\antispycheck (Rogue.AntiSpyCheck) -> No action taken.

HKEY_CLASSES_ROOT\smwin32.mdr (Trojan.FakeAlert) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\VirRL2009 (Rogue.AntiVirusLab) -> No action taken.

HKEY_CLASSES_ROOT\AppID\ad-protect.EXE (Rogue.ContraVirus) -> No action taken.

HKEY_CLASSES_ROOT\AppID\spamdet.DLL (Rogue.Multiple) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Solt Lake Software (Rogue.ProAntispyware2009) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

D:\Program Files\Zango (Adware.180Solutions) -> No action taken.

D:\Program Files\MyWebSearch (Adware.MyWebSearch) -> No action taken.

d:\program files\Antispyware 2008 (Rogue.Antispyware) -> No action taken.

Files Infected:

d:\documents and settings\herb\local settings\application data\de5cbc9e911ee0f5d665fb6f8f9b82a9_pi.exe (Rogue.PCAntiMalware) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:00:28 PM, on 6/1/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\Ati2evxx.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\system32\Ati2evxx.exe

D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

D:\Program Files\LogMeIn\x86\RaMaint.exe

D:\Program Files\LogMeIn\x86\LogMeIn.exe

D:\PROGRA~1\AVG\AVG8\avgrsx.exe

D:\PROGRA~1\AVG\AVG8\avgnsx.exe

D:\Program Files\LogMeIn\x86\LMIGuardian.exe

D:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

D:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

D:\WINDOWS\system32\svchost.exe

D:\PROGRA~1\AVG\AVG8\avgemc.exe

D:\Program Files\AVG\AVG8\avgcsrvx.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\RTHDCPL.EXE

D:\Program Files\LogMeIn\x86\LogMeInSystray.exe

D:\PROGRA~1\AVG\AVG8\avgtray.exe

D:\WINDOWS\VM305_STI.EXE

D:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

D:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

D:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe

D:\Program Files\Windows Live\Messenger\msnmsgr.exe

D:\WINDOWS\system32\ctfmon.exe

D:\Program Files\LogMeIn\x86\LMIGuardian.exe

D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5LAK.EXE

D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5SWK.EXE

D:\Program Files\Gigabyte\ET5\GUI.exe

D:\Program Files\Windows Live\Contacts\wlcomm.exe

D:\WINDOWS\system32\rundll32.exe

D:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

D:\Program Files\Windows Live\Mail\wlmail.exe

D:\Program Files\Internet Explorer\IEXPLORE.EXE

D:\Program Files\Mozilla Firefox\firefox.exe

D:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

D:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe

D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {58472bc6-bea3-42d4-8917-7a8bcb0711b5} - (no file)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - D:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - D:\Program Files\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - D:\Program Files\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [EasyTuneV] D:\Program Files\Gigabyte\ET5\ETcall.exe

O4 - HKLM\..\Run: [LogMeIn GUI] "D:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [bigDog305] D:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)

O4 - HKLM\..\Run: [DiscWizardMonitor.exe] D:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] D:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

O4 - HKLM\..\Run: [seagate Scheduler2 Service] "D:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [de5cbc9e911ee0f5d665fb6f8f9b82a9.33] D:\WINDOWS\system32\rundll32.exe "D:\WINDOWS\system32\de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll", start2 aff_id=2973=wm_id=0

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [de5cbc9e911ee0f5d665fb6f8f9b82a9.33] D:\WINDOWS\system32\rundll32.exe "D:\WINDOWS\system32\de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll", start2 aff_id=2973=wm_id=0

O4 - Startup: de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll.lnk = D:\WINDOWS\system32\rundll32.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Canon iC D800 Status Window.LNK = D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5LAK.EXE

O4 - Global Startup: de5cbc9e911ee0f5d665fb6f8f9b82a9.33.dll.lnk = D:\WINDOWS\system32\rundll32.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1241207145515

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - D:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

O20 - Winlogon Notify: avgrsstarter - D:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - D:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - D:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - D:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: QuickBooksDB18 - iAnywhere Solutions, Inc. - D:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe

O23 - Service: Seagate Scheduler2 Service (SgtSch2Svc) - Seagate - D:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

--

End of file - 8862 bytes

miekiemoes · June 1, 2009

Hi,

From your log I see no action was taken. Also, I see that the cleanup script was never run either, most probably because you never rebooted, or because your teatimer blocked it, so... I see you are running Teatimer.

I suggest you to disable it because it can interfere with the changes you'll make on your system.

When everything is done and your log is clean again, you can enable it again.

If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer <== click me for instructions.

After you disabled Teatimer, download ResetTeaTimer.exe to your desktop.

Then run ResetTeaTimer.exe.

This will only take a few seconds.

Then, rerun malwarebytes again and post the new log together with a new hijackthislog.

MohavePC · June 1, 2009

I posted the wrong log.

here is the correct mbam and hjt logs after I restarted and scanned again the same files come up as infected within 10 minutes

Malwarebytes' Anti-Malware 1.37

Database version: 2198

Windows 5.1.2600 Service Pack 3

6/1/2009 2:12:11 PM

mbam-log-2009-06-01 (14-12-11).txt

Scan type: Quick Scan

Objects scanned: 89834

Time elapsed: 2 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 24

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 3

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{f58ff278-2198-403b-9170-c95022a194c6} (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{e1fab6bd-4a34-47ce-82af-50b16a6be77e} (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{5aa883db-7cfd-4737-b3c3-c671595ecce5} (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f58ff278-2198-403b-9170-c95022a194c6} (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\AntivirusXP (Rogue.AntivirusXP) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\sysguard (Rogue.SysGuard) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Doctor Adware Pro (Rogue.DoctorAdwarePro) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\RealAV (Rogue.RealAV) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\threatwarning.warningbho (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\antispycheck 2.1 (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\asc 2.1 (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\asc 2.1 (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ASpyC (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\ASpyC (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\spywarning.warningbho (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\spywarning.warningbho.1 (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ASpyC (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\antispycheck 2.1.exe (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\antispycheck (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\smwin32.mdr (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\VirRL2009 (Rogue.AntiVirusLab) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\ad-protect.EXE (Rogue.ContraVirus) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\spamdet.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Solt Lake Software (Rogue.ProAntispyware2009) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

D:\Program Files\Zango (Adware.180Solutions) -> Quarantined and deleted successfully.

D:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

d:\program files\Antispyware 2008 (Rogue.Antispyware) -> Quarantined and deleted successfully.

Files Infected:

d:\documents and settings\herb\local settings\application data\de5cbc9e911ee0f5d665fb6f8f9b82a9_pi.exe (Rogue.PCAntiMalware) -> Quarantined and deleted successfully.

HJT

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:30:19 PM, on 6/1/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\Ati2evxx.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\Ati2evxx.exe

D:\WINDOWS\system32\spoolsv.exe

D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

D:\Program Files\LogMeIn\x86\RaMaint.exe

D:\Program Files\LogMeIn\x86\LogMeIn.exe

D:\PROGRA~1\AVG\AVG8\avgrsx.exe

D:\PROGRA~1\AVG\AVG8\avgnsx.exe

D:\Program Files\LogMeIn\x86\LMIGuardian.exe

D:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

D:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

D:\WINDOWS\system32\svchost.exe

D:\PROGRA~1\AVG\AVG8\avgemc.exe

D:\Program Files\AVG\AVG8\avgcsrvx.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\RTHDCPL.EXE

D:\Program Files\LogMeIn\x86\LogMeInSystray.exe

D:\PROGRA~1\AVG\AVG8\avgtray.exe

D:\Program Files\LogMeIn\x86\LMIGuardian.exe

D:\WINDOWS\VM305_STI.EXE

D:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

D:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

D:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe

D:\Program Files\Windows Live\Messenger\msnmsgr.exe

D:\WINDOWS\system32\ctfmon.exe

D:\WINDOWS\system32\rundll32.exe

D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5LAK.EXE

D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

D:\Program Files\Gigabyte\ET5\GUI.exe

D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM5SWK.EXE

D:\Program Files\Windows Live\Contacts\wlcomm.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896