Re: Fake Windows Security Message
 

I'm having the same issue and looking for some help too! I've downloaded Hijack this and here is the log...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:01 PM, on 2/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\sysockeu.exe
C:\WINDOWS\sysodkcs.exe
C:\WINDOWS\sysoghcx.exe
C:\WINDOWS\sysokuaw.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Ed\Local Settings\Temp\RootkitRevealer.exe
C:\DOCUME~1\Ed\LOCALS~1\Temp\GOCKHQ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [pdfFactory Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [1029BB4B-16A9-4E77-AA3D-96930BD68EEC] "C:\WINDOWS\sysockeu.exe"
O4 - HKLM\..\Run: [852EBF20-A95D-4F1F-B9C2-B2CD24350F3E] "C:\WINDOWS\sysodkcs.exe"
O4 - HKLM\..\Run: [756349DC-6D9E-4F2A-9B24-269661F073C3] "C:\WINDOWS\sysoghcx.exe"
O4 - HKLM\..\Run: [2177F056-0AA6-4D6C-A944-13F71F341C29] "C:\WINDOWS\sysokuaw.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX9400Fax Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICFA.EXE /FU "C:\WINDOWS\TEMP\E_S86CC.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O18 - Protocol: bw+0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {2E490EDF-B2EB-4E31-B7C4-627737E6CA50} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GOCKHQ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Ed\LOCALS~1\Temp\GOCKHQ.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

--
End of file - 17443 bytes

Re: Fake Windows Security Message
 

Hi lob777 and welcome to DaniWeb

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix

• When the tool is finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" along with a new HijackThis log so we may continue cleaning the system.

Re: Fake Windows Security Message
 

Thanks again. This has been a great learning experience!
Combo Fix Log....

ComboFix 08-03-03.12 - Ed 2008-03-03 9:54:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.645 [GMT -7:00]
Running from: C:\Documents and Settings\Ed\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-03-01 08:21 . 2008-03-01 08:21 <DIR> d-------- C:\Documents and Settings\Ed\Application Data\Jasc
2008-02-29 17:51 . 2008-02-29 17:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-29 17:51 . 2008-02-29 18:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-02-29 17:41 . 2008-02-29 17:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-29 15:16 . 2008-02-29 15:28 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-02-29 14:27 . 2008-02-29 17:13 2,986,038 --a------ C:\WINDOWS\mywallpaper.bmp
2008-02-29 14:22 . 2008-02-29 14:22 35,840 --a------ C:\WINDOWS\sysockeu.exe
2008-02-29 14:22 . 2008-02-29 14:22 32,256 --a------ C:\WINDOWS\sysodkcs.exe
2008-02-29 14:22 . 2008-02-29 14:22 28,672 --a------ C:\WINDOWS\sysokuaw.exe
2008-02-29 14:22 . 2008-02-29 14:22 25,088 --a------ C:\WINDOWS\sysoghcx.exe
2008-02-29 14:22 . 2008-02-29 14:22 20,992 --a------ C:\WINDOWS\sysounrk.exe
2008-02-29 14:22 . 2008-02-29 14:22 3,072 --a------ C:\WINDOWS\ftebh.exe
2008-02-29 14:22 . 2008-02-29 14:22 1,855 --a------ C:\WINDOWS\config.ini
2008-02-29 14:22 . 2008-02-29 14:22 1,409 --a------ C:\WINDOWS\fbdzj.exe
2008-02-29 14:22 . 2008-02-29 14:22 1,272 --a------ C:\WINDOWS\fzmxg.dll
2008-02-27 18:19 . 2008-02-27 18:19 <DIR> d-------- C:\Documents and Settings\Ed\Application Data\EPSON
2008-02-27 18:07 . 2008-02-27 18:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\EPSON
2008-02-27 17:36 . 2004-08-04 07:52 413,696 -ra------ C:\WINDOWS\system32\msvc5a98.rra
2008-02-27 17:36 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-02-27 17:36 . 2005-02-23 14:58 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys
2008-02-27 17:30 . 2006-10-20 00:10 501,912 --a------ C:\WINDOWS\system32\PICSDK2.dll
2008-02-27 17:30 . 2006-10-20 00:10 108,704 --a------ C:\WINDOWS\system32\PICEntry.dll
2008-02-27 17:30 . 2004-03-03 06:10 31,053 --a------ C:\WINDOWS\system32\EPPICPattern131.dat
2008-02-27 17:30 . 2004-03-03 06:10 27,417 --a------ C:\WINDOWS\system32\EPPICPattern121.dat
2008-02-27 17:29 . 2007-04-18 00:00 67,072 --a------ C:\WINDOWS\system32\escwiad.dll
2008-02-27 17:28 . 2008-02-27 17:41 44 --a------ C:\WINDOWS\EPSCX9400Fax.ini
2008-02-27 17:20 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-27 17:20 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-13 07:21 . 2008-03-03 09:43 <DIR> d-------- C:\Program Files\Norton Security Scan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-03 01:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-29 21:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-28 00:36 --------- d-----w C:\Documents and Settings\Ed\Application Data\Arcsoft
2008-02-28 00:29 --------- d-----w C:\Program Files\EPSON
2008-02-23 00:52 --------- d-----w C:\Program Files\Norton SystemWorks
2008-02-10 22:12 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-07 22:24 --------- d-----w C:\Program Files\ESET
2008-01-17 19:02 --------- d-----w C:\Program Files\QuickTime
2008-01-17 19:02 --------- d-----w C:\Program Files\iTunes
2008-01-17 19:02 --------- d-----w C:\Program Files\iPod
2008-01-17 19:02 --------- d-----w C:\Program Files\Bonjour
2008-01-17 19:02 --------- d-----w C:\Documents and Settings\Ed\Application Data\Apple Computer
2008-01-17 19:02 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2008-01-17 19:01 --------- d-----w C:\Program Files\Apple Software Update
2008-01-17 19:00 --------- d-----w C:\Program Files\Common Files\Apple
2008-01-17 19:00 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2008-01-17 18:52 --------- d-----w C:\Program Files\Open Adder
2008-01-09 19:56 --------- d-----w C:\Program Files\Citrix
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2005-09-27 23:31 32 -csha-w C:\WINDOWS\{2402F6FA-B55A-4322-9C7A-22B90439B33A}.dat
2005-09-27 23:30 32 -csha-w C:\WINDOWS\{886CE030-F1F4-4E8F-B6F4-5E0864E281E0}.dat
2005-09-27 23:31 32 -csha-w C:\WINDOWS\{A65C159F-B8B0-4222-85F2-3A75BEF846EA}.dat
2005-09-27 23:30 32 -csha-w C:\WINDOWS\{AD85BC0C-D50E-425A-96B9-D9064C10FA60}.dat
2005-09-27 23:30 32 -csha-w C:\WINDOWS\{E6E97AA3-4CB5-48DA-9A2F-24D44D518638}.dat
2005-09-27 23:31 32 --sha-w C:\WINDOWS\{FB244F26-865A-4888-A942-EFA3D102A57D}.dat
2005-09-27 23:31 32 -csha-w C:\WINDOWS\system32\{0176C14B-67FE-416E-969E-C7FA1127ED95}.dat
2005-09-27 23:30 32 -csha-w C:\WINDOWS\system32\{09891033-11B9-4313-9588-9FFE71AC2E03}.dat
2005-09-27 23:31 32 -csha-w C:\WINDOWS\system32\{0F642CB5-9BB5-4B73-8F93-269FDAB42BE2}.dat
2005-09-27 23:30 32 -csha-w C:\WINDOWS\system32\{0FDC3861-0CF6-4DD8-8AAF-BF710D1B311A}.dat
2005-09-27 23:30 32 -csha-w C:\WINDOWS\system32\{5FD683FA-27CF-4F64-BC72-3CFD1BD2979D}.dat
2005-09-27 23:31 32 -csha-w C:\WINDOWS\system32\{6D393FED-256E-44C0-8B4B-73A03B40A5D9}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX9400Fax Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICFA.exe" [2007-03-23 06:00 182272]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2005-09-28 09:20 917504]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"pdfFactory Dispatcher v3"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2007-02-15 23:02 503808]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46 57344]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 13:27:34 471040]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
backup=C:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
--a--c--- 2004-08-16 16:45 45056 C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck]
--a--c--- 2004-06-23 19:28 7932416 C:\Program Files\VIAudioi\SBADeck\ADeck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]
--a--c--- 2004-08-18 11:47 1249280 C:\Program Files\D-Link\AirPlus G\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R220 Series]
--a--c--- 2005-03-09 04:00 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-09-29 22:35 4603904 C:\WINDOWS\System32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2004-09-29 22:35 86016 C:\WINDOWS\System32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2004-09-29 22:35 921600 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfFactory Pro Dispatcher v2]
--a------ 2006-01-25 12:55 495616 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QD FastAndSafe]
--a------ 2002-08-13 17:00 32768 C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
--a------ 2003-02-26 16:50 253952 C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-02-27 04:36 757760 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-02-27 05:31 69632 C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-06-03 03:52 36975 C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra------ 2004-01-15 05:33 49152 C:\WINDOWS\system32\VTTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2004-08-11 14:27]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S4 GOCKHQ;GOCKHQ;C:\DOCUME~1\Ed\LOCALS~1\Temp\GOCKHQ.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\EPSETUP.EXE

*Newly Created Service* - HTTPFILTER
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 09:55:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-03 9:56:24
ComboFix-quarantined-files.txt 2008-03-03 16:56:15
ComboFix2.txt 2008-03-03 15:27:28
.
2008-03-02 10:00:33 --- E O F ---







HJT Log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:18 AM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [pdfFactory Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX9400Fax Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICFA.EXE /FU "C:\WINDOWS\TEMP\E_S86CC.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

--
End of file - 3879 bytes

Re: Fake Windows Security Message
 

Hi lob777

Scan with HijackThis and put a check next to following entry (If it still exists)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =


Remember to close all other windows and click Fix Checked

----------------------------

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Save this as CFScript.txt, in the same location as ComboFix.exe

Attachment 5301

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

----------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 6u4.
• Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
• Click the "Download" button to the right.
• In the pull down menu next to Platform select Windows
• Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement"
• Click Continue
• Click on the link to download Windows Offline Installation and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u4-windowsi586-p.exe to install the newest version.

----------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

----------------------------
Required Logs

C:\ComboFix.txt
Kaspersky report
new HijackThis log << taken after the online scan


Please also provide an update on system behaviour

Re: Fake Windows Security Message
 

Hi MoralTerror, thank you so much for everything you've been doing to help me with this problem...it is so much appreciated!

Here are the most current system logs...
__________________________________________________________
ComboFix
____________

ComboFix 08-03-03.12 - Ed 2008-03-04 15:35:14.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.555 [GMT -7:00]
Running from: C:\Documents and Settings\Ed\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ed\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\fbdzj.exe
C:\WINDOWS\ftebh.exe
C:\WINDOWS\fzmxg.dll
C:\WINDOWS\sysockeu.exe
C:\WINDOWS\sysodkcs.exe
C:\WINDOWS\sysoghcx.exe
C:\WINDOWS\sysokuaw.exe
C:\WINDOWS\sysounrk.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_GOCKHQ
-------\GOCKHQ


((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.

2008-03-01 08:21 . 2008-03-01 08:21 <DIR> d-------- C:\Documents and Settings\Ed\Application Data\Jasc
2008-02-29 17:51 . 2008-02-29 17:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-29 17:51 . 2008-02-29 18:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-02-29 17:41 . 2008-02-29 17:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-29 15:16 . 2008-02-29 15:28 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-02-29 14:27 . 2008-02-29 17:13 2,986,038 --a------ C:\WINDOWS\mywallpaper.bmp
2008-02-29 14:22 . 2008-02-29 14:22 1,855 --a------ C:\WINDOWS\config.ini
2008-02-27 18:19 . 2008-02-27 18:19 <DIR> d-------- C:\Documents and Settings\Ed\Application Data\EPSON
2008-02-27 18:07 . 2008-02-27 18:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\EPSON
2008-02-27 17:36 . 2004-08-04 07:52 413,696 -ra------ C:\WINDOWS\system32\msvc5a98.rra
2008-02-27 17:36 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-02-27 17:36 . 2005-02-23 14:58 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys
2008-02-27 17:30 . 2006-10-20 00:10 501,912 --a------ C:\WINDOWS\system32\PICSDK2.dll
2008-02-27 17:30 . 2006-10-20 00:10 108,704 --a------ C:\WINDOWS\system32\PICEntry.dll
2008-02-27 17:30 . 2004-03-03 06:10 31,053 --a------ C:\WINDOWS\system32\EPPICPattern131.dat
2008-02-27 17:30 . 2004-03-03 06:10 27,417 --a------ C:\WINDOWS\system32\EPPICPattern121.dat
2008-02-27 17:29 . 2007-04-18 00:00 67,072 --a------ C:\WINDOWS\system32\escwiad.dll
2008-02-27 17:28 . 2008-02-27 17:41 44 --a------ C:\WINDOWS\EPSCX9400Fax.ini
2008-02-27 17:20 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-27 17:20 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-13 07:21 . 2008-03-03 09:43 <DIR> d-------- C:\Program Files\Norton Security Scan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-03 01:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-29 21:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-28 00:36 --------- d-----w C:\Documents and Settings\Ed\Application Data\Arcsoft
2008-02-28 00:29 --------- d-----w C:\Program Files\EPSON
2008-02-23 00:52 --------- d-----w C:\Program Files\Norton SystemWorks
2008-02-10 22:12 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-07 22:24 --------- d-----w C:\Program Files\ESET
2008-01-17 19:02 --------- d-----w C:\Program Files\QuickTime
2008-01-17 19:02 --------- d-----w C:\Program Files\iTunes
2008-01-17 19:02 --------- d-----w C:\Program Files\iPod
2008-01-17 19:02 --------- d-----w C:\Program Files\Bonjour
2008-01-17 19:02 --------- d-----w C:\Documents and Settings\Ed\Application Data\Apple Computer
2008-01-17 19:02 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2008-01-17 19:01 --------- d-----w C:\Program Files\Apple Software Update
2008-01-17 19:00 --------- d-----w C:\Program Files\Common Files\Apple
2008-01-17 19:00 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2008-01-17 18:52 --------- d-----w C:\Program Files\Open Adder
2008-01-09 19:56 --------- d-----w C:\Program Files\Citrix
2005-09-27 23:31 32 -csha-w C:\WINDOWS\{2402F6FA-B55A-4322-9C7A-22B90439B33A}.dat
2005-09-27 23:30 32 -csha-w C:\WINDOWS\{886CE030-F1F4-4E8F-B6F4-5E0864E281E0}.dat
2005-09-27 23:31 32 -csha-w C:\WINDOWS\{A65C159F-B8B0-4222-85F2-3A75BEF846EA}.dat
2005-09-27 23:30 32 -csha-w C:\WINDOWS\{AD85BC0C-D50E-425A-96B9-D9064C10FA60}.dat
2005-09-27 23:30 32 -csha-w C:\WINDOWS\{E6E97AA3-4CB5-48DA-9A2F-24D44D518638}.dat
2005-09-27 23:31 32 --sha-w C:\WINDOWS\{FB244F26-865A-4888-A942-EFA3D102A57D}.dat
2005-09-27 23:31 32 -csha-w C:\WINDOWS\system32\{0176C14B-67FE-416E-969E-C7FA1127ED95}.dat
2005-09-27 23:30 32 -csha-w C:\WINDOWS\system32\{09891033-11B9-4313-9588-9FFE71AC2E03}.dat
2005-09-27 23:31 32 -csha-w C:\WINDOWS\system32\{0F642CB5-9BB5-4B73-8F93-269FDAB42BE2}.dat
2005-09-27 23:30 32 -csha-w C:\WINDOWS\system32\{0FDC3861-0CF6-4DD8-8AAF-BF710D1B311A}.dat
2005-09-27 23:30 32 -csha-w C:\WINDOWS\system32\{5FD683FA-27CF-4F64-BC72-3CFD1BD2979D}.dat
2005-09-27 23:31 32 -csha-w C:\WINDOWS\system32\{6D393FED-256E-44C0-8B4B-73A03B40A5D9}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX9400Fax Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICFA.exe" [2007-03-23 06:00 182272]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2005-09-28 09:20 917504]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"pdfFactory Dispatcher v3"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2007-02-15 23:02 503808]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46 57344]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 13:27:34 471040]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
backup=C:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
--a--c--- 2004-08-16 16:45 45056 C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck]
--a--c--- 2004-06-23 19:28 7932416 C:\Program Files\VIAudioi\SBADeck\ADeck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]
--a--c--- 2004-08-18 11:47 1249280 C:\Program Files\D-Link\AirPlus G\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R220 Series]
--a--c--- 2005-03-09 04:00 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-09-29 22:35 4603904 C:\WINDOWS\System32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2004-09-29 22:35 86016 C:\WINDOWS\System32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2004-09-29 22:35 921600 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfFactory Pro Dispatcher v2]
--a------ 2006-01-25 12:55 495616 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QD FastAndSafe]
--a------ 2002-08-13 17:00 32768 C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
--a------ 2003-02-26 16:50 253952 C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-02-27 04:36 757760 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-02-27 05:31 69632 C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-06-03 03:52 36975 C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra------ 2004-01-15 05:33 49152 C:\WINDOWS\system32\VTTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2004-08-11 14:27]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\EPSETUP.EXE

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 15:37:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-03-04 15:38:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-04 22:38:54
ComboFix2.txt 2008-03-03 16:56:24
ComboFix3.txt 2008-03-03 15:27:28
.
2008-03-02 10:00:33 --- E O F ---




____________________________________________
Kaspersky Report
____________________________________________

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, March 04, 2008 8:27:35 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/03/2008
Kaspersky Anti-Virus database records: 597127
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 53587
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:50:53

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Ed\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\History\History.IE5\MSHist012008030420080305\index.dat Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Temp\~DF9727.tmp Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Temp\~DF973B.tmp Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ed\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ed\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D174C0F6-AD87-481D-8389-EFE40E4B7080}\RP797\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


____________________________________________
HiJackThis Log
_________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:39 PM, on 3/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [pdfFactory Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX9400Fax Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICFA.EXE /FU "C:\WINDOWS\TEMP\E_S86CC.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

--
End of file - 4410 bytes
_________________________________________________________

Updated system behavior....
the wallpaper and the spyware alert are both gone. As far as everything else goes, the system appears to be working perfectly fine.

thanks again and again!!!

Re: Fake Windows Security Message
 

Hi lob777

You're very welcome. Your logs are clean. Kindly follow these simple steps in order to keep your computer clean and secure:

1. UNINSTALL COMBOFIX
   This process will also perform some final cleanup steps
   Click Start > Run and type ComboFix /u
   
   
   
2. ANTIVIRUS SOFTWARE
   It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
   
   See this link for a listing of some online & their stand-alone antivirus programs:
   
   Virus, Spyware, and Malware Protection and Removal Resources
   
   It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
   
3. FIREWALL
   Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.
   
   
   
4. Microsoft Windows Update
   Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
   
   
5. SPYBOT - SEARCH & DESTROY
   Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
   
   
   
6. AD-AWARE
   Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

• Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• Google Toolbar - Get the free google toolbar to help stop pop up windows.
  
  
• CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  
  
• ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
  
  
• Winpatrol - Download and install the free version of Winpatrol.
  A tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

If there are no more issues please mark this thread as resolved.