Trojan-spy.win32@mx, Trojan-vundo, Malware, Spyware

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > HijackThis Logs and Virus/Trojan/Spyware/Malware Removal

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Trojan-spy.win32@mx, Trojan-vundo, Malware, Spyware, Need much needed help in removing this, please.

Options

MonicaNicole View Member Profile	Nov 13 2007, 12:41 AM Post #1
New Member Group: Members Posts: 14 Joined: 13-November 07 From: Southern California Member No.: 169,336	I have gone through all the steps that you have recommended. The virus and spyware are still infecting the computer, I thought they had been removed but, they have come back in full force. I have pop ups, false system warnings, lock ups, slow browser. I also noticed on IE that a new toolbar has installed itself, security toolbar 7.1, I have no idea where that came from. It would be much appreciated if someone could please help me! Here is the hijackthis log file. Thank You. Monica Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:17:47 PM, on 11/12/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sygate\SPF\smc.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Common Files\AOL\1189379618\ee\AOLSoftware.exe C:\Program Files\Windows Defender\MSASCui.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\dpcrkqhi.dll O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe" O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1189379618\ee\AOLSoftware.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [407df185] rundll32.exe "C:\WINDOWS\system32\leebrosf.dll",b O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: hpoddt01.exe.lnk = ? O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing) O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU) O15 - Trusted Zone: .doginhispen.com O15 - Trusted Zone: .whataboutadog.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- End of file - 7640 bytes This post has been edited by MonicaNicole: Nov 13 2007, 12:47 AM

lusitano View Member Profile	Nov 13 2007, 05:33 AM Post #2
Portuguese Malware Fighter Group: HJT Team Posts: 1,443 Joined: 5-April 07 From: Portugal Member No.: 122,277	Hi, Wellcome to Bleeping Computer Forums! You might want to save this page on your favorites, so you can find it again when you return. Please take note of the following: I will be handling your log and helping you, please do not make any system changes yet. The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patience. The fixes are specific to your problem and should only be used for this issue on this machine If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes. Please reply to this thread. Do not start a new topic. Please give me some time to look over your log and I will get back to you as soon as possible. -------------------- Please do not PM me asking for support. Please be courteous, polite, and say thank you. Please post the final results, good or bad. We like to know!

lusitano View Member Profile	Nov 13 2007, 07:53 AM Post #3
Portuguese Malware Fighter Group: HJT Team Posts: 1,443 Joined: 5-April 07 From: Portugal Member No.: 122,277	Hello , You have your protection program running on your computer, which is good but they may interfere with the fixes we need to make, so it's better to disable them for the moment. You may re-enable them again once you're clean; I will let you know. 1. To disable SPYBOT TEATIMER: * Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected. * On the left hand side, click on Tools, then click on the Resident Icon in the list. * Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box. * Click on the "System Startup" icon in the List * Uncheck the "TeaTimer" box and "OK" any prompts. * If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted. * Exit Spybot S&D when done. * (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.] Also, for the steps with combofix tool, you may have to disable more softwares. Please careful with that and follow ALL the instrucions bellow. 2. Download ComboFix from Here or Here to your Desktop. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Click on this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.* Double click combofix.exe and follow the prompts. When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply Note: Do not mouseclick combofix's window while its running. That may cause it to stall 3. Click HERE to download FindAWF.exe and save it to your desktop. Double-click on the FindAWF.exe file to run it. It will open a command prompt and ask you to "Press any key to continue". You will be presented with a Menu. Type 1, then press Enter. FindAWF tool will begin scanning. It may take a few minutes to complete so be patient. When the scan is finished, a text file in notepad called AWF.txt will automatically open. Return to this thread and copy and paste the contents of the AWF.txt file in your next reply. 4. In your next reply, please post: * New HijackThis log * Combofix results * AWF results Regards -------------------- Please do not PM me asking for support. Please be courteous, polite, and say thank you. Please post the final results, good or bad. We like to know!

lusitano View Member Profile	Nov 17 2007, 06:58 AM Post #5
Portuguese Malware Fighter Group: HJT Team Posts: 1,443 Joined: 5-April 07 From: Portugal Member No.: 122,277	Hi and thanks for your patience! Please right click on the attachment CFScript.txt(see at end of my post), and from the menu choose Save Target As, save them to your desktop with the name: CFScript.txt Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again. This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog. When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed, and read it carefully. With the above script, ComboFix will capture a file to submit for analysis. Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file, along with a new HijackThis log. Attached File(s) CFScript.txt ( 1.45k ) Number of downloads: 12 -------------------- Please do not PM me asking for support. Please be courteous, polite, and say thank you. Please post the final results, good or bad. We like to know!

MonicaNicole View Member Profile	Nov 17 2007, 06:01 PM Post #6
New Member Group: Members Posts: 14 Joined: 13-November 07 From: Southern California Member No.: 169,336	Hello, I was beginning to think you had forgotten about me. Thank you so much for helping me. I really appreciate it! Just a small update on how things are running. I did run a couple of more scans recently and have managed to stop the yellow triangle, pop ups, system warnings, and the security 7.1 toolbar, but I know that I must still be infected because that's just to good to be true. The only thing that had remained was doginhispen and weatherbug in my logs and the 2 new icons "Live Safety Center" and "Online Security Guide", which have now come off with this last combofix run. I'll be anticipating your next reply, I can't wait to have my computer back. Here are the logs, I hope I did this right. ComboFix Log ComboFix 07-11-08.1 - Nikki 2007-11-17 14:37:27.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.157 [GMT -8:00] Running from: C:\Documents and Settings\Nikki\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Nikki\Desktop\CFScript.txt * Created a new restore point FILE C:\WINDOWS\system32\ddaby.dll . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk C:\Documents and Settings\Nikki\Desktop\Live Safety Center.lnk C:\Documents and Settings\Nikki\Desktop\Online Security Guide.lnk C:\Documents and Settings\Nikki\Favorites\Online Security Guide.lnk C:\WINDOWS\SYSTEM32\atrtjnhv.dll C:\WINDOWS\SYSTEM32\ieaqlgay.dll C:\WINDOWS\SYSTEM32\leebrosf.dll C:\WINDOWS\SYSTEM32\llqxnsbf.dll C:\WINDOWS\SYSTEM32\npsbqepw.dll C:\WINDOWS\SYSTEM32\quspqthq.dll C:\WINDOWS\SYSTEM32\yfpvoebn.dll . ((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 ))))))))))))))))))))))))))))))) . 2007-11-15 21:54 <DIR> d-------- C:\Deckard 2007-11-15 20:31 73 --a------ C:\WINDOWS\SYSTEM32\pfdnnt_actions.sys 2007-11-15 19:29 <DIR> d-------- C:\Program Files\SpywareBlaster 2007-11-13 11:24 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-11-12 21:14 <DIR> d-------- C:\Program Files\Trend Micro 2007-11-12 21:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx 2007-11-12 21:04 <DIR> d-------- C:\Temp 2007-11-12 21:04 1,563,704 --a------ C:\Program Files\PREVXCSIFREE.EXE 2007-11-11 23:10 60,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Teefer.sys 2007-11-11 23:10 21,075 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wpsdrvnt.sys 2007-11-11 23:10 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg6n.sys 2007-11-11 23:10 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg5n.sys 2007-11-11 23:10 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg4n.sys 2007-11-11 23:10 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg3n.sys 2007-11-11 23:09 <DIR> d-------- C:\Program Files\Sygate 2007-11-11 23:09 83,096 --a------ C:\WINDOWS\SYSTEM32\SSSensor.dll 2007-11-11 21:46 1,953,799 --a------ C:\Program Files\stinger.exe 2007-11-11 21:41 <DIR> d-------- C:\WINDOWS\BDOSCAN8 2007-11-11 17:46 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan 2007-11-11 16:28 7,467,056 --a------ C:\Program Files\spybotsd15.exe 2007-11-11 14:00 <DIR> d-------- C:\Program Files\Lavasoft 2007-11-11 14:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2007-11-11 13:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-11-11 13:57 21,216,112 --a------ C:\Program Files\aaw2007.exe 2007-11-11 08:14 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys 2007-11-10 22:37 <DIR> d-------- C:\Documents and Settings\Nikki\.housecall6.6 2007-11-09 15:17 <DIR> d-------- C:\Program Files\Windows Defender 2007-11-07 21:51 8,987,768 --a------ C:\Program Files\Windows-KB890830-x64-V1.34.exe 2007-11-07 20:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2007-11-03 17:44 <DIR> d-------- C:\Documents and Settings\Nikki\Application Data\PlayFirst 2007-11-03 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia 2007-11-03 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst 2007-11-03 17:40 <DIR> d-------- C:\Program Files\Yahoo! Games 2007-10-31 09:29 <DIR> d-------- C:\Program Files\AOL 9.0 2007-10-30 19:55 625,032 --a------ C:\WINDOWS\SYSTEM32\SymNeti.dll 2007-10-30 19:55 242,056 --a------ C:\WINDOWS\SYSTEM32\SymRedir.dll 2007-10-30 19:55 191,536 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symtdi.sys 2007-10-30 19:55 145,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symfw.sys 2007-10-30 19:55 39,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symids.sys 2007-10-30 19:55 37,936 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symndisv.sys 2007-10-30 19:55 35,120 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symndis.sys 2007-10-30 19:55 27,696 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symredrv.sys 2007-10-30 19:55 12,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symdns.sys 2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe 2007-10-18 17:46 <DIR> d-------- C:\WINDOWS\SYSTEM32\bak . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-17 22:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2007-11-17 22:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec 2007-11-16 23:26 --------- d-----w C:\Program Files\Norton Internet Security 2007-11-13 04:27 17 ----a-w C:\Program Files\stinger.opt 2007-11-12 07:07 5,659,648 ----a-w C:\Program Files\spf.msi 2007-11-11 21:50 --------- d-----w C:\Documents and Settings\Nikki\Application Data\Lavasoft 2007-11-11 18:56 --------- d-----w C:\Program Files\Morpheus 2007-11-09 23:15 5,154,304 ----a-w C:\Program Files\WindowsDefender.msi 2007-11-01 22:36 --------- d-----w C:\Documents and Settings\Robert\Application Data\AOL 2007-10-31 17:33 --------- d-----w C:\Program Files\Common Files\AOL 2007-10-31 17:33 --------- d-----w C:\Documents and Settings\Nikki\Application Data\AOL 2007-10-31 17:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL 2007-10-31 17:31 --------- d-----w C:\Program Files\Common Files\aolshare 2007-10-31 17:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads 2007-10-31 17:15 --------- d-----w C:\Program Files\America Online 9.0 2007-10-31 03:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat 2007-10-31 03:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf 2007-10-22 00:01 --------- d-----w C:\Program Files\QuickTime 2007-10-19 02:04 --------- d-----w C:\Program Files\iTunes 2007-10-13 04:03 --------- d-----w C:\Documents and Settings\Robert\Application Data\Lavasoft 2007-10-09 01:30 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF 2007-10-09 01:30 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS 2007-10-09 01:30 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT 2007-10-09 01:30 --------- d-----w C:\Program Files\Symantec 2007-09-29 19:46 --------- d-----w C:\Documents and Settings\Nikki\Application Data\Viewpoint 2007-09-26 22:04 --------- d-----w C:\Documents and Settings\Robert\Application Data\Viewpoint 2007-09-26 22:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint 2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat 2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat 2007-09-18 21:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat 2007-09-18 21:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf 2007-09-18 21:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf 2007-09-18 21:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf 2007-09-18 21:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys 2007-09-18 21:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys 2007-09-18 21:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys 2006-02-03 07:55 1,321,140 ----a-w C:\Program Files\iScrobblerWin_1_1_0.exe 2005-06-08 19:27:08 900 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys . ((((((((((((((((((((((((((((( snapshot@2007-11-13_11.44.27.23 ))))))))))))))))))))))))))))))))))))))))) . + 2007-07-31 03:19:10 271,224 ------w C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\mucltui.dll - 2006-12-19 21:52:18 8,453,632 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll + 2007-10-26 03:36:51 8,454,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll - 2007-09-28 05:19:39 18,089,592 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe + 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\SYSTEM32\MRT.exe + 2007-07-31 03:18:34 207,736 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll - 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\SYSTEM32\shell32.dll + 2007-10-26 03:36:51 8,454,656 ----a-w C:\WINDOWS\SYSTEM32\shell32.dll - 2007-08-21 10:20:02 115,712 ----a-w C:\WINDOWS\SYSTEM32\xpsp3res.dll + 2007-10-29 10:26:53 115,712 ----a-w C:\WINDOWS\SYSTEM32\xpsp3res.dll . ((((((((((((((((((((((((((((((((((((((((((((( AWF )))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ----a-w 50,736 2006-09-26 00:52:48 C:\Program Files\Common Files\AOL\1189379618\ee\bak\AOLSoftware.exe ----a-w 50,736 2006-09-26 00:52:48 C:\Program Files\Common Files\AOL\1189379618\ee\AOLSoftware.exe ----a-w 180,269 2005-12-24 08:43:19 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe ----a-w 110,592 2003-08-19 06:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe ----a-w 53,248 2004-04-11 16:43:44 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe ----a-w 290,816 2004-04-12 01:15:14 C:\Program Files\Dell\Media Experience\bak\PCMService.exe ----a-w 221,184 2003-09-04 01:12:44 C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe ----a-w 278,528 2005-10-07 02:03:14 C:\Program Files\iTunes\bak\iTunesHelper.exe ----a-w 32,881 2003-11-19 22:48:14 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe ----a-w 1,694,208 2004-10-13 16:24:37 C:\Program Files\Messenger\bak\msmsgs.exe ----a-w 11,776 2005-03-12 14:25:00 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mimboot.exe ----a-w 110,592 2005-03-12 14:25:00 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe ----a-w 155,648 2005-11-07 00:15:44 C:\Program Files\QuickTime\bak\qttask.exe ----a-w 118,784 2004-02-10 16:51:30 C:\WINDOWS\SYSTEM32\bak\hkcmd.exe ----a-w 155,648 2004-02-10 16:55:32 C:\WINDOWS\SYSTEM32\bak\igfxtray.exe ----a-w 122,933 2004-03-15 06:04:00 C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2BC9A29-89CF-424B-9B3D-B4C0686B3CD0}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [2005-11-06 16:15] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59] "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 17:22] "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30] "HostManager"="C:\Program Files\Common Files\AOL\1189379618\ee\AOLSoftware.exe" [2006-09-25 16:52] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20] "SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 00:17:18] hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 00:06:58] S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys Newly Created Service - COMHOST . Contents of the 'Scheduled Tasks' folder "2007-11-17 06:51:10 C:\WINDOWS\Tasks\Disk Cleanup.job" - C:\WINDOWS\SYSTEM32\CLEANMGR.EXE "2005-04-17 06:44:05 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1098138235.job" "2007-11-17 05:07:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Nikki.job" - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe . ************************************************************************ catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-17 14:43:53 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . Completion time: 2007-11-17 14:48:13 - machine was rebooted C:\ComboFix2.txt ... 2007-11-13 11:48 . --- E O F --- Fresh Hijack log:** Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2:52:42 PM, on 11/17/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\Explorer.EXE C:\Program Files\QuickTime\bak\qttask.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Common Files\AOL\1189379618\ee\AOLSoftware.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: (no name) - {A2BC9A29-89CF-424B-9B3D-B4C0686B3CD0} - (no file) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe" O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1189379618\ee\AOLSoftware.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: hpoddt01.exe.lnk = ? O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing) O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU) O15 - Trusted Zone: *.doginhispen.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195189485953 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- End of file - 8165 bytes

lusitano View Member Profile	Nov 20 2007, 09:49 AM Post #7
Portuguese Malware Fighter Group: HJT Team Posts: 1,443 Joined: 5-April 07 From: Portugal Member No.: 122,277	Hello, QUOTE Hello, I was beginning to think you had forgotten about me. NO!!! Sorry for the delay and thanks for your patience QUOTE Thank you so much for helping me. I really appreciate it! You are very wellcome! You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. 1. Right click Here and select Save As to download WinHelp2002's DelDomains.inf. Please save the file somewhere you can find it like on the desktop. To run the inf file, right click on it and select Install. 2. Next, please reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, a menu with options should appear; Select the first option, to run Windows in Safe Mode, then press "Enter". Choose your usual account. 3. Please set your system to show all files. Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders. Uncheck: Hide file extensions for known file types Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK. 4. Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these FOLDER, "if present": C:\Program Files\Common Files\AOL\1189379618\ee\bak <- this FOLDER 5. Go to My Computer and browse to the following folder: C:\Program Files\Common Files\Real\Update_OB\bak Inside the BAK folder are files named realsched.exe Right click it with your mouse and choose Cut The go back to the main folder, C:\Program Files\Common Files\Real\Update_OB\ Click the background with your mouse, choose Paste Now you should have the realsched.exe file in the C:\Program Files\Common Files\Real\Update_OB\ folder Now go ahead and delete the BAK folder The same thing for other files: C:\Program Files\Common Files\Sonic\Update Manager\bak Inside the BAK folder are files named sgtray.exe Right click it with your mouse and choose Cut The go back to the main folder, C:\Program Files\Common Files\Sonic\Update Manager\ Click the background with your mouse, choose Paste Now you should have the sgtray.exe file in the C:\Program Files\Common Files\Sonic\Update Manager\ folder Now go ahead and delete the BAK folder C:\Program Files\CyberLink\PowerDVD\bak Inside the BAK folder are files named DVDLauncher.exe Right click it with your mouse and choose Cut The go back to the main folder, C:\Program Files\CyberLink\PowerDVD\ Click the background with your mouse, choose Paste Now you should have the DVDLauncher.exe file in the C:\Program Files\CyberLink\PowerDVD\ Now go ahead and delete the BAK folder C:\Program Files\Dell\Media Experience\bak Inside the BAK folder are files named PCMService.exe Right click it with your mouse and choose Cut The go back to the main folder, C:\Program Files\Dell\Media Experience\ Click the background with your mouse, choose Paste Now you should have the PCMService.exe file in the C:\Program Files\Dell\Media Experience\ folder Now go ahead and delete the BAK folder C:\Program Files\Intel\Modem Event Monitor\bak Inside the BAK folder are files named IntelMEM.exe Right click it with your mouse and choose Cut The go back to the main folder, C:\Program Files\Intel\Modem Event Monitor\ Click the background with your mouse, choose Paste Now you should have the IntelMEM.exe file in the C:\Program Files\Intel\Modem Event Monitor\ folder Now go ahead and delete the BAK folder C:\Program Files\iTunes\bak Inside the BAK folder are files named iTunesHelper.exe Right click it with your mouse and choose Cut The go back to the main folder, C:\Program Files\iTunes\ Click the background with your mouse, choose Paste Now you should have the iTunesHelper.exe file in the C:\Program Files\iTunes\ folder Now go ahead and delete the BAK folder C:\Program Files\Java\j2re1.4.2_03\bin\bak Inside the BAK folder are files named jusched.exe Right click it with your mouse and choose Cut The go back to the main folder, C:\Program Files\Java\j2re1.4.2_03\bin\ Click the background with your mouse, choose Paste Now you should have the jusched.exe file in the C:\Program Files\Java\j2re1.4.2_03\bin\ folder Now go ahead and delete the BAK folder C:\Program Files\Messenger\bak Inside the BAK folder are files named msmsgs.exe Right click it with your mouse and choose Cut The go back to the main folder, C:\Program Files\Messenger\ Click the background with your mouse, choose Paste Now you should have the msmsgs.exe file in the C:\Program Files\Messenger\ folder Now go ahead and delete the BAK folder C:\Program Files\QuickTime\bak Inside the BAK folder are files named qttask.exe Right click it with your mouse and choose Cut The go back to the main folder, C:\Program Files\QuickTime\ Click the background with your mouse, choose Paste Now you should have the qttask.exe file in the C:\Program Files\QuickTime\ folder Now go ahead and delete the BAK folder C:\WINDOWS\SYSTEM32\dla\bak Inside the BAK folder are files named tfswctrl.exe Right click it with your mouse and choose Cut The go back to the main folder, C:\WINDOWS\SYSTEM32\dla\ Click the background with your mouse, choose Paste Now you should have the tfswctrl.exe file in the C:\WINDOWS\SYSTEM32\dla\ folder Now go ahead and delete the BAK folder This step, its gone be a little diferent, because you have to move 2 files, before delete the bak folder: C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak Inside the BAK folder are files named mimboot.exe Right click it with your mouse and choose Cut The go back to the main folder, C:\Program Files\MUSICMATCH\Musicmatch Jukebox\ Click the background with your mouse, choose Paste Now REPEAT for this file "mm_tray.exe" (follow the steps bellow) C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak Inside the BAK folder are files named mm_tray.exe Right click it with your mouse and choose Cut The go back to the main folder, C:\Program Files\MUSICMATCH\Musicmatch Jukebox\ Now you should have the jmimboot.exe and mm_tray.exe files in the C:\Program Files\MUSICMATCH\Musicmatch Jukebox\ folder Now go ahead and delete the BAK folder This step, its gone be a little diferent, because you have to move 2 files, before delete the bak folder: C:\WINDOWS\SYSTEM32\bak Inside the BAK folder are files named hkcmd.exe Right click it with your mouse and choose Cut The go back to the main folder, C:\WINDOWS\SYSTEM32\ Click the background with your mouse, choose Paste Now REPEAT for this file "igfxtray.exe" (follow the steps bellow) C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak Inside the BAK folder are files named igfxtray.exe Right click it with your mouse and choose Cut The go back to the main folder, C:\WINDOWS\SYSTEM32\ Now you should have the hkcmd.exe and igfxtray.exe files in the C:\WINDOWS\SYSTEM32\ folder Now go ahead and delete the BAK folder 6. Reboot normaly,run FindAWF again and post the log, along with a new HijackThis log. -------------------- Please do not PM me asking for support. Please be courteous, polite, and say thank you. Please post the final results, good or bad. We like to know!

MonicaNicole View Member Profile	Nov 20 2007, 11:22 PM Post #8
New Member Group: Members Posts: 14 Joined: 13-November 07 From: Southern California Member No.: 169,336	Ok, everything went well. Followed everything like you said here are the logs. Oh, on the Find AWF program you didn't say which option to pick when it first loads, so I followed your instructions from last time. I chose the first one....I hope that's the one I was supposed to pick. Anyway, here are the logs. Find AwF Find AWF report by noahdfear ©2006 Version 1.40 The current date is: Tue 11/20/2007 The current time is: 20:11:34.92 bak folders found ~~~~~~~~~~~ Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK 0 File(s) 0 bytes Directory of C:\PROGRA~1\COMMON~1\AOL\118937~1\EE\BAK 09/25/2006 04:52 PM 50,736 AOLSoftware.exe 1 File(s) 50,736 bytes Duplicate files of bak directory contents ~~~~~~~~~~~~~~~~~~~~~~~ 50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1189379618\ee\AOLSoftware.exe" 50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1189379618\ee\bak\AOLSoftware.exe" end of report Hijack This Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:14:42 PM, on 11/20/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe C:\Program Files\Common Files\AOL\1189379618\ee\AOLSoftware.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll O2 - BHO: (no name) - {211FDA94-E4E7-4BDA-BBE3-0DB7757CDDB5} - (no file) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: (no name) - {789C867A-F968-4826-A13F-A748A8D495F2} - (no file) O2 - BHO: (no name) - {99611D24-B521-4F62-B2CA-664521665E74} - (no file) O2 - BHO: (no name) - {A2BC9A29-89CF-424B-9B3D-B4C0686B3CD0} - (no file) O2 - BHO: (no name) - {A7460C74-475F-483E-8ECB-265D20950878} - (no file) O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file) O2 - BHO: (no name) - {fb6a4f5b-afb2-4350-ba3f-32a6f7291796} - (no file) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file) O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe" O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1189379618\ee\AOLSoftware.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: hpoddt01.exe.lnk = ? O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing) O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195189485953 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O20 - Winlogon Notify: dpcrkqhi - C:\WINDOWS\ O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- End of file - 9150 bytes

lusitano View Member Profile	Nov 21 2007, 01:37 PM Post #9
Portuguese Malware Fighter Group: HJT Team Posts: 1,443 Joined: 5-April 07 From: Portugal Member No.: 122,277	Hello, 1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below,"if still present": O2 - BHO: (no name) - {211FDA94-E4E7-4BDA-BBE3-0DB7757CDDB5} - (no file) O2 - BHO: (no name) - {789C867A-F968-4826-A13F-A748A8D495F2} - (no file) O2 - BHO: (no name) - {99611D24-B521-4F62-B2CA-664521665E74} - (no file) O2 - BHO: (no name) - {A2BC9A29-89CF-424B-9B3D-B4C0686B3CD0} - (no file) O2 - BHO: (no name) - {A7460C74-475F-483E-8ECB-265D20950878} - (no file) O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file) O2 - BHO: (no name) - {fb6a4f5b-afb2-4350-ba3f-32a6f7291796} - (no file) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file) O20 - Winlogon Notify: dpcrkqhi - C:\WINDOWS\ Click on button. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis. 2. Copy the paths in quote below to the clipboard, highlight all of them right-click and choose copy, or highlight them and press Ctrl+C: QUOTE C:\PROGRA~1\COMMON~1\SYMANT~1\BAK C:\PROGRA~1\COMMON~1\AOL\118937~1\EE\BAK Double-click on the FindAWF.exe file to run it. It will open a command prompt and ask you to "Press any key to continue". You will be presented with a Menu. Type 3, then press Enter. Press any key to continue. A Notepad document folders.txt will appear with instructions to click below the line and paste the list of folders to be removed. Right click below the line and paste the list of paths that were copied to the clipboard (Ctrl+V). Close Notepad and you will receive prompt to save the changes, click Yes. The program will proceed with working. It may take a few minutes to complete so be patient. When the scan is finished, it will open a text file in notepad called AWF.txt. Return to this thread and copy and paste the contents of the AWF.txt file in your next reply, along with a new HijackThis log. -------------------- Please do not PM me asking for support. Please be courteous, polite, and say thank you. Please post the final results, good or bad. We like to know!

MonicaNicole View Member Profile	Nov 22 2007, 12:58 AM Post #10
New Member Group: Members Posts: 14 Joined: 13-November 07 From: Southern California Member No.: 169,336	Hello, I fixed all the checked files, all of them were still present. Here are the logs. AWF Find AWF report by noahdfear ©2006 Version 1.40 Option 3 run successfully The current date is: Wed 11/21/2007 The current time is: 21:54:15.53 bak folders found ~~~~~~~~~~~ Duplicate files of bak directory contents ~~~~~~~~~~~~~~~~~~~~~~~ end of report HijackThis Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:58:17 PM, on 11/21/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sygate\SPF\smc.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Common Files\AOL\1189379618\ee\AOLSoftware.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe C:\WINDOWS\system32\WISPTIS.EXE C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe" O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1189379618\ee\AOLSoftware.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: hpoddt01.exe.lnk = ? O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing) O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195189485953 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- End of file - 8765 bytes

lusitano View Member Profile	Nov 23 2007, 11:28 AM Post #11
Portuguese Malware Fighter Group: HJT Team Posts: 1,443 Joined: 5-April 07 From: Portugal Member No.: 122,277	Hello MonicaNicole, Much better, we are close to the end, good job. 1.Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below,"if still present": O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime Click on button. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis. 2. Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox browser Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu. 3. Please do an online scan with Kaspersky WebScanner Click on Kaspersky Online Scanner You will be promted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files: Once the files have been downloaded click on NEXT Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: Extended (if available otherwise Standard) Scan Options: Scan Archives Scan Mail Bases Click OK Now under select a target to scan: Select My Computer This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button: Save the file to your desktop. Copy and paste that information in your next post, along whit a new HijackThis log. Also let me know how i your computer its running. Regards -------------------- Please do not PM me asking for support. Please be courteous, polite, and say thank you. Please post the final results, good or bad. We like to know!

MonicaNicole View Member Profile	Nov 24 2007, 02:05 AM Post #12
New Member Group: Members Posts: 14 Joined: 13-November 07 From: Southern California Member No.: 169,336	Hi, well the computer has been running fine. I still have no pop up's or anything else that would make me think that my computer is infected. It does seem a bit sluggish from time to time, not sure if that has to do with the infection. My Norton Virus did scan today and it said it had found 4 infected files...all were Trojan.Vundo...it did say it fixed them, but I don't know if it got rid of them. The Kaspersky found some viruses and infections. When is this all going to end?? I'm so tired of this. Here are the logs from today. Kaspersky ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Friday, November 23, 2007 10:07:44 PM Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.98.0 Kaspersky Anti-Virus database last update: 24/11/2007 Kaspersky Anti-Virus database records: 464779 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ Scan Statistics: Total number of scanned objects: 82424 Number of viruses found: 4 Number of infected objects: 11 Number of suspicious objects: 0 Duration of the scan process: 02:05:17 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\idb\DeFtOnEsGuRlLiE\mydb.idx Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\idb\DeFtOnEsGuRlLiE\style.lst Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\idb\DeFtOnEsGuRlLiE\toolbar.lst Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\idb\SNMaster.idx Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\organize\CACHE\deftonesgurll02 Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\organize\deftonesgurllie Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\organize\deftonesgurllie.abi Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\C_AOL 9.0\organize\deftonesgurllie.aby Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\aolstderr.txt Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\aolstdout.txt Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\cache.db Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\ncoc Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\3.0\server.lock Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0d2241caf3d735c0cf2074d00b031241_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-11092007-151732.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\457D161B.TMP Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\Nikki\Application Data\AOL\C_AOL 9.0\IDB\Apps.Lst Object is locked skipped C:\Documents and Settings\Nikki\Application Data\AOL\C_AOL 9.0\IDB\art.idx Object is locked skipped C:\Documents and Settings\Nikki\Application Data\AOL\C_AOL 9.0\IDB\sap.dat Object is locked skipped C:\Documents and Settings\Nikki\Application Data\AOL\C_AOL 9.0\IDB\spool.lst Object is locked skipped C:\Documents and Settings\Nikki\Application Data\AOL\C_AOL 9.0\IDB\sysnews.lst Object is locked skipped C:\Documents and Settings\Nikki\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Nikki\Desktop\[4]-Submit_2007-11-17@14.36.zip/atrtjnhv.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped C:\Documents and Settings\Nikki\Desktop\[4]-Submit_2007-11-17@14.36.zip ZIP: infected - 1 skipped C:\Documents and Settings\Nikki\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped C:\Documents and Settings\Nikki\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Nikki\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Nikki\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped C:\Documents and Settings\Nikki\Local Settings\History\History.IE5\MSHist012007112320071124\index.dat Object is locked skipped C:\Documents and Settings\Nikki\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Nikki\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Nikki\ntuser.dat.LOG Object is locked skipped C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped C:\Program Files\Sygate\SPF\debug.log Object is locked skipped C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP923\A0112262.exe Infected: Trojan.Win32.Obfuscated.kp skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP923\A0113307.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aju skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP923\A0113308.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP924\A0113454.exe Infected: Trojan.Win32.Obfuscated.kp skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP928\A0114642.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aju skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP929\A0116662.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP931\A0116721.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP936\A0120210.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP936\A0120218.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP946\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\EventCache\{61B802C4-AD74-4EF2-B838-C99A2EEA15B9}.bin Object is locked skipped C:\WINDOWS\SoftwareDistribution\EventCache\{B53652BB-563F-46DB-8E4C-3A3C5D9C260D}.bin Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\SYSTEM32\CatRoot2\edbtmp.log Object is locked skipped C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\WIADEBUG.LOG Object is locked skipped C:\WINDOWS\WIASERVC.LOG Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed. HijackThis: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:00:58 PM, on 11/23/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sygate\SPF\smc.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Common Files\AOL\1189379618\ee\AOLSoftware.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\internet explorer\iexplore.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\AOL 9.0\waol.exe C:\Program Files\AOL 9.0\shellmon.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe" O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1189379618\ee\AOLSoftware.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: hpoddt01.exe.lnk = ? O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing) O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU) O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195189485953 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe -- End of file - 8883 bytes

lusitano View Member Profile	Nov 28 2007, 04:52 AM Post #13
Portuguese Malware Fighter Group: HJT Team Posts: 1,443 Joined: 5-April 07 From: Portugal Member No.: 122,277	Good job, yours logs are clean Time for some housekeeping Click START then RUN Now type Combofix /u in the runbox and click OK When shown the disclaimer, Select "2" The above procedure will: Delete the following: ComboFix and its associated files and folders. VundoFix backups, if present The C:\Deckard folder, if present The C:_OtMoveIt folder, if present Reset the clock settings. Hide file extensions, if required. Hide System/Hidden files, if required. Reset System Restore. Now that you are clean, please follow these simple steps in order to keep your computer clean and secure: Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point. You can find instructions on how to enable and reenable system restore here: Windows XP System Restore Guide Reenable system restore with instructions from tutorial above Make your Internet Explorer more secure - This can be done by following these simple instructions: From within Internet Explorer click on the Tools menu and then click on Options. Click once on the Security tab Click once on the Internet icon so it becomes highlighted. Click once on the Custom Level button. Change the Download signed ActiveX controls to Prompt Change the Download unsigned ActiveX controls to Disable Change the Initialize and script ActiveX controls not marked as safe to Disable Change the Installation of desktop items to Prompt Change the Launching programs and files in an IFRAME to Prompt Change the Navigate sub-frames across different domains to Prompt When all these settings have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button. Next press the Apply button and then the OK to exit the Internet Properties page. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & their stand-alone antivirus programs: Virus, Spyware, and Malware Protection and Removal Resources Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly. For a tutorial on Firewalls and a listing of some available ones see the link below: Understanding and Using Firewalls Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here: Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here: Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial on installing & using this product can be found here: Using SpywareBlaster to protect your computer from Spyware and Malware Read the TonyKlein's good advice: So how did I get infected in the first place? Also visit the Secunia Software Inspector Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically. here are some additional utilities that will enhance your safety IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer Google Toolbar <= Get the free google toolbar to help stop pop up windows. Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here: Using Winpatrol to protect your computer from malicious software -------------------- Please do not PM me asking for support. Please be courteous, polite, and say thank you. Please post the final results, good or bad. We like to know!

MonicaNicole View Member Profile	Nov 29 2007, 11:58 PM Post #14
New Member Group: Members Posts: 14 Joined: 13-November 07 From: Southern California Member No.: 169,336	Thank you sooooo much for helping me! I can't tell you how much I appreciate it. The computer is running perfectly thanks to you. Monica

SNOWHITE View Member Profile	Nov 30 2007, 05:18 AM Post #15
missy malware magnet Group: HJT Team Posts: 2,676 Joined: 13-October 06 From: Bitola, Macedonia Member No.: 89,940	As the problem here seems to be resolved this topic is now closed. To get it reopened PM a staff member with the address of this thread. This applies to the topic starter only, everyone else with similar problems start a new topic. Glad we could help -------------------- SNOWHITE

« Next Oldest · HijackThis Logs and Virus/Trojan/Spyware/Malware Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 9th February 2010 - 11:32 AM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides