Firefox And Ie Acting Weird


  • This topic is locked
22 replies to this topic

#1 Danish989

  • Members
  • 14 posts

Posted 19 October 2007 - 09:10 AM

Ok, my first problem is that for a few days Internet Explorer has just been crashing when I run it. It doesn't completely crash, but goes into this crashed state and starts working only after a few minutes.

My next problem was that I was getting CiD popups in Mozilla Firefox, and whenever I tried checking my email at Hotmail, Firefox would redirect me to www.sponsorenet.com.

I updated Spybot S&D and Ad-Aware as well as SpywareBlaster and did a scan in safe mode. Spybot found CiD and other problems, and I fixed them, and CiD seems to be gone ... but Internet Explorer still crashes and fails to run as it should.

Furthermore, after doing the scans in safe mode, I saved a HijackThis log as a precautionary measure.
Here it is:

----------- Hijack This Log In Safe Mode --------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:45 PM, on 10/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://winamp.com/support/help/50/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.saudi.net.sa:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O1 - Hosts: 208.109.221.107 leader.linkexchange.com
O1 - Hosts: 208.109.221.107 c5.zedo.com
O1 - Hosts: 208.109.221.107 as.casalemedia.com
O1 - Hosts: 208.109.221.107 pn1.adserver.yahoo.com #ebay
O1 - Hosts: 208.109.221.107 dewb.opt.fimserve.com
O1 - Hosts: 208.109.221.107 desk.opt.fimserve.com
O1 - Hosts: 208.109.221.107 dehp.opt.fimserve.com
O1 - Hosts: 208.109.221.107 adserving.cpxinteractive.com
O1 - Hosts: 208.109.221.107 ad.doubleclick.net
O1 - Hosts: 208.109.221.107 altfarm.mediaplex.com # download.com
O1 - Hosts: 208.109.221.107 ad.n2434.doubleclick.net # download.com
O1 - Hosts: 208.109.221.107 mads.download.com # download.com
O1 - Hosts: 208.109.221.107 mads.cnet.com # download.com
O1 - Hosts: 208.109.221.107 mads.com.com
O1 - Hosts: 38.113.170.200 ads1.msn.com
O1 - Hosts: 38.113.170.200 ads.sup.com
O1 - Hosts: 208.109.221.107 delb.opt.fimserve.com
O1 - Hosts: 38.113.174.32 dehp.myspace.com
O1 - Hosts: 38.113.174.32 demr.myspace.com
O1 - Hosts: 38.113.174.32 desk.myspace.com
O1 - Hosts: 38.113.174.32 delb.myspace.com
O1 - Hosts: 38.113.174.32 delb2.myspace.com
O1 - Hosts: 38.113.174.32 debr.myspace.com
O1 - Hosts: 38.113.174.32 view.atdmt.com
O1 - Hosts: 38.113.170.200 rad.msn.com
O1 - Hosts: 38.113.170.200 themis.geocities.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [V0220Mon.exe] C:\WINDOWS\V0220Mon.exe
O4 - HKLM\..\Run: [DRam prosessor] plscd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe"
O4 - HKLM\..\Run: [DaemonTools_WhenUSave_Installer] C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [stupid creative poll axis] C:\Documents and Settings\All Users\Application Data\Memo save stupid creative\Vga Browse.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Trayhold] C:\DOCUME~1\XPPRESP3\APPLIC~1\BALLCA~1\Kind link size.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109w.bay109.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{761C38E1-8A6D-4964-B5A9-2E9788C2B241}: NameServer = 213.166.129.3,213.166.129.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{761C38E1-8A6D-4964-B5A9-2E9788C2B241}: NameServer = 213.166.129.3,213.166.129.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{761C38E1-8A6D-4964-B5A9-2E9788C2B241}: NameServer = 213.166.129.3,213.166.129.4
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 9970 bytes

----------------------


Here's a HijackThis log after I rebooted my computer:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:43 AM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\sw20.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\winamp toolbar\WinampTbServer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
c:\program files\winamp toolbar\WinampTbServer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://winamp.com/support/help/50/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.saudi.net.sa:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O1 - Hosts: 208.109.221.107 leader.linkexchange.com
O1 - Hosts: 208.109.221.107 c5.zedo.com
O1 - Hosts: 208.109.221.107 as.casalemedia.com
O1 - Hosts: 208.109.221.107 pn1.adserver.yahoo.com #ebay
O1 - Hosts: 208.109.221.107 dewb.opt.fimserve.com
O1 - Hosts: 208.109.221.107 desk.opt.fimserve.com
O1 - Hosts: 208.109.221.107 dehp.opt.fimserve.com
O1 - Hosts: 208.109.221.107 adserving.cpxinteractive.com
O1 - Hosts: 208.109.221.107 ad.doubleclick.net
O1 - Hosts: 208.109.221.107 altfarm.mediaplex.com # download.com
O1 - Hosts: 208.109.221.107 ad.n2434.doubleclick.net # download.com
O1 - Hosts: 208.109.221.107 mads.download.com # download.com
O1 - Hosts: 208.109.221.107 mads.cnet.com # download.com
O1 - Hosts: 208.109.221.107 mads.com.com
O1 - Hosts: 38.113.170.200 ads1.msn.com
O1 - Hosts: 38.113.170.200 ads.sup.com
O1 - Hosts: 208.109.221.107 delb.opt.fimserve.com
O1 - Hosts: 38.113.174.32 dehp.myspace.com
O1 - Hosts: 38.113.174.32 demr.myspace.com
O1 - Hosts: 38.113.174.32 desk.myspace.com
O1 - Hosts: 38.113.174.32 delb.myspace.com
O1 - Hosts: 38.113.174.32 delb2.myspace.com
O1 - Hosts: 38.113.174.32 debr.myspace.com
O1 - Hosts: 38.113.174.32 view.atdmt.com
O1 - Hosts: 38.113.170.200 rad.msn.com
O1 - Hosts: 38.113.170.200 themis.geocities.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [V0220Mon.exe] C:\WINDOWS\V0220Mon.exe
O4 - HKLM\..\Run: [DRam prosessor] plscd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe"
O4 - HKLM\..\Run: [DaemonTools_WhenUSave_Installer] C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [stupid creative poll axis] C:\Documents and Settings\All Users\Application Data\Memo save stupid creative\Vga Browse.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Trayhold] C:\DOCUME~1\XPPRESP3\APPLIC~1\BALLCA~1\Kind link size.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109w.bay109.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{761C38E1-8A6D-4964-B5A9-2E9788C2B241}: NameServer = 213.166.129.3,213.166.129.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{761C38E1-8A6D-4964-B5A9-2E9788C2B241}: NameServer = 213.166.129.3,213.166.129.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{761C38E1-8A6D-4964-B5A9-2E9788C2B241}: NameServer = 213.166.129.3,213.166.129.4
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 11456 bytes

---------------------------------------

Also, I can't see as many icons in the taskbar as I used to any more (there used to be a lot), including the volume control. It just doesn't show up when my computer starts ...

And I still can't check my mail via Firefox; it's still redirecting to sponsorenet.com ...

Please help me get rid of all the problems you can find through the HijackThis log and tell me how to make Internet Explorer work again ...

PS: I think MSN Messenger has something to do with the Internet Explorer problem, because I noticed a weird process running via Task Manager when Internet Explorer started acting weird, and I did a Google search and people had pinpointed it to MSN Messenger. I don't remember the process name, and it doesn't run anymore. Also, the ads at the bottom of MSN Messenger don't show up anymore and another process called livecall.exe is running, but I don't know what that is ...

#2 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 20 October 2007 - 05:50 PM

Hello Danish989,

Any idea where you got whataboutadog and doginhispen from?


Whether or not it's helpful, we're interested in knowing where it came from so that we can get it ourselves. We need to further analyze this infection. We've had reports of users becoming infected while looking for Vanessa Anne Hudgens pics.


Download FindAWF:
http://noahdfear.net/downloads/FindAWF.exe
Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, the Find AWF report, is produced that we need to look at.
Please post it in your reply.

Edited by SifuMike, 20 October 2007 - 06:31 PM.


#3 Danish989

  • Topic Starter
  • Members
  • 14 posts

Posted 21 October 2007 - 10:21 AM

Hi, and thanks for the quick reply :thumbsup:


I have no idea where I got doginhispen or that other thingy from, and I don't even know who Vanessa Anne Hudgens is. Sorry.

Here's the AWF Log:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sun 10/21/2007
The current time is: 18:07:08.09


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

06/29/2006 01:01 AM 32,768 V0220Mon.exe
1 File(s) 32,768 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

07/09/2001 10:50 AM 155,648 NeroCheck.exe
06/29/2005 11:08 AM 212,992 sw20.exe
07/04/2005 07:29 AM 69,632 sw24.exe
3 File(s) 438,272 bytes

Directory of C:\PROGRA~1\TASKSW~1\BAK

07/27/2005 09:00 PM 61,952 TaskSwitchXP.exe
1 File(s) 61,952 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ARES\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SPYBOT~1\BAK

05/31/2005 01:04 AM 1,415,824 TeaTimer.exe
1 File(s) 1,415,824 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

12/19/2006 07:44 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\LIVEUP~1\BAK

12/13/2003 07:17 PM 61,440 LiveUpdate.exe
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\DAEMON~1\BAK

11/12/2006 01:48 PM 157,592 daemon.exe
1 File(s) 157,592 bytes

Directory of C:\PROGRA~1\DAEMON~2\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\BAK

06/18/2007 01:01 AM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\KSE\NHANCE~1\BAK

04/22/2007 03:43 PM 1,110,016 nHancer.exe
1 File(s) 1,110,016 bytes

Directory of C:\PROGRA~1\HEWLET~1\ORDERR~1\BAK

01/30/2006 07:00 PM 98,304 OrderReminder.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\NOKIA\NOKIAP~1\BAK

06/15/2006 12:36 PM 229,376 LAUNCH~1.EXE
06/27/2006 04:21 PM 1,449,984 PcSync2.exe
2 File(s) 1,679,360 bytes

Directory of C:\PROGRA~1\ENDTASK\ENDTAS~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

11/30/2006 09:38 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\CREATIVE\CREATI~1\VIDEOFX\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

06/21/2002 12:01 PM 188,416 hpztsb05.exe
1 File(s) 188,416 bytes

Directory of H:\HALFLI~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

28172 Oct 3 2007 "C:\WINDOWS\V0220Mon.exe"
32768 Jun 29 2006 "C:\WINDOWS\bak\V0220Mon.exe"
32768 Jun 29 2006 "C:\Live! Cam\Live! Cam Video IM\V0220Mon.exe"
32768 Jun 29 2006 "C:\WINDOWS\CtDrvInstall\{76303232-30646576-0000000000000000}\V0220Mon.exe"
28172 Oct 3 2007 "C:\WINDOWS\system32\sw20.exe"
212992 Jun 29 2005 "C:\WINDOWS\system32\bak\sw20.exe"
28172 Oct 3 2007 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
28172 Oct 3 2007 "C:\WINDOWS\system32\sw24.exe"
69632 Jul 4 2005 "C:\WINDOWS\system32\bak\sw24.exe"
28172 Oct 3 2007 "C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe"
61952 Jul 27 2005 "C:\Program Files\TaskSwitchXP\bak\TaskSwitchXP.exe"
28172 Oct 3 2007 "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
1415824 May 31 2005 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
28172 Oct 3 2007 "C:\Program Files\QuickTime\qttask.exe"
282624 Dec 19 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
28172 Oct 3 2007 "C:\Program Files\LIVEUPDATE\LiveUpdate.exe"
61440 Dec 13 2003 "C:\Program Files\LIVEUPDATE\bak\LiveUpdate.exe"
28172 Oct 3 2007 "C:\Program Files\DAEMON Tools\daemon.exe"
157592 Nov 12 2006 "C:\Program Files\DAEMON Tools\bak\daemon.exe"
52272 Feb 15 2007 "C:\Program Files\Google\googletoolbar3user.exe"
26694 Oct 2 2007 "C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe"
4927488 Jul 11 2006 "C:\Program Files\Google\Google Video Player\GoogleVideoPlayer.exe"
28172 Oct 3 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
69632 Sep 12 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
68856 Jun 18 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
138168 Feb 15 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
1606064 Jan 18 2007 "D:\googletalk-setup.exe"
13736064 Aug 1 2006 "E:\Setup Files\GoogleEarthWin.exe"
540320 Apr 25 2005 "E:\Setup Files\GooGLe TooLBaR\GoogleToolbarInstaller.exe"
13411824 Oct 2 2007 "H:\Google_Earth_BZXD.exe"
28172 Oct 3 2007 "C:\Program Files\KSE\nHancer 32bit\nHancer.exe"
1110016 Apr 22 2007 "C:\Program Files\KSE\nHancer 32bit\bak\nHancer.exe"
28172 Oct 3 2007 "C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe"
98304 Jan 30 2006 "C:\Program Files\Hewlett-Packard\OrderReminder\bak\OrderReminder.exe"
28172 Oct 3 2007 "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe"
1449984 Jun 27 2006 "C:\Program Files\Nokia\Nokia PC Suite 6\bak\PcSync2.exe"
28172 Oct 3 2007 "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe"
229376 Jun 15 2006 "C:\Program Files\Nokia\Nokia PC Suite 6\bak\LAUNCH~1.EXE"
28172 Oct 3 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Nov 30 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
28172 Oct 3 2007 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe"
188416 Jun 21 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb05.exe"


end of report
---------------------

#4 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 21 October 2007 - 12:24 PM

Hi Danish989,

Please double-click the FindAWF icon once again.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


"C:\WINDOWS\bak\V0220Mon.exe"
"C:\WINDOWS\system32\bak\sw20.exe"
"C:\WINDOWS\system32\bak\NeroCheck.exe"
"C:\WINDOWS\system32\bak\sw24.exe"
"C:\Program Files\TaskSwitchXP\bak\TaskSwitchXP.exe"
"C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\LIVEUPDATE\bak\LiveUpdate.exe"
"C:\Program Files\KSE\nHancer 32bit\bak\nHancer.exe"
"C:\Program Files\Hewlett-Packard\OrderReminder\bak\OrderReminder.exe"
"C:\Program Files\Nokia\Nokia PC Suite 6\bak\PcSync2.exe"
"C:\Program Files\Nokia\Nokia PC Suite 6\bak\LAUNCH~1.EXE"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb05.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
  • It attempts to terminate the process represented by each filename on the list, if running
  • Deletes the rogue file from the parent folder, if present
  • Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

If I've saved you time & money, please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Danish989

Danish989
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:08:12 AM

Posted 21 October 2007 - 05:39 PM

Just a few minutes ago, my computer suddenly slowed down a lot, and when I ran task manager I saw two processes called "iexplorer" running, even when there were no open Internet Explorer windows. And if you terminate them, they just start running again. I took a screenshot.

I quickly disconnected my computer from the internet and ran FindAWF and did as you said. Here's the log file:


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Mon 10/22/2007
The current time is: 1:17:07.78


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

06/29/2006 01:01 AM 32,768 V0220Mon.exe
1 File(s) 32,768 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

07/09/2001 10:50 AM 155,648 NeroCheck.exe
06/29/2005 11:08 AM 212,992 sw20.exe
07/04/2005 07:29 AM 69,632 sw24.exe
3 File(s) 438,272 bytes

Directory of C:\PROGRA~1\TASKSW~1\BAK

07/27/2005 09:00 PM 61,952 TaskSwitchXP.exe
1 File(s) 61,952 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ARES\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SPYBOT~1\BAK

05/31/2005 01:04 AM 1,415,824 TeaTimer.exe
1 File(s) 1,415,824 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

12/19/2006 07:44 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\LIVEUP~1\BAK

12/13/2003 07:17 PM 61,440 LiveUpdate.exe
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\DAEMON~1\BAK

11/12/2006 01:48 PM 157,592 daemon.exe
1 File(s) 157,592 bytes

Directory of C:\PROGRA~1\DAEMON~2\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\BAK

06/18/2007 01:01 AM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\KSE\NHANCE~1\BAK

04/22/2007 03:43 PM 1,110,016 nHancer.exe
1 File(s) 1,110,016 bytes

Directory of C:\PROGRA~1\HEWLET~1\ORDERR~1\BAK

01/30/2006 07:00 PM 98,304 OrderReminder.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\NOKIA\NOKIAP~1\BAK

06/15/2006 12:36 PM 229,376 LAUNCH~1.EXE
06/27/2006 04:21 PM 1,449,984 PcSync2.exe
2 File(s) 1,679,360 bytes

Directory of C:\PROGRA~1\ENDTASK\ENDTAS~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

11/30/2006 09:38 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\CREATIVE\CREATI~1\VIDEOFX\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

06/21/2002 12:01 PM 188,416 hpztsb05.exe
1 File(s) 188,416 bytes

Directory of H:\HALFLI~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

32768 Jun 29 2006 "C:\WINDOWS\V0220Mon.exe"
32768 Jun 29 2006 "C:\WINDOWS\bak\V0220Mon.exe"
32768 Jun 29 2006 "C:\Live! Cam\Live! Cam Video IM\V0220Mon.exe"
32768 Jun 29 2006 "C:\WINDOWS\CtDrvInstall\{76303232-30646576-0000000000000000}\V0220Mon.exe"
212992 Jun 29 2005 "C:\WINDOWS\system32\sw20.exe"
212992 Jun 29 2005 "C:\WINDOWS\system32\bak\sw20.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
69632 Jul 4 2005 "C:\WINDOWS\system32\sw24.exe"
69632 Jul 4 2005 "C:\WINDOWS\system32\bak\sw24.exe"
61952 Jul 27 2005 "C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe"
61952 Jul 27 2005 "C:\Program Files\TaskSwitchXP\bak\TaskSwitchXP.exe"
1415824 May 31 2005 "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
1415824 May 31 2005 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
282624 Dec 19 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Dec 19 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
61440 Dec 13 2003 "C:\Program Files\LIVEUPDATE\LiveUpdate.exe"
61440 Dec 13 2003 "C:\Program Files\LIVEUPDATE\bak\LiveUpdate.exe"
28172 Oct 3 2007 "C:\Program Files\DAEMON Tools\daemon.exe"
157592 Nov 12 2006 "C:\Program Files\DAEMON Tools\bak\daemon.exe"
52272 Feb 15 2007 "C:\Program Files\Google\googletoolbar3user.exe"
26694 Oct 2 2007 "C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe"
4927488 Jul 11 2006 "C:\Program Files\Google\Google Video Player\GoogleVideoPlayer.exe"
28172 Oct 3 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
69632 Sep 12 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
68856 Jun 18 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
138168 Feb 15 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
1606064 Jan 18 2007 "D:\googletalk-setup.exe"
13736064 Aug 1 2006 "E:\Setup Files\GoogleEarthWin.exe"
540320 Apr 25 2005 "E:\Setup Files\GooGLe TooLBaR\GoogleToolbarInstaller.exe"
13411824 Oct 2 2007 "H:\Google_Earth_BZXD.exe"
1110016 Apr 22 2007 "C:\Program Files\KSE\nHancer 32bit\nHancer.exe"
1110016 Apr 22 2007 "C:\Program Files\KSE\nHancer 32bit\bak\nHancer.exe"
98304 Jan 30 2006 "C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe"
98304 Jan 30 2006 "C:\Program Files\Hewlett-Packard\OrderReminder\bak\OrderReminder.exe"
1449984 Jun 27 2006 "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe"
1449984 Jun 27 2006 "C:\Program Files\Nokia\Nokia PC Suite 6\bak\PcSync2.exe"
229376 Jun 15 2006 "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe"
229376 Jun 15 2006 "C:\Program Files\Nokia\Nokia PC Suite 6\bak\LAUNCH~1.EXE"
180269 Nov 30 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Nov 30 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
188416 Jun 21 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe"
188416 Jun 21 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb05.exe"


end of report
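Added example, not FindAWF's own code and not written by anyone in this thread: a small Python triage script that applies to a FindAWF duplicate listing the rule SifuMike applies by eye above. The copy in a bak folder is the original that was moved aside, so a same-named copy in the parent folder whose size or date differs is the replacement to be cleaned up, and its bak path is what gets pasted into files.txt for option 2. The input is an excerpt of the listing posted above; `parse_listing`, `triage`, `restore_list` and the `Entry` fields are names of my own.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# One FindAWF duplicate-list line looks like:  <size> <Mon> <day> <year> "<path>"
LINE_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3})\s+(\d{1,2})\s+(\d{4})\s+"(.+)"$')

# Excerpt of the "Duplicate files of bak directory contents" section from the
# FindAWF log posted above; the values are copied from the thread, not invented.
SAMPLE_LISTING = r'''
32768 Jun 29 2006 "C:\WINDOWS\V0220Mon.exe"
32768 Jun 29 2006 "C:\WINDOWS\bak\V0220Mon.exe"
32768 Jun 29 2006 "C:\Live! Cam\Live! Cam Video IM\V0220Mon.exe"
212992 Jun 29 2005 "C:\WINDOWS\system32\sw20.exe"
212992 Jun 29 2005 "C:\WINDOWS\system32\bak\sw20.exe"
28172 Oct 3 2007 "C:\Program Files\DAEMON Tools\daemon.exe"
157592 Nov 12 2006 "C:\Program Files\DAEMON Tools\bak\daemon.exe"
52272 Feb 15 2007 "C:\Program Files\Google\googletoolbar3user.exe"
28172 Oct 3 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
68856 Jun 18 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
229376 Jun 15 2006 "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe"
229376 Jun 15 2006 "C:\Program Files\Nokia\Nokia PC Suite 6\bak\LAUNCH~1.EXE"
180269 Nov 30 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Nov 30 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
'''


@dataclass(frozen=True)
class Entry:
    """One file as FindAWF lists it (name chosen for this example)."""
    size: int
    date: str              # "Mon D YYYY" exactly as FindAWF prints it
    path: PureWindowsPath  # compares case-insensitively, like NTFS


def parse_listing(text):
    """Parse FindAWF duplicate-list lines; anything else in the text is skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            size, mon, day, year, path = m.groups()
            entries.append(Entry(int(size), f"{mon} {day} {year}", PureWindowsPath(path)))
    return entries


def triage(entries):
    """Pair every bak-folder file with the same-named file one level up.

    Returns (suspects, clean, unmatched):
      suspects  - (parent, bak) where the parent copy differs in size or date,
                  i.e. the parent copy is the replacement and bak the original
      clean     - (parent, bak) identical in size and date
      unmatched - bak files with no same-named parent copy in the listing, e.g.
                  an 8.3 short name such as LAUNCH~1.EXE; these need a manual look
    """
    by_path = {e.path: e for e in entries}
    suspects, clean, unmatched = [], [], []
    for bak in entries:
        if bak.path.parent.name.lower() != "bak":
            continue
        parent = by_path.get(bak.path.parent.parent / bak.path.name)
        if parent is None:
            unmatched.append(bak)
        elif (parent.size, parent.date) != (bak.size, bak.date):
            suspects.append((parent, bak))
        else:
            clean.append((parent, bak))
    return suspects, clean, unmatched


def restore_list(suspects):
    """Lines to paste into FindAWF's files.txt (option 2): the quoted bak path of
    each original that FindAWF should copy back over its replacement."""
    return [f'"{bak.path}"' for _parent, bak in suspects]


if __name__ == "__main__":
    suspects, clean, unmatched = triage(parse_listing(SAMPLE_LISTING))
    for parent, bak in suspects:
        print(f"SUSPECT   {parent.path}  {parent.size} {parent.date}"
              f"  (bak copy: {bak.size} {bak.date})")
    for bak in unmatched:
        print(f"UNMATCHED {bak.path}  (no same-named parent copy; check short name by hand)")
    print(f"{len(clean)} bak/parent pair(s) identical")
    print("files.txt:")
    print("\n".join(restore_list(suspects)))
```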




#6 SifuMike

    malware expert


Posted 21 October 2007 - 06:12 PM

Hi Danish989,

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally, copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

*********************

Please double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


"C:\Program Files\DAEMON Tools\bak\daemon.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
  • It attempts to terminate the process represented by each filename on the list, if running
  • Deletes the rogue file from the parent folder, if present
  • Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

Edited by SifuMike, 21 October 2007 - 06:15 PM.


#7 Danish989


Posted 22 October 2007 - 09:21 AM

SDFix Report:
------------
SDFix: Version 1.110

Run by XPPRESP3 on Mon 10/22/2007 at 05:03 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\DOCUME~1\XPPRESP3\LOCALS~1\Temp\abc123.pid - Deleted
C:\WINDOWS\system32\winsys.exe - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\U.S. Robotics\\EasyConfigurator\\EasyConfigurator.exe"="C:\\Program Files\\U.S. Robotics\\EasyConfigurator\\EasyConfigurator.exe:*:Enabled:LaunchAnywhere GUI"
"C:\\Program Files\\U.S. Robotics\\EasyConfigurator\\UninstallerData\\Uninstall.exe"="C:\\Program Files\\U.S. Robotics\\EasyConfigurator\\UninstallerData\\Uninstall.exe:*:Enabled:LaunchAnywhere GUI"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares"
"C:\\Program Files\\DAP\\DAP.exe"="C:\\Program Files\\DAP\\DAP.exe:*:Enabled:Download Accelerator Plus (DAP)"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Valve\\Condition Zero\\czero.exe"="C:\\Valve\\Condition Zero\\czero.exe:*:Enabled:Condition Zero Launcher"
"D:\\utorrent.exe"="D:\\utorrent.exe:*:Enabled:ęTorrent"
"C:\\Program Files\\Valve\\hl.exe"="C:\\Program Files\\Valve\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Hamachi\\hamachi.exe"="C:\\Program Files\\Hamachi\\hamachi.exe:*:Enabled:Hamachi"
"E:\\Midtown Madness 2\\Midtown2.exe"="E:\\Midtown Madness 2\\Midtown2.exe:*:Enabled:Midtown Madness 2"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Windows Media Player\\wmlaunch.exe"="C:\\Program Files\\Windows Media Player\\wmlaunch.exe:*:Enabled:wmlaunch"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Leaf Networks\\Leaf 2006\\bin\\Leaf 2006.exe"="C:\\Program Files\\Leaf Networks\\Leaf 2006\\bin\\Leaf 2006.exe:*:Enabled:Leaf 2006"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"="C:\\Program Files\\Microsoft Games\\Halo\\halo.exe:*:Enabled:Halo"
"C:\\Program Files\\SightSpeed\\SightSpeed.exe"="C:\\Program Files\\SightSpeed\\SightSpeed.exe:*:Enabled:SightSpeed"
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"="C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe:*:Enabled:nsu_ui_client"
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\nsl_host_process.exe"="C:\\Program Files\\Common Files\\Nokia\\Service Layer\\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process "
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. The whole world can talk for free."
"E:\\UPP 2.00\\mirc_upp.exe"="E:\\UPP 2.00\\mirc_upp.exe:*:Enabled:mIRC"
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\JAVAW.EXE"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\JAVAW.EXE:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\JAP\\jap.exe"="C:\\Program Files\\JAP\\jap.exe:*:Enabled:JAP"
"C:\\Program Files\\MSN Messenger 7.5\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger 7.5\\msnmsgr.exe:*:Enabled:MSN Messenger"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:ęTorrent"
"H:\\Half Life 2\\hl2.exe"="H:\\Half Life 2\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe:*:Enabled:RealPlayer"
"H:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"="H:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe:*:Enabled:Halo"
"C:\\Program Files\\KSAFone\\ksafone.exe"="C:\\Program Files\\KSAFone\\ksafone.exe:*:Enabled:ksafone Module"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 4 Aug 2004 1,042,903 A..HR --- "C:\WINDOWS\SET3.tmp"
Wed 4 Aug 2004 1,086,058 A..HR --- "C:\WINDOWS\SET4.tmp"
Wed 4 Aug 2004 13,753 A..HR --- "C:\WINDOWS\SET8.tmp"
Mon 21 Mar 2005 29,491 A..HR --- "C:\WINDOWS\SET31.tmp"
Sat 19 Mar 2005 13,574 A..HR --- "C:\WINDOWS\SET32.tmp"
Sat 19 Mar 2005 10,786 A..HR --- "C:\WINDOWS\SET33.tmp"
Sat 19 Mar 2005 16,497 A..HR --- "C:\WINDOWS\SET34.tmp"
Sun 20 Mar 2005 18,199 A..HR --- "C:\WINDOWS\SET35.tmp"
Thu 23 Aug 2001 5,632 A..HR --- "C:\WINDOWS\system32\kbda1.dll"
Thu 23 Aug 2001 5,632 A..HR --- "C:\WINDOWS\system32\kbda2.dll"
Thu 23 Aug 2001 5,632 A..HR --- "C:\WINDOWS\system32\kbda3.dll"
Thu 23 Aug 2001 5,632 A..HR --- "C:\WINDOWS\system32\kbdurdu.dll"
Thu 23 Aug 2001 5,632 A..HR --- "C:\WINDOWS\system32\kbddiv1.dll"
Thu 23 Aug 2001 5,632 A..HR --- "C:\WINDOWS\system32\kbddiv2.dll"
Thu 23 Aug 2001 5,632 A..HR --- "C:\WINDOWS\system32\kbdsyr1.dll"
Thu 23 Aug 2001 5,632 A..HR --- "C:\WINDOWS\system32\kbdsyr2.dll"
Thu 18 Nov 2004 347,136 A..HR --- "C:\WINDOWS\system32\hypertrm.dll"
Tue 19 Dec 2006 1,024 ...HR --- "C:\WINDOWS\system32\NTICDMK32.dll"
Wed 3 May 2006 163,328 ..SHR --- "C:\WINDOWS\system32\flvDX.dll"
Wed 21 Feb 2007 31,232 ..SHR --- "C:\WINDOWS\system32\msfDX.dll"
Sat 9 Dec 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 22 Dec 2004 76,568 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Thu 13 Jan 2005 11,360 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Wed 15 Aug 2007 72,704 ..SHR --- "C:\Program Files\eRightSoft\SUPER\Setup.exe"
Sun 26 Jun 2005 616,448 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygwin1.dll"
Tue 21 Jun 2005 45,568 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygz.dll"
Thu 1 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 4 Jun 2002 84,992 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll"
Tue 4 Jun 2002 44,032 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll"
Tue 10 Dec 2002 73,766 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll"
Tue 10 Dec 2002 65,575 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll"
Sun 9 Jun 2002 36,864 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ddnt3260.dll"
Tue 4 Jun 2002 20,480 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll"
Tue 10 Dec 2002 102,437 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv13260.dll"
Tue 10 Dec 2002 176,165 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll"
Tue 10 Dec 2002 208,935 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll"
Tue 10 Dec 2002 217,127 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll"
Sun 9 Jun 2002 40,448 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dspr3260.dll"
Sun 4 Nov 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll"
Tue 10 Apr 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll"
Fri 20 Feb 2004 232,960 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll"
Sun 9 Jun 2002 525,824 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnco3260.dll"
Tue 10 Dec 2002 245,805 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnlt3260.dll"
Tue 10 Dec 2002 45,093 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv103260.dll"
Tue 10 Dec 2002 98,341 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv203260.dll"
Tue 10 Dec 2002 94,247 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv303260.dll"
Tue 10 Dec 2002 90,151 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv403260.dll"
Tue 10 Dec 2002 102,439 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll"
Sun 9 Jun 2002 49,152 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\tokr3260.dll"

Finished!





FindAWF Log:
----------------------

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Mon 10/22/2007
The current time is: 16:57:54.89


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

06/29/2006 01:01 AM 32,768 V0220Mon.exe
1 File(s) 32,768 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

07/09/2001 10:50 AM 155,648 NeroCheck.exe
06/29/2005 11:08 AM 212,992 sw20.exe
07/04/2005 07:29 AM 69,632 sw24.exe
3 File(s) 438,272 bytes

Directory of C:\PROGRA~1\TASKSW~1\BAK

07/27/2005 09:00 PM 61,952 TaskSwitchXP.exe
1 File(s) 61,952 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ARES\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SPYBOT~1\BAK

05/31/2005 01:04 AM 1,415,824 TeaTimer.exe
1 File(s) 1,415,824 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

12/19/2006 07:44 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\LIVEUP~1\BAK

12/13/2003 07:17 PM 61,440 LiveUpdate.exe
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\DAEMON~1\BAK

11/12/2006 01:48 PM 157,592 daemon.exe
1 File(s) 157,592 bytes

Directory of C:\PROGRA~1\DAEMON~2\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\BAK

06/18/2007 01:01 AM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\KSE\NHANCE~1\BAK

04/22/2007 03:43 PM 1,110,016 nHancer.exe
1 File(s) 1,110,016 bytes

Directory of C:\PROGRA~1\HEWLET~1\ORDERR~1\BAK

01/30/2006 07:00 PM 98,304 OrderReminder.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\NOKIA\NOKIAP~1\BAK

06/15/2006 12:36 PM 229,376 LAUNCH~1.EXE
06/27/2006 04:21 PM 1,449,984 PcSync2.exe
2 File(s) 1,679,360 bytes

Directory of C:\PROGRA~1\ENDTASK\ENDTAS~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

11/30/2006 09:38 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\CREATIVE\CREATI~1\VIDEOFX\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

06/21/2002 12:01 PM 188,416 hpztsb05.exe
1 File(s) 188,416 bytes

Directory of H:\HALFLI~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

32768 Jun 29 2006 "C:\WINDOWS\V0220Mon.exe"
32768 Jun 29 2006 "C:\WINDOWS\bak\V0220Mon.exe"
32768 Jun 29 2006 "C:\Live! Cam\Live! Cam Video IM\V0220Mon.exe"
32768 Jun 29 2006 "C:\WINDOWS\CtDrvInstall\{76303232-30646576-0000000000000000}\V0220Mon.exe"
212992 Jun 29 2005 "C:\WINDOWS\system32\sw20.exe"
212992 Jun 29 2005 "C:\WINDOWS\system32\bak\sw20.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
69632 Jul 4 2005 "C:\WINDOWS\system32\sw24.exe"
69632 Jul 4 2005 "C:\WINDOWS\system32\bak\sw24.exe"
61952 Jul 27 2005 "C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe"
61952 Jul 27 2005 "C:\Program Files\TaskSwitchXP\bak\TaskSwitchXP.exe"
1415824 May 31 2005 "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
1415824 May 31 2005 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
282624 Dec 19 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Dec 19 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
61440 Dec 13 2003 "C:\Program Files\LIVEUPDATE\LiveUpdate.exe"
61440 Dec 13 2003 "C:\Program Files\LIVEUPDATE\bak\LiveUpdate.exe"
157592 Nov 12 2006 "C:\Program Files\DAEMON Tools\daemon.exe"
157592 Nov 12 2006 "C:\Program Files\DAEMON Tools\bak\daemon.exe"
52272 Feb 15 2007 "C:\Program Files\Google\googletoolbar3user.exe"
26694 Oct 2 2007 "C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe"
4927488 Jul 11 2006 "C:\Program Files\Google\Google Video Player\GoogleVideoPlayer.exe"
68856 Jun 18 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
69632 Sep 12 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
68856 Jun 18 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
138168 Feb 15 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
1606064 Jan 18 2007 "D:\googletalk-setup.exe"
13736064 Aug 1 2006 "E:\Setup Files\GoogleEarthWin.exe"
540320 Apr 25 2005 "E:\Setup Files\GooGLe TooLBaR\GoogleToolbarInstaller.exe"
13411824 Oct 2 2007 "H:\Google_Earth_BZXD.exe"
1110016 Apr 22 2007 "C:\Program Files\KSE\nHancer 32bit\nHancer.exe"
1110016 Apr 22 2007 "C:\Program Files\KSE\nHancer 32bit\bak\nHancer.exe"
98304 Jan 30 2006 "C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe"
98304 Jan 30 2006 "C:\Program Files\Hewlett-Packard\OrderReminder\bak\OrderReminder.exe"
1449984 Jun 27 2006 "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe"
1449984 Jun 27 2006 "C:\Program Files\Nokia\Nokia PC Suite 6\bak\PcSync2.exe"
229376 Jun 15 2006 "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe"
229376 Jun 15 2006 "C:\Program Files\Nokia\Nokia PC Suite 6\bak\LAUNCH~1.EXE"
180269 Nov 30 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Nov 30 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
188416 Jun 21 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe"
188416 Jun 21 2002 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb05.exe"


end of report



Hijack This! Log:
---------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:10:00 PM, on 10/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\V0220Mon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://winamp.com/support/help/50/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.saudi.net.sa:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [V0220Mon.exe] C:\WINDOWS\V0220Mon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe"
O4 - HKLM\..\Run: [DaemonTools_WhenUSave_Installer] C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [stupid creative poll axis] C:\Documents and Settings\All Users\Application Data\Memo save stupid creative\Vga Browse.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Trayhold] C:\DOCUME~1\XPPRESP3\APPLIC~1\BALLCA~1\Kind link size.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109w.bay109.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{761C38E1-8A6D-4964-B5A9-2E9788C2B241}: NameServer = 213.166.129.3,213.166.129.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{761C38E1-8A6D-4964-B5A9-2E9788C2B241}: NameServer = 213.166.129.3,213.166.129.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{761C38E1-8A6D-4964-B5A9-2E9788C2B241}: NameServer = 213.166.129.3,213.166.129.4
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 10096 bytes
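
Helpers reading a log like the one above go through it section by section. The Python below is an added example, not a tool from this thread or from HijackThis itself; it does the same pass mechanically over a handful of entries copied from the log: it splits each entry into section and body, collects the O15 Trusted Zone domains, the O17 DNS servers, the O4 RunOnce commands together with the hives they repeat under, and any O16 control loaded from a local file:// path. Those are the entries that change browser trust, name resolution or startup, so they are the ones worth comparing against what the machine's owner expects; the script flags nothing as malicious by itself.

```python
import re

# Sample entries copied from the HijackThis log above (a few of each section type);
# the parser works the same way on a full log pasted in as one string.
SAMPLE_LOG = r"""
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{761C38E1-8A6D-4964-B5A9-2E9788C2B241}: NameServer = 213.166.129.3,213.166.129.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{761C38E1-8A6D-4964-B5A9-2E9788C2B241}: NameServer = 213.166.129.3,213.166.129.4
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# A log entry is "<section> - <body>"; header and "Running processes" lines do not match.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# Per-user O4 entries end in "(User '<name>')"; the name is split off so commands can be grouped.
USER_RE = re.compile(r"\s*\(User '(?P<user>[^']*)'\)$")


def parse_hjt(text):
    """Split a HijackThis log into {'section', 'body', 'user'} records."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body, user = m.group("body"), None
        um = USER_RE.search(body)
        if um:
            user = um.group("user")
            body = body[: um.start()]
        entries.append({"section": m.group("section"), "body": body, "user": user})
    return entries


def trusted_zones(entries):
    """O15 entries add sites to IE's Trusted zone, which runs with relaxed security settings."""
    return [e["body"].split(":", 1)[1].strip() for e in entries if e["section"] == "O15"]


def name_servers(entries):
    """Distinct DNS servers from the O17 (TCP/IP NameServer) entries across all control sets."""
    servers = set()
    for e in entries:
        if e["section"] == "O17":
            value = e["body"].partition("NameServer =")[2]
            servers.update(s.strip() for s in value.split(",") if s.strip())
    return sorted(servers)


def run_once_commands(entries):
    """O4 RunOnce commands keyed by command line, with the users/hives each appears under."""
    grouped = {}
    for e in entries:
        if e["section"] == "O4" and "RunOnce:" in e["body"]:
            key, _, command = e["body"].partition(": ")
            grouped.setdefault(command.strip(), []).append(e["user"] or key)
    return grouped


def local_dpf_sources(entries):
    """O16 (Downloaded Program Files) entries sourced from a local file:// path, not a web URL."""
    return [e["body"] for e in entries if e["section"] == "O16" and "file://" in e["body"].lower()]


def review_summary(text):
    """One dictionary with the entry classes a helper checks first."""
    entries = parse_hjt(text)
    return {
        "entries": len(entries),
        "trusted_zones": trusted_zones(entries),
        "name_servers": name_servers(entries),
        "run_once": run_once_commands(entries),
        "local_dpf": local_dpf_sources(entries),
    }


if __name__ == "__main__":
    for key, value in review_summary(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Grouping the RunOnce entries by command line shows at a glance that the same `nlsf` move command is registered under every user hive, which is the question a reviewer asks before deciding whether an entry is one item or several.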

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 22 October 2007 - 12:31 PM

Hi Danish989,

Please double-click the FindAWF icon once again.
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders.

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\WINDOWS\bak
C:\WINDOWS\system32\bak
C:\Program Files\TaskSwitchXP\bak
C:\Program Files\Spybot - Search & Destroy\bak
C:\Program Files\QuickTime\bak
C:\Program Files\LIVEUPDATE\bak
C:\Program Files\DAEMON Tools\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\KSE\nHancer 32bit\bak
C:\Program Files\Hewlett-Packard\OrderReminder\bak
C:\Program Files\Nokia\Nokia PC Suite 6\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 Danish989

Danish989
  • Topic Starter

  • Members
  • 14 posts

Posted 22 October 2007 - 06:51 PM

Here's the FindAWF Report:


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Tue 10/23/2007
The current time is: 2:35:28.95


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\SYSTEM32\BAK

06/29/2005 11:08 AM 212,992 sw20.exe
07/04/2005 07:29 AM 69,632 sw24.exe
2 File(s) 282,624 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ARES\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SPYBOT~1\BAK

05/31/2005 01:04 AM 1,415,824 TeaTimer.exe
1 File(s) 1,415,824 bytes

Directory of C:\PROGRA~1\DAEMON~2\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HEWLET~1\ORDERR~1\BAK

01/30/2006 07:00 PM 98,304 OrderReminder.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\ENDTASK\ENDTAS~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\CREATIVE\CREATI~1\VIDEOFX\BAK

0 File(s) 0 bytes

Directory of H:\HALFLI~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

212992 Jun 29 2005 "C:\WINDOWS\system32\sw20.exe"
212992 Jun 29 2005 "C:\WINDOWS\system32\bak\sw20.exe"
69632 Jul 4 2005 "C:\WINDOWS\system32\sw24.exe"
69632 Jul 4 2005 "C:\WINDOWS\system32\bak\sw24.exe"
1415824 May 31 2005 "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
1415824 May 31 2005 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
98304 Jan 30 2006 "C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe"
98304 Jan 30 2006 "C:\Program Files\Hewlett-Packard\OrderReminder\bak\OrderReminder.exe"


end of report
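
A FindAWF report has two fixed sections, "bak folders found" and "Duplicate files of bak directory contents", and the thread goes through several rounds of reading them. The Python below is an added example, not part of FindAWF or of this thread; it parses an abridged copy of the report above, lists the bak folders that still hold files, pairs each bak copy with the live file at the same path minus the bak component and records whether the two still have the same size, and reports whether a run is fully clean (no bak folders and no duplicates left), which is the state the thread is working towards.

```python
import re
from collections import OrderedDict

# Abridged copy of the FindAWF report above: three of its bak folders and their duplicate lines.
SAMPLE_REPORT = r"""
Find AWF report by noahdfear
Version 1.40
Option 3 run successfully

bak folders found
~~~~~~~~~~~

Directory of C:\WINDOWS\SYSTEM32\BAK

06/29/2005 11:08 AM 212,992 sw20.exe
07/04/2005 07:29 AM 69,632 sw24.exe
2 File(s) 282,624 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SPYBOT~1\BAK

05/31/2005 01:04 AM 1,415,824 TeaTimer.exe
1 File(s) 1,415,824 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

212992 Jun 29 2005 "C:\WINDOWS\system32\sw20.exe"
212992 Jun 29 2005 "C:\WINDOWS\system32\bak\sw20.exe"
69632 Jul 4 2005 "C:\WINDOWS\system32\sw24.exe"
69632 Jul 4 2005 "C:\WINDOWS\system32\bak\sw24.exe"
1415824 May 31 2005 "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
1415824 May 31 2005 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"

end of report
"""

DIR_RE = re.compile(r"^Directory of (.+)$")
# "MM/DD/YYYY HH:MM AM  1,415,824 name.exe" lines; the "N File(s)" summary line does not match.
FILE_RE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{1,2}:\d{2}\s[AP]M\s+([\d,]+)\s+(.+)$")
# '212992 Jun 29 2005 "C:\path\file.exe"' lines in the duplicates section.
DUP_RE = re.compile(r'^(\d+)\s+(\w{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')


def parse_findawf(text):
    """Return {'bak_dirs': {dir: [files]}, 'duplicates': [entries]} for one report."""
    bak_dirs = OrderedDict()
    duplicates = []
    current = None
    in_dups = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Duplicate files of bak directory contents"):
            in_dups, current = True, None
            continue
        if in_dups:
            m = DUP_RE.match(line)
            if m:
                duplicates.append({"size": int(m.group(1)), "date": m.group(2), "path": m.group(3)})
            continue
        m = DIR_RE.match(line)
        if m:
            current = m.group(1)
            bak_dirs[current] = []
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            bak_dirs[current].append({"name": m.group(2), "size": int(m.group(1).replace(",", ""))})
    return {"bak_dirs": bak_dirs, "duplicates": duplicates}


def bak_dirs_with_files(report):
    """bak folders that still contain files (the ones a helper asks to have removed first)."""
    return [d for d, files in report["bak_dirs"].items() if files]


def pair_duplicates(report):
    """Match each bak copy with the live file at the same path without the '\\bak' component."""
    by_path = {d["path"].lower(): d for d in report["duplicates"]}
    pairs = []
    for dup in report["duplicates"]:
        low = dup["path"].lower()
        if "\\bak\\" not in low:
            continue
        live = by_path.get(low.replace("\\bak\\", "\\"))
        if live is not None:
            pairs.append({"live": live["path"], "bak": dup["path"],
                          "same_size": live["size"] == dup["size"]})
    return pairs


def is_clean(report):
    """True when the report lists no bak folders at all and no duplicate files."""
    return not report["bak_dirs"] and not report["duplicates"]


if __name__ == "__main__":
    report = parse_findawf(SAMPLE_REPORT)
    print("bak folders with files:", bak_dirs_with_files(report))
    for pair in pair_duplicates(report):
        print("pair:", pair)
    print("clean:", is_clean(report))
```

Running it on the later reports in the thread shows the progression the helper is checking for: first the populated folders disappear, then the empty ones, and finally `is_clean` becomes true when both sections are empty.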

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 22 October 2007 - 10:12 PM

Hi Danish989,

Please double-click the FindAWF icon once again.
We still have to remove several folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders.

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\WINDOWS\system32\bak
C:\Program Files\Spybot - Search & Destroy\bak
C:\Program Files\Hewlett-Packard\OrderReminder\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply.

#11 Danish989

Danish989
  • Topic Starter

  • Members
  • 14 posts

Posted 23 October 2007 - 07:40 AM

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Tue 10/23/2007
The current time is: 15:30:23.09


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\SYSTEM32\BAK

06/29/2005 11:08 AM 212,992 sw20.exe
07/04/2005 07:29 AM 69,632 sw24.exe
2 File(s) 282,624 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ARES\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SPYBOT~1\BAK

05/31/2005 01:04 AM 1,415,824 TeaTimer.exe
1 File(s) 1,415,824 bytes

Directory of C:\PROGRA~1\DAEMON~2\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HEWLET~1\ORDERR~1\BAK

01/30/2006 07:00 PM 98,304 OrderReminder.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\ENDTASK\ENDTAS~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\CREATIVE\CREATI~1\VIDEOFX\BAK

0 File(s) 0 bytes

Directory of H:\HALFLI~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

212992 Jun 29 2005 "C:\WINDOWS\system32\sw20.exe"
212992 Jun 29 2005 "C:\WINDOWS\system32\bak\sw20.exe"
69632 Jul 4 2005 "C:\WINDOWS\system32\sw24.exe"
69632 Jul 4 2005 "C:\WINDOWS\system32\bak\sw24.exe"
1415824 May 31 2005 "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
1415824 May 31 2005 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
98304 Jan 30 2006 "C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe"
98304 Jan 30 2006 "C:\Program Files\Hewlett-Packard\OrderReminder\bak\OrderReminder.exe"


end of report

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 23 October 2007 - 12:06 PM

Hi Danish989,

Looks like Option 3 did not work, so we will remove the bak folders manually.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.

Using Windows Explorer, delete the following folders in bold

C:\WINDOWS\system32\bak <== folder
C:\Program Files\Spybot - Search & Destroy\bak <== folder
C:\Program Files\Hewlett-Packard\OrderReminder\bak <== folder

Now run FindAWF with Option 1 and post the FindAWF log.

#13 Danish989

Danish989
  • Topic Starter

  • Members
  • 14 posts

Posted 23 October 2007 - 12:36 PM

I manually deleted the specified folders as you told me to. Here's a new FindAWF Report:

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Tue 10/23/2007
The current time is: 20:24:25.59


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ARES\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\DAEMON~2\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ENDTASK\ENDTAS~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\CREATIVE\CREATI~1\VIDEOFX\BAK

0 File(s) 0 bytes

Directory of H:\HALFLI~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 23 October 2007 - 12:55 PM

Using Windows Explorer, delete the following folders in bold


C:\PROGRA~1\MSNMES~1\BAK <== folder
C:\PROGRA~1\ARES\BAK <== folder
C:\PROGRA~1\DAEMON~2\BAK <== folder
C:\PROGRA~1\ENDTASK\ENDTAS~1\BAK <== folder
C:\PROGRA~1\CREATIVE\CREATI~1\VIDEOFX\BAK <== folder
H:\HALFLI~1\BAK <== folder


Now run FindAWF with Option 1 and post the FindAWF log.

#15 Danish989

Danish989
  • Topic Starter

  • Members
  • 14 posts

Posted 23 October 2007 - 06:02 PM

I've got some good news and some bad news.

Good news:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Wed 10/24/2007
The current time is: 1:49:45.82


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report


Bad News : The CiD Popups are back =\



