Many Popups Slow Computer

14 replies to this topic

#1 looney2340 (Members, 202 posts, NYC)

Posted 28 October 2007 - 10:30 PM

Hello everyone, I have another post. I'm working on a friend's computer; she was complaining of a slow computer, many, many popups, and not being able to get online. When opening Internet Explorer, it does not connect to any web site. On her desktop she now has a yellow triangle that says "click to find and fix errors", which we know is not good. I installed and ran Spybot; it did find files and did delete a lot. I also ran VundoFix; it did find about 8 files that it also deleted. When Spybot is run there is a process, I believe command.exe or something close to that effect, that it states is potentially bad, and it shuts it down and runs Spybot when Windows starts. I installed Ad-Aware 2007, but the computer has a hard time staying online, so I cannot update the definition files. I did run a HijackThis log and cleaned up what I knew; here is a copy of the log I have now. I will be using my computer to get online and carry out any instructions, being hers is unable to connect and stay online. Thanks for your help one more time.

P.S. She does have Norton installed on her computer, which does not start at Windows load. I will try and update and do a scan. Once I do get online I will run BitDefender online to check for any viruses.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:12 PM, on 10/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\AOL\1161530847\ee\AOLSoftware.exe
C:\WINDOWS\winshow.exe
C:\Program Files\Words\Words.exe
C:\Program Files\ISM2\ISMPack7.exe
C:\Program Files\ISM\ISMModule8.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\AOL\1161530847\ee\aolsoftware.exe
c:\program files\common files\aol\1161530847\ee\AOLOpenRide.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\LSUpdateManager.exe
C:\Documents and Settings\JOYCE BOWERS\Desktop\Henry\HijackThis.exe

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161530847\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [ISMPack7] "C:\Program Files\ISM2\ISMPack7.exe"
O4 - HKCU\..\Run: [ISMModule8] "C:\Program Files\ISM\ISMModule8.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O4 - Global Startup: Digimax Viewer 2.0.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O15 - Trusted Zone: *.whataboutadog.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\profsyv.html

--
End of file - 6562 bytes

#2 random/random (Malware Response Team, 2,704 posts)

Posted 02 November 2007 - 04:17 PM

Please download FindAWF:
http://noahdfear.net/downloads/FindAWF.exe

Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, Find AWF report is produced.
Please provide Find AWF report in your reply.

#3 looney2340, Topic Starter (Members, 202 posts, NYC)

Posted 02 November 2007 - 10:07 PM

Hello,

Thank you for your reply; I know how busy you guys are. Here is my new HijackThis and FindAWF log.
While waiting for your reply I have installed AVG Anti-Spyware and ran a scan; it did find many trojans and downloaders and deleted them. I also did a little looking into my HijackThis log and uninstalled and deleted the following 2 entries:

O4 - HKCU\..\Run: [ISMPack7] "C:\Program Files\ISM2\ISMPack7.exe"
O4 - HKCU\..\Run: [ISMModule8] "C:\Program Files\ISM\ISMModule8.exe"


I have been unable to run a scan with Norton; it will not start at all, and I am also unable to run a BitDefender scan online. There is some trouble with the ActiveX file when it tries to run after it is downloaded.

In my Windows folder I am also seeing 2 system32 folders. I don't think that is correct; am I to assume this is part of the infection I have?




Find AWF report by noahdfear 2006
Version 1.40

The current date is: Fri 11/02/2007
The current time is: 22:56:24.45


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

05/11/2000 01:00 AM 90,112 UpdReg.EXE
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\AOL9~1.0A\BAK

04/18/2007 01:49 AM 50,736 AOL.EXE
1 File(s) 50,736 bytes

Directory of C:\PROGRA~1\DELLSU~1\BAK

03/15/2007 11:09 AM 460,784 DSAgnt.exe
1 File(s) 460,784 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\NORTON~1\BAK

12/11/2003 07:35 PM 70,800 UrlLstCk.exe
1 File(s) 70,800 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

09/30/2004 08:05 AM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

12/30/2005 11:46 AM 95,960 SNDMon.exe
1 File(s) 95,960 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

10/19/2005 07:59 AM 126,976 hkcmd.exe
10/19/2005 07:59 AM 155,648 igfxtray.exe
2 File(s) 282,624 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

12/22/2004 05:45 PM 71,280 ccApp.exe
11/21/2003 04:04 PM 124,096 cfgwiz.exe
2 File(s) 195,376 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

04/11/2004 11:43 AM 53,248 DVDLauncher.exe
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK

04/11/2004 08:15 PM 290,816 PCMService.exe
1 File(s) 290,816 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

07/09/2007 09:34 AM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

01/12/2005 02:54 PM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

02/16/2005 10:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\INTEL\MODEME~1\BAK

09/03/2003 08:12 PM 221,184 IntelMEM.exe
1 File(s) 221,184 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~2\BAK

04/19/2004 02:45 PM 131,072 mm_tray.exe
04/19/2004 02:45 PM 53,248 mmtask.exe
2 File(s) 184,320 bytes

Directory of C:\PROGRA~1\MYSPACE\IM\BAK

08/13/2007 07:04 PM 5,562,368 MySpaceIM.exe
1 File(s) 5,562,368 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

03/15/2004 01:04 AM 122,933 tfswctrl.exe
1 File(s) 122,933 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~2.0\READER\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK

12/05/2003 10:08 PM 50,688 WkUFind.exe
1 File(s) 50,688 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

05/02/2006 02:29 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

08/19/2003 01:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\CREATIVE\SBLIVE\DIAGNO~1\BAK

04/03/2002 01:01 AM 135,264 diagent.exe
1 File(s) 135,264 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

11/19/2003 05:48 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\116153~1\EE\BAK

09/25/2006 07:52 PM 50,736 AOLSoftware.exe
1 File(s) 50,736 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

26636 Oct 11 2007 "C:\WINDOWS\UpdReg.EXE"
90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
45139 Aug 9 2003 "C:\Program Files\America Online 9.0\aol.exe"
50736 Jan 23 2007 "C:\Program Files\AOL 9.0\aol.exe"
26636 Oct 11 2007 "C:\Program Files\AOL 9.0a\AOL.EXE"
50736 Apr 18 2007 "C:\Program Files\AOL 9.0b\aol.exe"
50736 Apr 18 2007 "C:\Program Files\AOL 9.0a\bak\AOL.EXE"
26636 Oct 11 2007 "C:\Program Files\DellSupport\DSAgnt.exe"
460784 Mar 15 2007 "C:\Program Files\DellSupport\bak\DSAgnt.exe"
26636 Oct 11 2007 "C:\Program Files\Norton Internet Security\UrlLstCk.exe"
70800 Dec 11 2003 "C:\Program Files\Norton Internet Security\bak\UrlLstCk.exe"
26636 Oct 11 2007 "C:\Program Files\QuickTime\qttask.exe"
77824 Sep 30 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
26636 Oct 11 2007 "C:\Program Files\SymNetDrv\SNDMon.exe"
95960 Dec 30 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
118784 Feb 10 2004 "C:\DRIVERS\VIDEO\HKCMD.EXE"
26636 Oct 11 2007 "C:\WINDOWS\SYSTEM32\hkcmd.exe"
126976 Oct 19 2005 "C:\WINDOWS\SYSTEM32\bak\hkcmd.exe"
118784 Feb 10 2004 "C:\WINDOWS\SYSTEM32\ReinstallBackups\0004\DriverFiles\hkcmd.exe"
155648 Feb 10 2004 "C:\DRIVERS\VIDEO\IGFXTRAY.EXE"
26636 Oct 11 2007 "C:\WINDOWS\SYSTEM32\igfxtray.exe"
155648 Oct 19 2005 "C:\WINDOWS\SYSTEM32\bak\igfxtray.exe"
155648 Feb 10 2004 "C:\WINDOWS\SYSTEM32\ReinstallBackups\0004\DriverFiles\igfxtray.exe"
26636 Oct 11 2007 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
71280 Dec 22 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
26636 Oct 11 2007 "C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe"
124096 Nov 21 2003 "C:\Program Files\Common Files\Symantec Shared\bak\cfgwiz.exe"
26636 Oct 11 2007 "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
53248 Apr 11 2004 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
26636 Oct 11 2007 "C:\Program Files\Dell\Media Experience\PCMService.exe"
290816 Apr 11 2004 "C:\Program Files\Dell\Media Experience\bak\PCMService.exe"
52272 Mar 21 2007 "C:\Program Files\Google\googletoolbar1user.exe"
26636 Oct 11 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
559784 May 2 2006 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
138168 Mar 21 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
68856 Jul 9 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
26636 Oct 11 2007 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
241664 Jan 12 2005 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
26636 Oct 11 2007 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
26636 Oct 11 2007 "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
221184 Sep 3 2003 "C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
26636 Oct 11 2007 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
53248 Apr 19 2004 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe"
26636 Oct 11 2007 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
110592 May 2 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"
131072 Apr 19 2004 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe"
26636 Oct 11 2007 "C:\Program Files\MySpace\IM\MySpaceIM.exe"
5562368 Aug 13 2007 "C:\Program Files\MySpace\IM\bak\MySpaceIM.exe"
26636 Oct 11 2007 "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe"
122933 Mar 15 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
122933 Mar 15 2004 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
26636 Oct 11 2007 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
50688 Dec 5 2003 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
26636 Oct 11 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 May 2 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
26636 Oct 11 2007 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
26636 Oct 11 2007 "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe"
135264 Apr 3 2002 "C:\Program Files\Creative\SBLive\Diagnostics\bak\diagent.exe"
26636 Oct 11 2007 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"
50760 Sep 29 2006 "C:\Program Files\AOL\RC\EE\aolsoftware.exe"
50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1161530847\ee\AOLSoftware.exe"
50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1161530847\ee\bak\AOLSoftware.exe"


end of report





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:42 PM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\UpdReg.EXE
C:\Program Files\Common Files\AOL\1161530847\ee\AOLSoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\AOL\1161530847\ee\aolsoftware.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\common files\aol\1161530847\ee\AOLOpenRide.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\JOYCE BOWERS\Desktop\Henry\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myway.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: 0 - {B3870377-35D7-444D-3CBC-077F2F91FB2D} - C:\Program Files\Internet Explorer\lavuh119.dll (file missing)
O2 - BHO: (no name) - {BA7C5868-F711-422A-9110-44E3B6A1BE6D} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CB13E61C-6BD8-4CA6-AF48-8572DDBDD421} - C:\WINDOWS\system32\jkkjj.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161530847\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O15 - Trusted Zone: *.whataboutadog.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7063 bytes
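The "Duplicate files of bak directory contents" section of the FindAWF report above is what the responder reads to build the restore list: every file whose `bak` copy has a different size from the file one level up has been swapped out, and the swapped-in files all share one size (26636 bytes, dated Oct 11 2007). The script below is an added example, not part of this thread or of FindAWF itself; it parses a constructed excerpt of that report (copied from the log above), flags each `bak` entry whose parent is missing or differs in size, reports the size the swapped-in files share, and emits the quoted paths in the form FindAWF's option 2 expects. The function and variable names are the example's own.

```python
import re
from collections import Counter

# Constructed sample: a subset of the "Duplicate files of bak directory
# contents" lines from the FindAWF report posted above (raw string, so the
# Windows backslashes are literal).
SAMPLE_REPORT = r"""
26636 Oct 11 2007 "C:\WINDOWS\UpdReg.EXE"
90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
45139 Aug 9 2003 "C:\Program Files\America Online 9.0\aol.exe"
50736 Jan 23 2007 "C:\Program Files\AOL 9.0\aol.exe"
26636 Oct 11 2007 "C:\Program Files\AOL 9.0a\AOL.EXE"
50736 Apr 18 2007 "C:\Program Files\AOL 9.0b\aol.exe"
50736 Apr 18 2007 "C:\Program Files\AOL 9.0a\bak\AOL.EXE"
118784 Feb 10 2004 "C:\DRIVERS\VIDEO\HKCMD.EXE"
26636 Oct 11 2007 "C:\WINDOWS\SYSTEM32\hkcmd.exe"
126976 Oct 19 2005 "C:\WINDOWS\SYSTEM32\bak\hkcmd.exe"
50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1161530847\ee\AOLSoftware.exe"
50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1161530847\ee\bak\AOLSoftware.exe"
"""

# One report line: <size> <Mon D YYYY> "<path>"
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"\s*$')


def parse_report(text):
    """Return [(size, date, path)] for every duplicate-file line in the report."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def parent_of_bak(path):
    """'<dir>\\bak\\name.exe' -> '<dir>\\name.exe'; None if not inside a bak folder."""
    parts = path.split("\\")
    if len(parts) < 3 or parts[-2].lower() != "bak":
        return None
    return "\\".join(parts[:-2] + parts[-1:])


def find_replaced(entries):
    """Compare each bak copy with the file one level up.

    A parent that is absent from the report, or whose size differs from its
    bak copy, has been swapped out; the bak copy is the original to restore.
    Entries such as C:\\DRIVERS\\VIDEO\\HKCMD.EXE are not under a bak folder
    and are ignored.
    """
    by_path = {path.lower(): size for size, _, path in entries}
    flagged = []
    for bak_size, _, bak in entries:
        parent = parent_of_bak(bak)
        if parent is None:
            continue
        parent_size = by_path.get(parent.lower())
        if parent_size != bak_size:
            flagged.append({"bak": bak, "parent": parent,
                            "bak_size": bak_size, "parent_size": parent_size})
    return flagged


def rogue_size(flagged):
    """The size shared by the swapped-in files (26636 bytes in the log above)."""
    sizes = [f["parent_size"] for f in flagged if f["parent_size"] is not None]
    return Counter(sizes).most_common(1)[0][0] if sizes else None


def restore_list(text):
    """Quoted bak paths, one per line, in the form FindAWF option 2 reads from files.txt."""
    return ['"%s"' % f["bak"] for f in find_replaced(parse_report(text))]


if __name__ == "__main__":
    flagged = find_replaced(parse_report(SAMPLE_REPORT))
    print("rogue size:", rogue_size(flagged))
    print("\n".join(restore_list(SAMPLE_REPORT)))
```

On the excerpt this flags UpdReg.EXE, the AOL 9.0a copy of AOL.EXE and hkcmd.exe (parent 26636 bytes in each case) and leaves AOLSoftware.exe alone, since its parent already matches the bak copy; that is the same judgement the responder applied when building the list in the next post.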

#4 random/random (Malware Response Team, 2,704 posts)

Posted 03 November 2007 - 05:42 AM

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


"C:\WINDOWS\bak\UpdReg.EXE"
"C:\Program Files\AOL 9.0a\bak\AOL.EXE"
"C:\Program Files\DellSupport\bak\DSAgnt.exe"
"C:\Program Files\Norton Internet Security\bak\UrlLstCk.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\SymNetDrv\bak\SNDMon.exe"
"C:\WINDOWS\SYSTEM32\bak\hkcmd.exe"
"C:\WINDOWS\SYSTEM32\bak\igfxtray.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\cfgwiz.exe"
"C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
"C:\Program Files\Dell\Media Experience\bak\PCMService.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
"C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe"
"C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe"
"C:\Program Files\MySpace\IM\bak\MySpaceIM.exe"
"C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
"C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
"C:\Program Files\Creative\SBLive\Diagnostics\bak\diagent.exe"
"C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"


Next, close the file and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply, along with a new HijackThis log.
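The restore step described in the post above (delete the rogue file from the parent folder, copy the original back from `bak`, then re-scan) can be reproduced on a throwaway directory tree. The following is an added example, not FindAWF's own code: it builds a constructed tree with the three situations a responder meets (a swapped-out file, a file already identical to its bak copy, and a bak copy whose parent is missing), restores from the listed bak paths, and re-scans to confirm every parent now matches its bak copy. It compares content by SHA-256 rather than size, and it omits the process-termination step, which is OS-specific (assumption: nothing holds the files open). Function names are the example's own.

```python
import hashlib
import os
import shutil
import tempfile


def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def parent_of_bak(bak_path):
    """Map '<dir>/bak/<name>' to '<dir>/<name>'; None if not inside a bak folder."""
    head, name = os.path.split(bak_path)
    parent_dir, bak = os.path.split(head)
    if bak.lower() != "bak":
        return None
    return os.path.join(parent_dir, name)


def scan_bak_folders(root):
    """Option-1 style scan: every file in a folder named 'bak', with the
    state of its counterpart one level up."""
    found = {}
    for dirpath, _, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        for name in filenames:
            bak = os.path.join(dirpath, name)
            parent = parent_of_bak(bak)
            if not os.path.isfile(parent):
                state = "parent_missing"
            elif _sha256(parent) == _sha256(bak):
                state = "identical"
            else:
                state = "replaced"
            found[bak] = state
    return found


def restore_from_bak(bak_paths):
    """Option-2 style restore for each listed bak path; returns what was done per path."""
    results = {}
    for bak in bak_paths:
        parent = parent_of_bak(bak)
        if parent is None:
            results[bak] = "not_a_bak_path"
            continue
        if not os.path.isfile(bak):
            results[bak] = "bak_missing"
            continue
        if os.path.isfile(parent) and _sha256(parent) == _sha256(bak):
            results[bak] = "already_original"   # nothing to do, do not touch it
            continue
        # FindAWF first tries to terminate a running process of that name;
        # that step is OS-specific and omitted here (assumption: file not in use).
        if os.path.isfile(parent):
            os.remove(parent)                   # delete the rogue file
        shutil.copy2(bak, parent)               # copy the original back
        results[bak] = "restored"
    return results


def build_fixture(root):
    """Constructed tree mimicking the layout in this thread: (parent bytes, bak bytes)."""
    cases = {
        "Program Files/Intel/Modem Event Monitor/IntelMEM.exe": (b"LOADER" * 10, b"INTELMEM-ORIGINAL"),
        "WINDOWS/UpdReg.EXE": (b"UPDREG-ORIGINAL", b"UPDREG-ORIGINAL"),
        "Program Files/Orphan/tool.exe": (None, b"TOOL-ORIGINAL"),
    }
    baks = []
    for rel, (parent_bytes, bak_bytes) in cases.items():
        parent = os.path.join(root, *rel.split("/"))
        bak = os.path.join(os.path.dirname(parent), "bak", os.path.basename(parent))
        os.makedirs(os.path.dirname(bak), exist_ok=True)
        if parent_bytes is not None:
            with open(parent, "wb") as f:
                f.write(parent_bytes)
        with open(bak, "wb") as f:
            f.write(bak_bytes)
        baks.append(bak)
    return baks


def demo():
    """Scan, restore, re-scan on a temporary tree; returns the three results."""
    root = tempfile.mkdtemp()
    try:
        baks = build_fixture(root)
        before = scan_bak_folders(root)
        results = restore_from_bak(baks)
        after = scan_bak_folders(root)
        return {"before": before, "results": results, "after": after}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for stage, data in demo().items():
        print(stage, sorted(data.values()))
```

The re-scan after restoring is the check that matters: the "Duplicate files" section of the next FindAWF log should show each parent with the same size and date as its bak copy, which is exactly what the report in the following post shows.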

#5 looney2340, Topic Starter (Members, 202 posts, NYC)

Posted 03 November 2007 - 09:25 AM

Thanks for the quick reply. Here are my new logs:




Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Sat 11/03/2007
The current time is: 10:20:07.81


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

05/11/2000 01:00 AM 90,112 UpdReg.EXE
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\AOL9~1.0A\BAK

04/18/2007 01:49 AM 50,736 AOL.EXE
1 File(s) 50,736 bytes

Directory of C:\PROGRA~1\DELLSU~1\BAK

03/15/2007 11:09 AM 460,784 DSAgnt.exe
1 File(s) 460,784 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\NORTON~1\BAK

12/11/2003 07:35 PM 70,800 UrlLstCk.exe
1 File(s) 70,800 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

09/30/2004 08:05 AM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

12/30/2005 11:46 AM 95,960 SNDMon.exe
1 File(s) 95,960 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

10/19/2005 07:59 AM 126,976 hkcmd.exe
10/19/2005 07:59 AM 155,648 igfxtray.exe
2 File(s) 282,624 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

12/22/2004 05:45 PM 71,280 ccApp.exe
11/21/2003 04:04 PM 124,096 cfgwiz.exe
2 File(s) 195,376 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

04/11/2004 11:43 AM 53,248 DVDLauncher.exe
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK

04/11/2004 08:15 PM 290,816 PCMService.exe
1 File(s) 290,816 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

07/09/2007 09:34 AM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

01/12/2005 02:54 PM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

02/16/2005 10:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\INTEL\MODEME~1\BAK

09/03/2003 08:12 PM 221,184 IntelMEM.exe
1 File(s) 221,184 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~2\BAK

04/19/2004 02:45 PM 131,072 mm_tray.exe
04/19/2004 02:45 PM 53,248 mmtask.exe
2 File(s) 184,320 bytes

Directory of C:\PROGRA~1\MYSPACE\IM\BAK

08/13/2007 07:04 PM 5,562,368 MySpaceIM.exe
1 File(s) 5,562,368 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

03/15/2004 01:04 AM 122,933 tfswctrl.exe
1 File(s) 122,933 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~2.0\READER\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK

12/05/2003 10:08 PM 50,688 WkUFind.exe
1 File(s) 50,688 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

05/02/2006 02:29 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

08/19/2003 01:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\CREATIVE\SBLIVE\DIAGNO~1\BAK

04/03/2002 01:01 AM 135,264 diagent.exe
1 File(s) 135,264 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

11/19/2003 05:48 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\116153~1\EE\BAK

09/25/2006 07:52 PM 50,736 AOLSoftware.exe
1 File(s) 50,736 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

90112 May 11 2000 "C:\WINDOWS\UpdReg.EXE"
90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
45139 Aug 9 2003 "C:\Program Files\America Online 9.0\aol.exe"
50736 Jan 23 2007 "C:\Program Files\AOL 9.0\aol.exe"
50736 Apr 18 2007 "C:\Program Files\AOL 9.0a\AOL.EXE"
50736 Apr 18 2007 "C:\Program Files\AOL 9.0b\aol.exe"
50736 Apr 18 2007 "C:\Program Files\AOL 9.0a\bak\AOL.EXE"
460784 Mar 15 2007 "C:\Program Files\DellSupport\DSAgnt.exe"
460784 Mar 15 2007 "C:\Program Files\DellSupport\bak\DSAgnt.exe"
70800 Dec 11 2003 "C:\Program Files\Norton Internet Security\UrlLstCk.exe"
70800 Dec 11 2003 "C:\Program Files\Norton Internet Security\bak\UrlLstCk.exe"
77824 Sep 30 2004 "C:\Program Files\QuickTime\qttask.exe"
77824 Sep 30 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
95960 Dec 30 2005 "C:\Program Files\SymNetDrv\SNDMon.exe"
95960 Dec 30 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
118784 Feb 10 2004 "C:\DRIVERS\VIDEO\HKCMD.EXE"
126976 Oct 19 2005 "C:\WINDOWS\SYSTEM32\hkcmd.exe"
126976 Oct 19 2005 "C:\WINDOWS\SYSTEM32\bak\hkcmd.exe"
118784 Feb 10 2004 "C:\WINDOWS\SYSTEM32\ReinstallBackups\0004\DriverFiles\hkcmd.exe"
155648 Feb 10 2004 "C:\DRIVERS\VIDEO\IGFXTRAY.EXE"
155648 Oct 19 2005 "C:\WINDOWS\SYSTEM32\igfxtray.exe"
155648 Oct 19 2005 "C:\WINDOWS\SYSTEM32\bak\igfxtray.exe"
155648 Feb 10 2004 "C:\WINDOWS\SYSTEM32\ReinstallBackups\0004\DriverFiles\igfxtray.exe"
71280 Dec 22 2004 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
71280 Dec 22 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
124096 Nov 21 2003 "C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe"
124096 Nov 21 2003 "C:\Program Files\Common Files\Symantec Shared\bak\cfgwiz.exe"
53248 Apr 11 2004 "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
53248 Apr 11 2004 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
290816 Apr 11 2004 "C:\Program Files\Dell\Media Experience\PCMService.exe"
290816 Apr 11 2004 "C:\Program Files\Dell\Media Experience\bak\PCMService.exe"
52272 Mar 21 2007 "C:\Program Files\Google\googletoolbar1user.exe"
68856 Jul 9 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
559784 May 2 2006 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
138168 Mar 21 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
68856 Jul 9 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
241664 Jan 12 2005 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
241664 Jan 12 2005 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
221184 Sep 3 2003 "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
221184 Sep 3 2003 "C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
53248 Apr 19 2004 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
53248 Apr 19 2004 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe"
131072 Apr 19 2004 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
110592 May 2 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"
131072 Apr 19 2004 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe"
5562368 Aug 13 2007 "C:\Program Files\MySpace\IM\MySpaceIM.exe"
5562368 Aug 13 2007 "C:\Program Files\MySpace\IM\bak\MySpaceIM.exe"
122933 Mar 15 2004 "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe"
122933 Mar 15 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
122933 Mar 15 2004 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
50688 Dec 5 2003 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
50688 Dec 5 2003 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
180269 May 2 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 May 2 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
135264 Apr 3 2002 "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe"
135264 Apr 3 2002 "C:\Program Files\Creative\SBLive\Diagnostics\bak\diagent.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"
50760 Sep 29 2006 "C:\Program Files\AOL\RC\EE\aolsoftware.exe"
50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1161530847\ee\AOLSoftware.exe"
50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1161530847\ee\bak\AOLSoftware.exe"


end of report




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:12 AM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\1161530847\ee\AOLSoftware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\AOL\1161530847\ee\aolsoftware.exe
c:\program files\common files\aol\1161530847\ee\AOLOpenRide.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\JOYCE BOWERS\Desktop\Henry\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myway.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: 0 - {B3870377-35D7-444D-3CBC-077F2F91FB2D} - C:\Program Files\Internet Explorer\lavuh119.dll (file missing)
O2 - BHO: (no name) - {BA7C5868-F711-422A-9110-44E3B6A1BE6D} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CB13E61C-6BD8-4CA6-AF48-8572DDBDD421} - C:\WINDOWS\system32\jkkjj.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161530847\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O15 - Trusted Zone: *.whataboutadog.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7082 bytes

#6 random/random

random/random

  • Malware Response Team
  • 2,704 posts

Posted 03 November 2007 - 09:34 AM

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:


"C:\WINDOWS\bak"
"C:\Program Files\AOL 9.0a\bak"
"C:\Program Files\DellSupport\bak"
"C:\Program Files\Norton Internet Security\bak"
"C:\Program Files\QuickTime\bak"
"C:\Program Files\SymNetDrv\bak"
"C:\WINDOWS\SYSTEM32\bak"
"C:\WINDOWS\SYSTEM32\bak"
"C:\Program Files\Common Files\Symantec Shared\bak"
"C:\Program Files\Common Files\Symantec Shared\bak"
"C:\Program Files\CyberLink\PowerDVD\bak"
"C:\Program Files\Dell\Media Experience\bak"
"C:\Program Files\Google\GoogleToolbarNotifier\bak"
"C:\Program Files\HP\hpcoretech\bak"
"C:\Program Files\HP\HP Software Update\bak"
"C:\Program Files\Intel\Modem Event Monitor\bak"
"C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak"
"C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak"
"C:\Program Files\MySpace\IM\bak"
"C:\WINDOWS\SYSTEM32\dla\bak"
"C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak"
"C:\Program Files\Common Files\Real\Update_OB\bak"
"C:\Program Files\Common Files\Sonic\Update Manager\bak"
"C:\Program Files\Creative\SBLive\Diagnostics\bak"
"C:\Program Files\Java\j2re1.4.2_03\bin\bak"


Next, close and click Yes to save the changes.

Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones

This removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

Download the latest version of ComboFix from Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
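The bak-folder list pasted above is read off the "Duplicate files of bak directory contents" section of the FindAWF report. The script below is an added example (not FindAWF, ComboFix or anything the thread's participants posted) that parses that section, pairs each `\bak\` copy with the live file beside it, and prints the deduplicated quoted folder list in the form folders.txt takes. The rule that a bak folder is only listed once the live file matches its bak copy by directory, name and size is this example's own assumption; the sample input is excerpted from the report above plus one constructed mismatching pair.

```python
"""Pair FindAWF 'bak' copies with their live twins and build a folders.txt list.

Added example, not part of FindAWF, ComboFix or this thread. The matching rule
(same parent directory, same file name, same size) is an assumption made here
about when a bak folder is safe to hand to FindAWF option 3.
"""
import re

# Matches report lines such as:  90112 May 11 2000 "C:\WINDOWS\UpdReg.EXE"
LINE_RE = re.compile(r'^\s*(\d+)\s+(\w{3}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"\s*$')

# Excerpt of the duplicate-file section above, plus a constructed last pair
# (C:\Program Files\Example) whose live copy does NOT match its bak copy.
SAMPLE = r"""
90112 May 11 2000 "C:\WINDOWS\UpdReg.EXE"
90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
118784 Feb 10 2004 "C:\DRIVERS\VIDEO\HKCMD.EXE"
126976 Oct 19 2005 "C:\WINDOWS\SYSTEM32\hkcmd.exe"
126976 Oct 19 2005 "C:\WINDOWS\SYSTEM32\bak\hkcmd.exe"
118784 Feb 10 2004 "C:\WINDOWS\SYSTEM32\ReinstallBackups\0004\DriverFiles\hkcmd.exe"
71280 Dec 22 2004 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
71280 Dec 22 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
124096 Nov 21 2003 "C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe"
124096 Nov 21 2003 "C:\Program Files\Common Files\Symantec Shared\bak\cfgwiz.exe"
12288 Oct 17 2007 "C:\Program Files\Example\tool.exe"
77824 Sep 30 2004 "C:\Program Files\Example\bak\tool.exe"
"""


def parse_dup_listing(text):
    """Return (size, date, path) tuples; lines that are not entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def split_path(path):
    """Split a Windows path into (parent directory, file name)."""
    parent, _, name = path.rpartition("\\")
    return parent, name


def pair_bak_files(entries):
    """Map each '...\\bak\\name' entry to the live '...\\name' entry.

    Returns (matched, unmatched). matched holds (bak_path, live_path) pairs
    with equal sizes. unmatched holds bak entries whose live twin is missing
    or differs in size: those are the ones to inspect before deleting anything,
    since the live file may not be the restored original.
    """
    live = {}
    for size, _date, path in entries:
        parent, name = split_path(path)
        if not parent.lower().endswith("\\bak"):
            live[(parent.lower(), name.lower())] = (size, path)

    matched, unmatched = [], []
    for size, _date, path in entries:
        parent, name = split_path(path)
        if not parent.lower().endswith("\\bak"):
            continue
        real_parent = parent[: -len("\\bak")]
        twin = live.get((real_parent.lower(), name.lower()))
        if twin and twin[0] == size:
            matched.append((path, twin[1]))
        else:
            unmatched.append((path, twin[1] if twin else None))
    return matched, unmatched


def bak_folders(matched):
    """Deduplicated, order-preserving, quoted folder list for folders.txt."""
    seen, out = set(), []
    for bak_path, _live in matched:
        folder, _name = split_path(bak_path)
        if folder.lower() not in seen:
            seen.add(folder.lower())
            out.append(f'"{folder}"')
    return out


if __name__ == "__main__":
    matched, unmatched = pair_bak_files(parse_dup_listing(SAMPLE))
    print("\n".join(bak_folders(matched)))
    for bak_path, live_path in unmatched:
        print(f"CHECK FIRST: {bak_path} (live copy: {live_path})")
```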

#7 looney2340

looney2340
  • Topic Starter

  • Members
  • 202 posts

Posted 03 November 2007 - 01:14 PM

Thanks again, here are all my new logs:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:28 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\1161530847\ee\AOLSoftware.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\AOL\1161530847\ee\aolsoftware.exe
c:\program files\common files\aol\1161530847\ee\AOLOpenRide.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\JOYCE BOWERS\Desktop\Henry\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myway.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: 0 - {B3870377-35D7-444D-3CBC-077F2F91FB2D} - C:\Program Files\Internet Explorer\lavuh119.dll (file missing)
O2 - BHO: (no name) - {BA7C5868-F711-422A-9110-44E3B6A1BE6D} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CB13E61C-6BD8-4CA6-AF48-8572DDBDD421} - C:\WINDOWS\system32\jkkjj.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161530847\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7796 bytes



ComboFix 07-11-01.1 - JOYCE BOWERS 2007-11-03 13:46:17.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.159 [GMT -5:00]
Running from: C:\Documents and Settings\JOYCE BOWERS\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\JOYCE BOWERS\Application Data\MANTEC~1
C:\Documents and Settings\JOYCE BOWERS\Desktop\Live Safety Center.lnk
C:\Documents and Settings\JOYCE BOWERS\Desktop\Online Security Guide.lnk
C:\Documents and Settings\JOYCE BOWERS\Favorites\Online Security Guide.lnk
C:\Documents and Settings\JOYCE BOWERS\My Documents\ECURIT~1
C:\Program Files\Temporary
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1194101970.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll
C:\WINDOWS\b111.exe
C:\WINDOWS\b148.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\sembly~1
C:\WINDOWS\SYSTEM32\ddllawvk.ini
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\SYSTEM32\edeypppx.ini
C:\WINDOWS\system32\hfbiltov.dllbox
C:\WINDOWS\system32\hnnlumqu.dll
C:\WINDOWS\system32\iuurfywp.dll
C:\WINDOWS\SYSTEM32\jjkkj.bak1
C:\WINDOWS\SYSTEM32\jjkkj.bak2
C:\WINDOWS\SYSTEM32\jjkkj.ini
C:\WINDOWS\system32\k1
C:\WINDOWS\system32\k1\kotedrvr4.exe
C:\WINDOWS\system32\katzppd.exe
C:\WINDOWS\system32\kvwalldd.dll
C:\WINDOWS\system32\nnfepmqq.dllbox
C:\WINDOWS\system32\oTt08e
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\SYSTEM32\uqmulnnh.ini
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\system32\xpppyede.dll
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\ystem3~1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
.

2007-11-03 13:42 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 11:02 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-10-31 00:01 <DIR> d-------- C:\Documents and Settings\JOYCE BOWERS\Application Data\Grisoft
2007-10-31 00:00 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-10-29 23:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-29 21:48 589 --a------ C:\WINDOWS\SYSTEM32\ohqbcboi.dll
2007-10-29 00:56 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-10-29 00:43 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-28 21:49 589 --a------ C:\WINDOWS\SYSTEM32\qsdsvbrl.dll
2007-10-28 21:40 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-28 21:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-28 21:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-28 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-28 18:58 <DIR> d-------- C:\Program Files\InterMute
2007-10-28 18:23 <DIR> d-------- C:\VundoFix Backups
2007-10-28 09:22 <DIR> d-------- C:\WINDOWS\pss
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2007-10-17 08:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\pod2
2007-10-17 08:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\cap1
2007-10-17 08:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\bib1
2007-10-17 08:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\bco2
2007-10-17 08:29 <DIR> d--hs---- C:\WINDOWS\Sk9ZQ0UgQk9XRVJT
2007-10-17 08:29 <DIR> d-------- C:\Temp
2007-10-14 06:20 <DIR> d-------- C:\Program Files\AOL 9.0b
2007-10-09 17:27 584,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-03 15:20 --------- d-----w C:\Program Files\SymNetDrv
2007-11-03 15:20 --------- d-----w C:\Program Files\QuickTime
2007-11-03 15:20 --------- d-----w C:\Program Files\Norton Internet Security
2007-11-03 15:20 --------- d-----w C:\Program Files\DellSupport
2007-11-03 15:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-03 15:20 --------- d-----w C:\Program Files\AOL 9.0a
2007-10-17 04:06 7,798 ----a-w C:\Documents and Settings\JOYCE BOWERS\Application Data\wklnhst.dat
2007-10-17 01:39 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-14 11:23 --------- d-----w C:\Documents and Settings\JOYCE BOWERS\Application Data\AOL
2007-10-14 11:22 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-14 11:21 --------- d-----w C:\Program Files\Common Files\aolshare
2007-10-14 11:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-14 11:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-10 11:19 --------- d-----w C:\Documents and Settings\JOYCE BOWERS\Application Data\AdobeUM
2007-09-26 01:03 --------- d-----w C:\Program Files\MySpace
2007-09-26 01:03 --------- d-----w C:\Documents and Settings\JOYCE BOWERS\Application Data\MySpace
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 50,736 2007-04-18 06:49:00 C:\Program Files\AOL 9.0a\bak\AOL.EXE
----a-w 50,736 2007-04-18 06:49:00 C:\Program Files\AOL 9.0a\AOL.EXE

----a-w 50,736 2006-09-26 00:52:48 C:\Program Files\Common Files\AOL\1161530847\ee\bak\AOLSoftware.exe
----a-w 50,736 2006-09-26 00:52:48 C:\Program Files\Common Files\AOL\1161530847\ee\AOLSoftware.exe

----a-w 50,688 2003-12-06 03:08:04 C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe
----a-w 50,688 2003-12-06 03:08:04 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

----a-w 180,269 2006-05-02 19:29:59 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 180,269 2006-05-02 19:29:59 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

----a-w 110,592 2003-08-19 06:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe
----a-w 110,592 2003-08-19 06:01:00 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

----a-w 71,280 2004-12-22 22:45:16 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 71,280 2004-12-22 22:45:16 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

----a-w 124,096 2003-11-21 21:04:54 C:\Program Files\Common Files\Symantec Shared\bak\cfgwiz.exe
----a-w 124,096 2003-11-21 21:04:54 C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe

----a-w 135,264 2002-04-03 06:01:00 C:\Program Files\Creative\SBLive\Diagnostics\bak\diagent.exe
----a-w 135,264 2002-04-03 06:01:00 C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

----a-w 53,248 2004-04-11 16:43:44 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe
----a-w 53,248 2004-04-11 16:43:44 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

----a-w 290,816 2004-04-12 01:15:14 C:\Program Files\Dell\Media Experience\bak\PCMService.exe
----a-w 290,816 2004-04-12 01:15:14 C:\Program Files\Dell\Media Experience\PCMService.exe

----a-w 460,784 2007-03-15 16:09:36 C:\Program Files\DellSupport\bak\DSAgnt.exe
----a-w 460,784 2007-03-15 16:09:36 C:\Program Files\DellSupport\DSAgnt.exe

----a-w 68,856 2007-07-09 14:34:48 C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe
----a-w 68,856 2007-07-09 14:34:48 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

----a-w 49,152 2005-02-17 03:11:42 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
----a-w 49,152 2005-02-17 03:11:42 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

----a-w 241,664 2005-01-12 19:54:58 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe
----a-w 241,664 2005-01-12 19:54:58 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

----a-w 221,184 2003-09-04 01:12:44 C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe
----a-w 221,184 2003-09-04 01:12:44 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

----a-w 32,881 2003-11-19 22:48:14 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe
----a-w 32,881 2003-11-19 22:48:14 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

----a-w 53,248 2004-04-19 19:45:52 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe
----a-w 53,248 2004-04-19 19:45:52 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

----a-w 131,072 2004-04-19 19:45:52 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe
----a-w 131,072 2004-04-19 19:45:52 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

----a-w 5,562,368 2007-08-14 00:04:18 C:\Program Files\MySpace\IM\bak\MySpaceIM.exe
----a-w 5,562,368 2007-08-14 00:04:18 C:\Program Files\MySpace\IM\MySpaceIM.exe

----a-w 70,800 2003-12-12 00:35:18 C:\Program Files\Norton Internet Security\bak\UrlLstCk.exe
----a-w 70,800 2003-12-12 00:35:18 C:\Program Files\Norton Internet Security\UrlLstCk.exe

----a-w 77,824 2004-09-30 13:05:18 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 77,824 2004-09-30 13:05:18 C:\Program Files\QuickTime\qttask.exe

----a-w 95,960 2005-12-30 16:46:46 C:\Program Files\SymNetDrv\bak\SNDMon.exe
----a-w 95,960 2005-12-30 16:46:46 C:\Program Files\SymNetDrv\SNDMon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3870377-35D7-444D-3CBC-077F2F91FB2D}]
C:\Program Files\Internet Explorer\lavuh119.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA7C5868-F711-422A-9110-44E3B6A1BE6D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB13E61C-6BD8-4CA6-AF48-8572DDBDD421}]
C:\WINDOWS\system32\jkkjj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 07:59]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 01:01]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 17:45]
"IS CfgWiz"="C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe" [2003-11-21 16:04]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2003-12-11 19:35]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-12-30 11:46]
"HostManager"="C:\Program Files\Common Files\AOL\1161530847\ee\AOLSoftware.exe" [2006-09-25 19:52]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digimax Viewer 2.0.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digimax Viewer 2.0.lnk
backup=C:\WINDOWS\pss\Digimax Viewer 2.0.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^JOYCE BOWERS^Start Menu^Programs^Startup^LimeWire On Startup.lnk.disabled]
path=C:\Documents and Settings\JOYCE BOWERS\Start Menu\Programs\Startup\LimeWire On Startup.lnk.disabled
backup=C:\WINDOWS\pss\LimeWire On Startup.lnk.disabledStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArtChk]
C:\WINDOWS\system32\artchker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b460224e]
rundll32.exe "C:\WINDOWS\system32\kvwalldd.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.5\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Words]
C:\Program Files\Words\Words.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"runner1"=C:\WINDOWS\tsitra1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F3D2907D4E66914B5C1E9E689DB6FC45715EDF7B0F36BB40E2C2832213329D26033AAC
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe


.
Contents of the 'Scheduled Tasks' folder
"2007-10-29 05:35:39 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2004-09-30 13:14:29 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 13:55:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-03 14:05:45 - machine was rebooted
.
--- E O F ---




Thank you, here are my new logs:



Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Sat 11/03/2007
The current time is: 13:37:39.03


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AOL9~1.0A\BAK

04/18/2007 01:49 AM 50,736 AOL.EXE
1 File(s) 50,736 bytes

Directory of C:\PROGRA~1\DELLSU~1\BAK

03/15/2007 11:09 AM 460,784 DSAgnt.exe
1 File(s) 460,784 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\NORTON~1\BAK

12/11/2003 07:35 PM 70,800 UrlLstCk.exe
1 File(s) 70,800 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

09/30/2004 08:05 AM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

12/30/2005 11:46 AM 95,960 SNDMon.exe
1 File(s) 95,960 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

12/22/2004 05:45 PM 71,280 ccApp.exe
11/21/2003 04:04 PM 124,096 cfgwiz.exe
2 File(s) 195,376 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

04/11/2004 11:43 AM 53,248 DVDLauncher.exe
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK

04/11/2004 08:15 PM 290,816 PCMService.exe
1 File(s) 290,816 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

07/09/2007 09:34 AM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

01/12/2005 02:54 PM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

02/16/2005 10:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\INTEL\MODEME~1\BAK

09/03/2003 08:12 PM 221,184 IntelMEM.exe
1 File(s) 221,184 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~2\BAK

04/19/2004 02:45 PM 131,072 mm_tray.exe
04/19/2004 02:45 PM 53,248 mmtask.exe
2 File(s) 184,320 bytes

Directory of C:\PROGRA~1\MYSPACE\IM\BAK

08/13/2007 07:04 PM 5,562,368 MySpaceIM.exe
1 File(s) 5,562,368 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~2.0\READER\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK

12/05/2003 10:08 PM 50,688 WkUFind.exe
1 File(s) 50,688 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

05/02/2006 02:29 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

08/19/2003 01:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\CREATIVE\SBLIVE\DIAGNO~1\BAK

04/03/2002 01:01 AM 135,264 diagent.exe
1 File(s) 135,264 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

11/19/2003 05:48 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\116153~1\EE\BAK

09/25/2006 07:52 PM 50,736 AOLSoftware.exe
1 File(s) 50,736 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

45139 Aug 9 2003 "C:\Program Files\America Online 9.0\aol.exe"
50736 Jan 23 2007 "C:\Program Files\AOL 9.0\aol.exe"
50736 Apr 18 2007 "C:\Program Files\AOL 9.0a\AOL.EXE"
50736 Apr 18 2007 "C:\Program Files\AOL 9.0b\aol.exe"
50736 Apr 18 2007 "C:\Program Files\AOL 9.0a\bak\AOL.EXE"
460784 Mar 15 2007 "C:\Program Files\DellSupport\DSAgnt.exe"
460784 Mar 15 2007 "C:\Program Files\DellSupport\bak\DSAgnt.exe"
70800 Dec 11 2003 "C:\Program Files\Norton Internet Security\UrlLstCk.exe"
70800 Dec 11 2003 "C:\Program Files\Norton Internet Security\bak\UrlLstCk.exe"
77824 Sep 30 2004 "C:\Program Files\QuickTime\qttask.exe"
77824 Sep 30 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
95960 Dec 30 2005 "C:\Program Files\SymNetDrv\SNDMon.exe"
95960 Dec 30 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
71280 Dec 22 2004 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
71280 Dec 22 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
124096 Nov 21 2003 "C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe"
124096 Nov 21 2003 "C:\Program Files\Common Files\Symantec Shared\bak\cfgwiz.exe"
53248 Apr 11 2004 "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
53248 Apr 11 2004 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
290816 Apr 11 2004 "C:\Program Files\Dell\Media Experience\PCMService.exe"
290816 Apr 11 2004 "C:\Program Files\Dell\Media Experience\bak\PCMService.exe"
52272 Mar 21 2007 "C:\Program Files\Google\googletoolbar1user.exe"
68856 Jul 9 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
559784 May 2 2006 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
138168 Mar 21 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
68856 Jul 9 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
241664 Jan 12 2005 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
241664 Jan 12 2005 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
221184 Sep 3 2003 "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
221184 Sep 3 2003 "C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
53248 Apr 19 2004 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
53248 Apr 19 2004 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe"
131072 Apr 19 2004 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
110592 May 2 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"
131072 Apr 19 2004 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe"
5562368 Aug 13 2007 "C:\Program Files\MySpace\IM\MySpaceIM.exe"
5562368 Aug 13 2007 "C:\Program Files\MySpace\IM\bak\MySpaceIM.exe"
50688 Dec 5 2003 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
50688 Dec 5 2003 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
180269 May 2 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 May 2 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
135264 Apr 3 2002 "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe"
135264 Apr 3 2002 "C:\Program Files\Creative\SBLive\Diagnostics\bak\diagent.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"
50760 Sep 29 2006 "C:\Program Files\AOL\RC\EE\aolsoftware.exe"
50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1161530847\ee\AOLSoftware.exe"
50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1161530847\ee\bak\AOLSoftware.exe"


end of report

#8 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 03 November 2007 - 08:16 PM

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove the older Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
  • Open a new Notepad window (Start > All Programs > Accessories > Notepad).
  • Highlight the contents of the codebox below and then press Ctrl+C to copy it to the clipboard:
    Folder::
    C:\Program Files\AOL 9.0a\bak
    C:\Program Files\Common Files\AOL\1161530847\ee\bak
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak
    C:\Program Files\Common Files\Real\Update_OB\bak
    C:\Program Files\Common Files\Sonic\Update Manager\bak
    C:\Program Files\Common Files\Symantec Shared\bak
    C:\Program Files\Creative\SBLive\Diagnostics\bak
    C:\Program Files\CyberLink\PowerDVD\bak
    C:\Program Files\Dell\Media Experience\bak
    C:\Program Files\DellSupport\bak
    C:\Program Files\Google\GoogleToolbarNotifier\bak
    C:\Program Files\HP\HP Software Update\bak
    C:\Program Files\HP\hpcoretech\bak
    C:\Program Files\Intel\Modem Event Monitor\bak
    C:\Program Files\Java\j2re1.4.2_03\bin\bak
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak
    C:\Program Files\MySpace\IM\bak
    C:\Program Files\Norton Internet Security\bak
    C:\Program Files\QuickTime\bak
    C:\Program Files\SymNetDrv\bak
    C:\VundoFix Backups
    C:\WINDOWS\SYSTEM32\pod2
    C:\WINDOWS\SYSTEM32\cap1
    C:\WINDOWS\SYSTEM32\bib1
    C:\WINDOWS\SYSTEM32\bco2
    C:\WINDOWS\Sk9ZQ0UgQk9XRVJT
    C:\Temp
    C:\PROGRA~1\MYWEBS~1
    C:\Program Files\Web Buying
    C:\Program Files\Words
    File::
    C:\WINDOWS\SYSTEM32\ohqbcboi.dll
    C:\WINDOWS\SYSTEM32\qsdsvbrl.dll
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3870377-35D7-444D-3CBC-077F2F91FB2D}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA7C5868-F711-422A-9110-44E3B6A1BE6D}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB13E61C-6BD8-4CA6-AF48-8572DDBDD421}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArtChk]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b460224e]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Words]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "runner1"=-
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit > Paste.
  • Save it to the desktop as CFscript.txt
  • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
    Posted Image
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, the Find AWF report, is produced.
Please provide Find AWF report in your reply.
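The Find AWF report posted above has two sections: the bak folders the tool found, and every copy of those file names elsewhere on the disk, which is what a helper compares when deciding whether a bak folder holds a displaced original. As an added illustration that is not part of this thread and not noahdfear's tool, the Python script below walks a constructed directory tree and prints the same two sections, plus a third triage list that is my own heuristic (a bak file whose same-named sibling in the parent folder is missing or has a different size). Every folder, file name and byte size in the sample tree is constructed for the example.

```python
import os
import tempfile
from pathlib import Path


def build_sample_tree(root: str) -> None:
    """Create a constructed directory layout that mimics what FindAWF reports on.
    Paths and byte contents are sample data made up for this example."""
    sample = {
        "Program Files/QuickTime/qttask.exe": b"Q" * 77824,
        "Program Files/QuickTime/bak/qttask.exe": b"Q" * 77824,
        "Program Files/DellSupport/DSAgnt.exe": b"S" * 4096,      # smaller than its bak twin
        "Program Files/DellSupport/bak/DSAgnt.exe": b"D" * 460784,
        "Program Files/AOL 9.0/aol.exe": b"A" * 50736,
        "Program Files/AOL 9.0a/AOL.EXE": b"A" * 50736,
        "Program Files/AOL 9.0a/bak/AOL.EXE": b"A" * 50736,
        "Program Files/Messenger/bak/": b"",                      # empty bak folder
    }
    for rel, data in sample.items():
        path = Path(root, *rel.split("/"))
        if rel.endswith("/"):
            path.mkdir(parents=True, exist_ok=True)
            continue
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def find_bak_folders(root: str) -> dict:
    """Section 1 of the report: every directory named 'bak' and the files it holds,
    keyed by the directory's path relative to root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath).lower() == "bak":
            rel_dir = os.path.relpath(dirpath, root)
            found[rel_dir] = sorted(
                (name, os.path.getsize(os.path.join(dirpath, name))) for name in files
            )
    return found


def find_duplicates(root: str, bak_folders: dict) -> list:
    """Section 2: every file anywhere under root that shares a name (case-insensitive)
    with a file found in some bak folder, as (size, relative path) tuples."""
    wanted = {name.lower() for entries in bak_folders.values() for name, _ in entries}
    dups = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in wanted:
                full = os.path.join(dirpath, name)
                dups.append((os.path.getsize(full), os.path.relpath(full, root)))
    return sorted(dups, key=lambda t: t[1].lower())


def size_mismatches(root: str, bak_folders: dict) -> list:
    """Added triage heuristic (my assumption, not FindAWF's own logic): flag a bak file
    whose same-named sibling in the parent directory is missing or differs in size."""
    flagged = []
    for rel_dir, entries in bak_folders.items():
        parent = os.path.dirname(os.path.join(root, rel_dir))
        for name, bak_size in entries:
            sibling = os.path.join(parent, name)
            if not os.path.isfile(sibling):
                flagged.append((rel_dir, name, "no sibling in parent"))
            elif os.path.getsize(sibling) != bak_size:
                flagged.append((rel_dir, name, "size differs from parent copy"))
    return flagged


def render_report(root: str) -> str:
    """Produce a text report in the same two-section shape as FindAWF's output."""
    bak = find_bak_folders(root)
    lines = ["bak folders found", "~~~~~~~~~~~", ""]
    for rel_dir in sorted(bak):
        entries = bak[rel_dir]
        lines.append(f"Directory of {rel_dir}")
        for name, size in entries:
            lines.append(f"{size:>12,} {name}")
        lines.append(f"{len(entries)} File(s) {sum(s for _, s in entries):,} bytes")
        lines.append("")
    lines += ["Duplicate files of bak directory contents", "~~~~~~~~~~~~~~~~~~~~~~~", ""]
    for size, rel in find_duplicates(root, bak):
        lines.append(f'{size} "{rel}"')
    lines += ["", "Size mismatches (added heuristic)", "~~~~~~~~~~~"]
    for rel_dir, name, why in size_mismatches(root, bak):
        lines.append(f"{os.path.join(rel_dir, name)}: {why}")
    return "\n".join(lines)


def demo() -> dict:
    """Build the sample tree in a temp dir, run the scan and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        bak = find_bak_folders(tmp)
        return {
            "bak_folders": bak,
            "duplicates": find_duplicates(tmp, bak),
            "mismatches": size_mismatches(tmp, bak),
            "report": render_report(tmp),
        }


if __name__ == "__main__":
    print(demo()["report"])
```

Run it as-is and it reports four bak folders (one empty), seven files sharing a name with a bak-folder file, and one mismatch (the constructed DSAgnt.exe whose parent copy is far smaller than the copy in bak). The mismatch list is only a prompt for a closer look; a same-size pair, as most entries in the report above are, says nothing on its own, which is why the helper asks for the whole report rather than a verdict from the tool.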

#9 looney2340

looney2340
  • Topic Starter

  • Members
  • 202 posts
  • Gender:Male
  • Location:NYC

Posted 03 November 2007 - 09:28 PM

Hello.

Here are my new logs. I do have a question: after the 2nd fix I was able to get online with the computer I'm working on, slowly, but I was able to connect. I was finally able to get Norton to start and I tried to update the virus definition files, but the subscription was up; it did do an update on some other components. Windows auto update ran and installed some updates. After the updates I stayed online with no problem until I restarted, and since then I have been unable to connect to the web; I keep getting a "page cannot be displayed" error. I connected my laptop and was able to get online. Any ideas what may have caused this problem as well, or can this be because the machine is starting to run correctly and has to be re-configured somehow???



Find AWF report by noahdfear 2006
Version 1.40

The current date is: Sat 11/03/2007
The current time is: 22:14:07.35


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~2.0\READER\BAK

0 File(s) 0 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\AOL9~1.0A\BAK

04/18/2007 01:49 AM 50,736 AOL.EXE.vir
1 File(s) 50,736 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\DELLSU~1\BAK

03/15/2007 11:09 AM 460,784 DSAgnt.exe.vir
1 File(s) 460,784 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\NORTON~1\BAK

12/11/2003 07:35 PM 70,800 UrlLstCk.exe.vir
1 File(s) 70,800 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\QUICKT~1\BAK

09/30/2004 08:05 AM 77,824 qttask.exe.vir
1 File(s) 77,824 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\SYMNET~1\BAK

12/30/2005 11:46 AM 95,960 SNDMon.exe.vir
1 File(s) 95,960 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\COMMON~1\SYMANT~1\BAK

12/22/2004 05:45 PM 71,280 ccApp.exe.vir
11/21/2003 04:04 PM 124,096 cfgwiz.exe.vir
2 File(s) 195,376 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\CYBERL~1\POWERDVD\BAK

04/11/2004 11:43 AM 53,248 DVDLauncher.exe.vir
1 File(s) 53,248 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\DELL\MEDIAE~1\BAK

04/11/2004 08:15 PM 290,816 PCMService.exe.vir
1 File(s) 290,816 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\GOOGLE\GOOGLE~1\BAK

07/09/2007 09:34 AM 68,856 GoogleToolbarNotifier.exe.vir
1 File(s) 68,856 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\HP\HPCORE~1\BAK

01/12/2005 02:54 PM 241,664 hpcmpmgr.exe.vir
1 File(s) 241,664 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\HP\HPSOFT~1\BAK

02/16/2005 10:11 PM 49,152 HPWuSchd2.exe.vir
1 File(s) 49,152 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\INTEL\MODEME~1\BAK

09/03/2003 08:12 PM 221,184 IntelMEM.exe.vir
1 File(s) 221,184 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\MUSICM~1\MUSICM~1\BAK

04/19/2004 02:45 PM 131,072 mm_tray.exe.vir
04/19/2004 02:45 PM 53,248 mmtask.exe.vir
2 File(s) 184,320 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\MYSPACE\IM\BAK

08/13/2007 07:04 PM 5,562,368 MySpaceIM.exe.vir
1 File(s) 5,562,368 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK

12/05/2003 10:08 PM 50,688 WkUFind.exe.vir
1 File(s) 50,688 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

05/02/2006 02:29 PM 180,269 realsched.exe.vir
1 File(s) 180,269 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

08/19/2003 01:01 AM 110,592 sgtray.exe.vir
1 File(s) 110,592 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\CREATIVE\SBLIVE\DIAGNO~1\BAK

04/03/2002 01:01 AM 135,264 diagent.exe.vir
1 File(s) 135,264 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

11/19/2003 05:48 PM 32,881 jusched.exe.vir
1 File(s) 32,881 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\COMMON~1\AOL\116153~1\EE\BAK

09/25/2006 07:52 PM 50,736 AOLSoftware.exe.vir
1 File(s) 50,736 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

50736 Apr 18 2007 "C:\qoobox\Quarantine\C\Program Files\AOL 9.0a\bak\AOL.EXE.vir"
460784 Mar 15 2007 "C:\qoobox\Quarantine\C\Program Files\DellSupport\bak\DSAgnt.exe.vir"
70800 Dec 11 2003 "C:\qoobox\Quarantine\C\Program Files\Norton Internet Security\bak\UrlLstCk.exe.vir"
77824 Sep 30 2004 "C:\qoobox\Quarantine\C\Program Files\QuickTime\bak\qttask.exe.vir"
95960 Dec 30 2005 "C:\qoobox\Quarantine\C\Program Files\SymNetDrv\bak\SNDMon.exe.vir"
71280 Dec 22 2004 "C:\qoobox\Quarantine\C\Program Files\Common Files\Symantec Shared\bak\ccApp.exe.vir"
124096 Nov 21 2003 "C:\qoobox\Quarantine\C\Program Files\Common Files\Symantec Shared\bak\cfgwiz.exe.vir"
53248 Apr 11 2004 "C:\qoobox\Quarantine\C\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe.vir"
290816 Apr 11 2004 "C:\qoobox\Quarantine\C\Program Files\Dell\Media Experience\bak\PCMService.exe.vir"
68856 Jul 9 2007 "C:\qoobox\Quarantine\C\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe.vir"
241664 Jan 12 2005 "C:\qoobox\Quarantine\C\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe.vir"
49152 Feb 16 2005 "C:\qoobox\Quarantine\C\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe.vir"
221184 Sep 3 2003 "C:\qoobox\Quarantine\C\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe.vir"
53248 Apr 19 2004 "C:\qoobox\Quarantine\C\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe.vir"
131072 Apr 19 2004 "C:\qoobox\Quarantine\C\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe.vir"
5562368 Aug 13 2007 "C:\qoobox\Quarantine\C\Program Files\MySpace\IM\bak\MySpaceIM.exe.vir"
50688 Dec 5 2003 "C:\qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe.vir"
180269 May 2 2006 "C:\qoobox\Quarantine\C\Program Files\Common Files\Real\Update_OB\bak\realsched.exe.vir"
110592 Aug 19 2003 "C:\qoobox\Quarantine\C\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe.vir"
135264 Apr 3 2002 "C:\qoobox\Quarantine\C\Program Files\Creative\SBLive\Diagnostics\bak\diagent.exe.vir"
32881 Nov 19 2003 "C:\qoobox\Quarantine\C\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe.vir"
50736 Sep 25 2006 "C:\qoobox\Quarantine\C\Program Files\Common Files\AOL\1161530847\ee\bak\AOLSoftware.exe.vir"


end of report





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:03 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\1161530847\ee\AOLSoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\AOL\1161530847\ee\aolsoftware.exe
c:\program files\common files\aol\1161530847\ee\AOLOpenRide.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\JOYCE BOWERS\Desktop\Henry\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myway.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161530847\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7187 bytes




ComboFix 07-11-01.1 - JOYCE BOWERS 2007-11-03 21:59:06.2 - NTFSx86
Running from: C:\Documents and Settings\JOYCE BOWERS\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\JOYCE BOWERS\Desktop\cfscript.txt.txt
* Created a new restore point

FILE::
C:\WINDOWS\SYSTEM32\ohqbcboi.dll
C:\WINDOWS\SYSTEM32\qsdsvbrl.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\AOL 9.0a\bak
C:\Program Files\AOL 9.0a\bak\AOL.EXE
C:\Program Files\Common Files\AOL\1161530847\ee\bak
C:\Program Files\Common Files\AOL\1161530847\ee\bak\AOLSoftware.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak
C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
C:\Program Files\Common Files\Sonic\Update Manager\bak
C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\bak\cfgwiz.exe
C:\Program Files\Creative\SBLive\Diagnostics\bak
C:\Program Files\Creative\SBLive\Diagnostics\bak\diagent.exe
C:\Program Files\CyberLink\PowerDVD\bak
C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\bak
C:\Program Files\Dell\Media Experience\bak\PCMService.exe
C:\Program Files\DellSupport\bak
C:\Program Files\DellSupport\bak\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\bak
C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe
C:\Program Files\Intel\Modem Event Monitor\bak
C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe
C:\Program Files\Java\j2re1.4.2_03\bin\bak
C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe
C:\Program Files\MySpace\IM\bak
C:\Program Files\MySpace\IM\bak\MySpaceIM.exe
C:\Program Files\Norton Internet Security\bak
C:\Program Files\Norton Internet Security\bak\UrlLstCk.exe
C:\Program Files\QuickTime\bak
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\SymNetDrv\bak
C:\Program Files\SymNetDrv\bak\SNDMon.exe
C:\Temp
C:\VundoFix Backups
C:\VundoFix Backups\amsyopvc.dll.bad
C:\VundoFix Backups\cgpthcsx.dll.bad
C:\VundoFix Backups\hfbiltov.dll.bad
C:\VundoFix Backups\nnfepmqq.dll.bad
C:\VundoFix Backups\picaguxa.dll.bad
C:\VundoFix Backups\pkeydiod.dll.bad
C:\VundoFix Backups\seawjxxb.dll.bad
C:\WINDOWS\Sk9ZQ0UgQk9XRVJT
C:\WINDOWS\SYSTEM32\bco2
C:\WINDOWS\SYSTEM32\bib1
C:\WINDOWS\SYSTEM32\cap1
C:\WINDOWS\SYSTEM32\cap1\dode83122.exe
C:\WINDOWS\SYSTEM32\ohqbcboi.dll
C:\WINDOWS\SYSTEM32\pod2
C:\WINDOWS\SYSTEM32\qsdsvbrl.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-04 to 2007-11-04 )))))))))))))))))))))))))))))))
.

2007-11-03 21:52 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-03 13:42 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-31 00:01 <DIR> d-------- C:\Documents and Settings\JOYCE BOWERS\Application Data\Grisoft
2007-10-31 00:00 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-10-29 23:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-29 00:56 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-10-29 00:43 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-28 21:40 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-28 21:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-28 21:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-28 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-28 18:58 <DIR> d-------- C:\Program Files\InterMute
2007-10-28 09:22 <DIR> d-------- C:\WINDOWS\pss
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2007-10-14 06:20 <DIR> d-------- C:\Program Files\AOL 9.0b
2007-10-09 17:27 584,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-04 03:04 --------- d-----w C:\Program Files\SymNetDrv
2007-11-04 03:04 --------- d-----w C:\Program Files\QuickTime
2007-11-04 03:04 --------- d-----w C:\Program Files\Norton Internet Security
2007-11-04 03:04 --------- d-----w C:\Program Files\DellSupport
2007-11-04 03:04 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-04 03:04 --------- d-----w C:\Program Files\AOL 9.0a
2007-11-04 02:54 --------- d-----w C:\Program Files\Java
2007-11-04 01:04 --------- d-----w C:\Program Files\Symantec
2007-10-17 04:06 7,798 ----a-w C:\Documents and Settings\JOYCE BOWERS\Application Data\wklnhst.dat
2007-10-17 01:39 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-14 11:23 --------- d-----w C:\Documents and Settings\JOYCE BOWERS\Application Data\AOL
2007-10-14 11:22 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-14 11:21 --------- d-----w C:\Program Files\Common Files\aolshare
2007-10-14 11:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-14 11:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-10 11:19 --------- d-----w C:\Documents and Settings\JOYCE BOWERS\Application Data\AdobeUM
2007-09-26 01:03 --------- d-----w C:\Program Files\MySpace
2007-09-26 01:03 --------- d-----w C:\Documents and Settings\JOYCE BOWERS\Application Data\MySpace
.

((((((((((((((((((((((((((((( snapshot@2007-11-03_13.59.00.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-25 15:26:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
+ 2007-11-03 19:22:31 77,824 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
- 2005-12-01 17:14:20 123,488 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
+ 2006-09-16 03:52:12 124,016 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
- 2003-11-19 21:36:26 24,681 ----a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2007-09-25 03:30:28 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
- 2003-11-19 21:36:30 28,779 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2007-09-25 03:30:30 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2007-09-25 04:31:42 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
+ 2007-04-24 16:32:06 1,485,696 ------w C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
- 2005-12-01 17:14:20 86,091 ----a-w C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
+ 2006-09-16 03:52:12 91,904 ----a-w C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
- 2005-10-12 23:12:25 14,048 ------w C:\WINDOWS\SYSTEM32\spmsg.dll
+ 2006-11-17 21:14:30 14,640 ------w C:\WINDOWS\SYSTEM32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3870377-35D7-444D-3CBC-077F2F91FB2D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA7C5868-F711-422A-9110-44E3B6A1BE6D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB13E61C-6BD8-4CA6-AF48-8572DDBDD421}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 07:59]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 01:01]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 17:45]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2003-12-11 19:35]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-12-30 11:46]
"HostManager"="C:\Program Files\Common Files\AOL\1161530847\ee\AOLSoftware.exe" [2006-09-25 19:52]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digimax Viewer 2.0.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digimax Viewer 2.0.lnk
backup=C:\WINDOWS\pss\Digimax Viewer 2.0.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^JOYCE BOWERS^Start Menu^Programs^Startup^LimeWire On Startup.lnk.disabled]
path=C:\Documents and Settings\JOYCE BOWERS\Start Menu\Programs\Startup\LimeWire On Startup.lnk.disabled
backup=C:\WINDOWS\pss\LimeWire On Startup.lnk.disabledStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe


.
Contents of the 'Scheduled Tasks' folder
"2007-11-04 00:53:51 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
"2007-10-29 05:35:39 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2007-11-04 03:08:03 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 22:07:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-03 22:13:01 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-03 14:05
.
--- E O F ---

#10 random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 04 November 2007 - 07:03 AM

Right click here and click save link as
Save it as resetteatimer.bat to your desktop

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

Double click on resetteatimer.bat and wait for it to finish

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines (if still present)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myway.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -

Then close all windows except HijackThis and click Fix Checked

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log and a description of any remaining problems

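The "fix these lines (if still present)" step above relies on reading the HijackThis O2 and O16 entries by eye: a BHO whose path is "(no file)" or a DPF record with no download URL is a registration whose code has already been removed, which is exactly what HijackThis's "Fix Checked" cleans up. The script below is an added example (not part of this thread or of HijackThis) that parses those two sections, flags orphaned entries, and then checks a fresh log to confirm which flagged entries are actually gone. The two sample logs are constructed for the example; the CLSIDs are the ones quoted in the posts above and the paths are shortened.

```python
"""Flag orphaned HijackThis O2/O16 entries and confirm they are gone after a fix.

Added example for this thread, not a HijackThis feature. The sample log text is
constructed after the format shown in the posts (CLSIDs copied from the thread,
paths shortened). Nothing here changes the machine; it only reads log text.
"""
import re
from typing import List, NamedTuple

# Constructed "before" log: two orphaned BHOs and one DPF record with no URL.
BEFORE_FIX_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
"""

# Constructed "after" log, as it would look once Fix Checked removed the three entries.
AFTER_FIX_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
"""


class Entry(NamedTuple):
    section: str   # "O2" (Browser Helper Object) or "O16" (Downloaded Program File)
    clsid: str     # GUID without braces, upper-cased so case differences do not matter
    name: str      # BHO name or DPF description; "(no name)" when HijackThis had none
    target: str    # DLL path for O2, download URL for O16; "" when absent
    raw: str       # the original log line, kept for reporting


O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$")
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\}(?: \((?P<name>[^)]*)\))? - ?(?P<target>.*)$")


def parse_hjt(text: str) -> List[Entry]:
    """Return the O2 and O16 entries of a HijackThis log; other sections are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            entries.append(Entry("O2", m["clsid"].upper(), m["name"], m["target"].strip(), line))
            continue
        m = O16_RE.match(line)
        if m:
            entries.append(Entry("O16", m["clsid"].upper(), m["name"] or "(no name)",
                                 m["target"].strip(), line))
    return entries


def is_orphaned(entry: Entry) -> bool:
    """A registration whose code is gone: a BHO key whose DLL no longer exists (O2),
    or an ActiveX download record with no source URL (O16)."""
    if entry.section == "O2":
        return entry.target == "(no file)"
    return entry.target == ""


def flag_orphans(text: str) -> List[Entry]:
    """Entries a helper would ask to fix: orphaned O2/O16 registrations in the log."""
    return [e for e in parse_hjt(text) if is_orphaned(e)]


def still_present(flagged: List[Entry], new_text: str) -> List[Entry]:
    """The 'if still present' check: which flagged entries survive in a fresh log."""
    current = {(e.section, e.clsid) for e in parse_hjt(new_text)}
    return [e for e in flagged if (e.section, e.clsid) in current]


if __name__ == "__main__":
    flagged = flag_orphans(BEFORE_FIX_LOG)
    print("Entries to fix:")
    for e in flagged:
        print("  ", e.raw)
    leftover = still_present(flagged, AFTER_FIX_LOG)
    print("Still present after fix:", [e.clsid for e in leftover] or "none")
```

Matching on (section, CLSID) rather than on the whole line is deliberate: the name and path fields change between runs (a "(no name)" BHO may show its DLL once the file is restored), but the CLSID is the key HijackThis actually removes.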

#11 looney2340

  • Topic Starter
  • Members
  • 202 posts
  • Gender:Male
  • Location:NYC

Posted 04 November 2007 - 05:13 PM

Hello,

I was able to get online with the computer I am working on again. I had to uninstall Norton; it was 5 years out of date. I did install McAfee and updated the virus signatures, and it did find some viruses and deleted them. While I was running the online scan as requested, McAfee did find a virus in C:/volumeinformation/restore and deleted both. It seems the further ahead we get, I am still finding trojans and downloaders on this computer even after every step.

P.S. TeaTimer is not active in Spybot; I was not sure if you wanted me to restart it.




Here are the new logs:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2636 (20071103)
# vers_arch_module=1.058 (20070906)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=2b59a88e3c4ede48a80c9456442cf239
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2007-11-04 10:04:16
# local_time=2007-11-04 05:04:16 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=217371
# found=15
# scan_time=2530
C:\qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk.vir Win32/Adware.SecToolbar application F2B4532FECADA658C8FE26C90501C31D
C:\qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk.vir Win32/Adware.SecToolbar application 1132560F7C65D7BCE6848E06E9125813
C:\qoobox\Quarantine\C\Documents and Settings\JOYCE BOWERS\Desktop\Live Safety Center.lnk.vir Win32/Adware.SecToolbar application 741FC08BA7D318B8D8B0D7E971573EF3
C:\qoobox\Quarantine\C\Documents and Settings\JOYCE BOWERS\Desktop\Online Security Guide.lnk.vir Win32/Adware.SecToolbar application 0505E12BD8A3E31FE6D38086EEC74AE4
C:\qoobox\Quarantine\C\Documents and Settings\JOYCE BOWERS\Favorites\Online Security Guide.lnk.vir Win32/Adware.SecToolbar application 5C6DD11310D9F51A236346E48FB8AFC8
C:\qoobox\Quarantine\C\VundoFix Backups\amsyopvc.dll.bad.vir a variant of Win32/Adware.SecToolbar application 84FBEE871E3E036047002E7483651206
C:\qoobox\Quarantine\C\VundoFix Backups\hfbiltov.dll.bad.vir a variant of Win32/Adware.SecToolbar application 4E7B9E0E21A26D5293F4F437B3BB1496
C:\qoobox\Quarantine\C\VundoFix Backups\nnfepmqq.dll.bad.vir a variant of Win32/Adware.SecToolbar application 30011FEBA5E04D2CF15ACBCCE807D2F3
C:\qoobox\Quarantine\C\VundoFix Backups\seawjxxb.dll.bad.vir a variant of Win32/Adware.SecToolbar application 17183208FF4411B1310828E2C5D5F66D
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\WinNB58.dll.vir a variant of Win32/Adware.Mirar application 9A211CEF439DF26E12933C98B2F3708B
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1093\A0050376.lnk Win32/Adware.SecToolbar application 741FC08BA7D318B8D8B0D7E971573EF3
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1093\A0050377.lnk Win32/Adware.SecToolbar application 0505E12BD8A3E31FE6D38086EEC74AE4
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1093\A0050378.lnk Win32/Adware.SecToolbar application F2B4532FECADA658C8FE26C90501C31D
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1093\A0050379.lnk Win32/Adware.SecToolbar application 1132560F7C65D7BCE6848E06E9125813
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1093\A0050394.dll a variant of Win32/Adware.Mirar application 9A211CEF439DF26E12933C98B2F3708B


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:34 PM, on 11/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\1161530847\ee\AOLSoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGRDIAN.EXE
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\AOL\1161530847\ee\aolsoftware.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
c:\program files\common files\aol\1161530847\ee\AOLOpenRide.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\JOYCE BOWERS\Desktop\Henry\HijackThis.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161530847\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGRDIAN.EXE" /SU
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Firewall - Networks Associates, Inc. - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6708 bytes

#12 random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 04 November 2007 - 05:31 PM

You appear to be nearly clean

TeaTimer can be re-enabled once you're fully clean

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines (if still present)

O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)

Then close all windows except HijackThis and click Fix Checked

Run AVG Anti-Spyware
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).
Please set up the program as follows:
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
  • Under How to act? - make sure that Quarantine is selected.
  • Under How to scan? - All checkboxes should be ticked.
  • Under Possibly unwanted software - All checkboxes should be ticked.
  • Under Reports - Select Do not automatically generate reports.
  • Under What to scan? - Select Scan every file.
Close all open windows.
  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button (*** This must done before saving the report ***)
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
Post back with the AVG Anti-Spyware report, a new HijackThis log, and a description of any remaining problems

#13 looney2340

  • Topic Starter
  • Members
  • 202 posts
  • Gender:Male
  • Location:NYC

Posted 04 November 2007 - 07:54 PM

Hello,

Here are my new logs. I also posted one I made from BitDefender's online scan, which found some infected files; I thought it may help some, not too sure. Is it possible to delete any of the C:\qoobox\Quarantine folder, or the whole thing itself, and not cause any errors on the computer? It does seem it finds these quarantined files.
I will wait for your next instructions, and when I get the all clear I will restart the TeaTimer as well as System Restore.


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:48:06 PM 11/4/2007

+ Scan result:



Nothing found.



::Report end



BITDEFENDERS ONLINE SCAN FINDINGS


C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\cap1\dode83122.exe.vir=>(NSIS o)=>zlib_nsis0003
Detected with: Adware.TTC.B

C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\cap1\dode83122.exe.vir=>(NSIS o)=>zlib_nsis0003
Disinfection failed

C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\cap1\dode83122.exe.vir=>(NSIS o)=>zlib_nsis0003
Deleted

C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\cap1\dode83122.exe.vir=>(NSIS o)
Update failed

C:\qoobox\Quarantine\C\WINDOWS\TTC-4444.exe.vir=>(NSIS o)=>zlib_nsis0003
Detected with: Adware.TTC.B

C:\qoobox\Quarantine\C\WINDOWS\TTC-4444.exe.vir=>(NSIS o)=>zlib_nsis0003
Disinfection failed

C:\qoobox\Quarantine\C\WINDOWS\TTC-4444.exe.vir=>(NSIS o)=>zlib_nsis0003
Deleted

C:\qoobox\Quarantine\C\WINDOWS\TTC-4444.exe.vir=>(NSIS o)
Update failed





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:38 PM, on 11/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\1161530847\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGRDIAN.EXE
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\AOL\1161530847\ee\aolsoftware.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
c:\program files\common files\aol\1161530847\ee\AOLOpenRide.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\JOYCE BOWERS\Desktop\Henry\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161530847\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGRDIAN.EXE" /SU
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Firewall - Networks Associates, Inc. - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6471 bytes

#14 random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 05 November 2007 - 02:54 PM

C:\qoobox\ is the quarantine folder for combofix, you can delete it

You can delete combofix.exe and findawf.exe & also reenable teatimer

You now appear to be clean. Congratulations!

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints. You need to be registered to post, as unfortunately we were hit with too many spam postings to allow guest posting to continue. Just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
  • Turn System Restore off
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore.
    • Click Apply, and then click OK.
    Restart
  • Turn System Restore on
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Uncheck *Turn off System Restore*.
    • Click Apply, and then click OK.
    Note: only do this once, and not on a regular basis
  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it, so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector. I suggest that you run it at least once a month.
  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & click Custom level
    • In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
    • Next click OK, then the Apply button and then OK to exit the Internet Properties page.
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here
    You can download SpywareBlaster from here
  • Install and use Spybot Search & Destroy
    Instructions are located here
    Make sure you update, reimmunize & scan regularly
  • Make use of the HOSTS file included with Spybot Search & Destroy
    Every version of Windows includes a hosts file. A hosts file is a bit like a phone book: it points from the human friendly name of a website to the actual numeric address (i.e. the IP address). This feature can be used to block malicious websites.
    Spybot Search & Destroy has a good HOSTS file built in. To enable the HOSTS file in Spybot Search & Destroy:
    • Run Spybot Search & Destroy
    • Click on Mode, and then place a tick next to Advanced mode
    • Click Yes
    • In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
    • Click on Add Spybot-S&D hosts list
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here
  • Install a-squared Free & update and scan with it regularly
    a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer which provides some real time protection against premium rate dialers
  • Finally, I am trying to make one point very clear: it is absolutely essential to keep all of your security programs up to date.
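The HOSTS file mechanism described in the reply above, as an added example that is not part of random/random's post or of Spybot S&D: a small Python resolver that reads a constructed hosts file the way Windows does (case-insensitive names, first entry wins, `#` comments), reports whether a name is blocked, redirected or left to normal DNS, and lists the entries that send a name to a real address, which are the ones the machine's owner should recognise. All hostnames and addresses in the sample are constructed.

```python
import ipaddress

# Constructed sample in Windows HOSTS format (not Spybot's real list).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# Block-list entries send the name to loopback, so the real site is never reached.
127.0.0.1       ads.example.test        # constructed entry
0.0.0.0         tracker.example.test
# A mapping to a routable address: fine on a LAN, but worth a look.
192.0.2.10      intranet.example.test www.intranet.example.test
this line is malformed and must be skipped
"""

SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}  # a mapping here is a block, not a redirect

def parse_hosts(text):
    """Return {lowercase hostname: ip}. Windows matches names case-insensitively,
    takes the first entry for a name, and treats '#' as a comment."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed line: the resolver ignores it, so do we
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)
    return table

def classify(table, hostname):
    """'blocked' (sinkholed), 'redirected' (sent to another address),
    or 'dns' (absent from the file, so normal DNS lookup applies)."""
    ip = table.get(hostname.lower())
    if ip is None:
        return "dns"
    return "blocked" if ip in SINKHOLES else "redirected"

def redirects(table):
    """Entries that override DNS with a real address; the owner should know each one."""
    return {name: ip for name, ip in table.items() if ip not in SINKHOLES}

if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.test", "www.intranet.example.test", "example.org"):
        print(name, "->", classify(hosts, name))
    print("redirects:", redirects(hosts))
```

On a real machine, feed it the contents of `%SystemRoot%\System32\drivers\etc\hosts` instead of the sample; a very large block list is what triggers the DNS Client slowdown the note above describes.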


#15 looney2340

  • Topic Starter
  • Members
  • 202 posts
  • Gender:Male
  • Location:NYC

Posted 09 November 2007 - 04:16 PM

Thank you for all your help. I was a HJT Trainee, but I had started a second job and did not have as much time as I thought to keep up with the studies. I will ask to be added again when I do have more time. I did install Spybot, AVG and Ad-Aware; I will keep them all updated to help protect the computer.



