Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Whataboutadog And Doginhispen? Help Me!


  • This topic is locked This topic is locked
16 replies to this topic

#1 AtreyuTheSlayer

AtreyuTheSlayer

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:08 AM

Posted 29 October 2007 - 07:40 PM

So my computer hasn't really done anything different that I can tell, but b.whataboutadog and a.doginhispen have been coming up in my internet history for the last week or two. I've already gone through the prepartion guide (took forever!), so if someone could check this out and tell me if anythings wrong with it, that would ease my stress levels greatly. Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:27 PM, on 10/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\SBC LightSpeed Self Support Tool\bin\mpbtn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;localhost;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [My Kazaa Gold] C:\Program Files\My Kazaa Gold\MyGoldKazaa.exe /hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v6.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

--
End of file - 11552 bytes

BC AdBot (Login to Remove)

 


m

#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:08 AM

Posted 30 October 2007 - 09:41 PM

Hello AtreyuTheSlayer,


Download FindAWF:
http://noahdfear.net/downloads/FindAWF.exe
Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, Find AWF report is produced that we need to look at.
Please post it in your reply.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 AtreyuTheSlayer

AtreyuTheSlayer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:08 AM

Posted 01 November 2007 - 11:56 PM

Here you go.

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Thu 11/01/2007
The current time is: 23:50:38.09


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MYKAZA~2\BAK

10/30/2007 05:46 PM 0 My Kazaa Gold.conf
01/14/2007 11:48 PM 2,445,312 MyGoldKazaa.exe
2 File(s) 2,445,312 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

07/22/2005 09:45 PM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

10/29/2007 10:50 PM 180 hpsysdrv.DAT
05/07/1998 06:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,916 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

01/12/2006 05:40 PM 155,648 NeroCheck.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSHAR~1\BAK

04/17/2002 07:42 PM 69,632 hpgs2wnd.exe
1 File(s) 69,632 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

08/04/2007 02:33 AM 582,992 mcagent.exe
1 File(s) 582,992 bytes

Directory of C:\PROGRA~1\SBCLIG~1\SMARTB~1\BAK

12/10/2003 05:52 AM 380,928 MotiveSB.exe
1 File(s) 380,928 bytes

Directory of C:\PROGRA~1\YAHOO!\BROWSER\BAK

07/21/2006 05:19 PM 129,536 ybrwicon.exe
1 File(s) 129,536 bytes

Directory of C:\PROGRA~1\YAHOO!\YOP\BAK

07/21/2006 11:43 AM 407,032 yop.exe
1 File(s) 407,032 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\ACS\BAK

04/07/2004 12:07 PM 496,752 AOLDial.exe
1 File(s) 496,752 bytes

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK

09/13/2003 10:36 PM 50,688 WkUFind.exe
1 File(s) 50,688 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

08/09/2007 10:30 PM 185,632 realsched.exe
1 File(s) 185,632 bytes

Directory of C:\PROGRA~1\HEWLET~1\DIGITA~1\UNLOAD\BAK

10/07/2002 12:23 AM 90,112 hpqcmon.exe
1 File(s) 90,112 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

26636 Oct 18 2007 "C:\Program Files\My Kazaa Gold\MyGoldKazaa.exe"
2445312 Jan 14 2007 "C:\Program Files\My Kazaa Gold\bak\MyGoldKazaa.exe"
40960 Jan 31 2007 "C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\{21329DB6-ACC2-48AC-BE6E-BDDBCEB667D7}\MyGoldKazaa.exe_21329DB6ACC248ACBE6EBDDBCEB667D7.exe"
3754 Jun 4 2007 "C:\Program Files\My Kazaa Gold\My Kazaa Gold.conf"
0 Oct 30 2007 "C:\Program Files\My Kazaa Gold\bak\My Kazaa Gold.conf"
26636 Oct 18 2007 "C:\Program Files\QuickTime\qttask.exe"
98304 Jul 22 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
187 Oct 17 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
180 Oct 29 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
26636 Oct 18 2007 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
155648 Jan 12 2006 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jan 12 2006 "C:\WINDOWS\system32\bak\NeroCheck.exe"
26636 Oct 18 2007 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
69632 Apr 17 2002 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe"
582992 Aug 3 2007 "C:\Program Files\McAfee.com\Agent\mcagent.exe"
582992 Aug 4 2007 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
26636 Oct 18 2007 "C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\MotiveSB.exe"
380928 Dec 10 2003 "C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\bak\MotiveSB.exe"
380928 Nov 30 2006 "C:\Program Files\SBC LightSpeed Self Support Tool\tmp\bin\MotiveSB.exe"
26636 Oct 18 2007 "C:\Program Files\Yahoo!\browser\ybrwicon.exe"
129536 Jul 21 2006 "C:\Program Files\Yahoo!\browser\bak\ybrwicon.exe"
26636 Oct 18 2007 "C:\Program Files\Yahoo!\YOP\yop.exe"
407032 Jul 21 2006 "C:\Program Files\Yahoo!\YOP\bak\yop.exe"
26636 Oct 18 2007 "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
496752 Apr 7 2004 "C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe"
26636 Oct 18 2007 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
50688 Sep 13 2003 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
28672 Jul 24 2002 "C:\Program Files\Online Services\MSN80\MSN\pictureit\PIP\Common\MSShared\WkShared\WkUFind.exe"
26636 Oct 18 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
185632 Aug 9 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
26636 Oct 18 2007 "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe"
90112 Oct 7 2002 "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe"


end of report

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:08 AM

Posted 02 November 2007 - 09:32 AM

Hi AtreyuTheSlayer,


Any idea where you go whataboutadog from? :thumbsup:

Whether or not it's helpful, we're interested in knowing where it came from so that we can get it ourselves. We need to further analyze this infection. We've had reports of users becoming infected while looking for Vanessa Anne Hudgens pics.


Please double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


"C:\Program Files\My Kazaa Gold\bak\MyGoldKazaa.exe"
"C:\Program Files\My Kazaa Gold\bak\My Kazaa Gold.conf"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\system\bak\hpsysdrv.DAT"
"C:\WINDOWS\system\bak\hpsysdrv.exe"
"C:\WINDOWS\system32\bak\NeroCheck.exe"
"C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe"
"C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
"C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\bak\MotiveSB.exe"
"C:\Program Files\Yahoo!\browser\bak\ybrwicon.exe"
"C:\Program Files\Yahoo!\YOP\bak\yop.exe"
"C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe"
"C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 AtreyuTheSlayer

AtreyuTheSlayer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:08 AM

Posted 02 November 2007 - 05:40 PM

Hi SifuMike. Sorry I've no idea where it came from, it just started popping up one day. Anyway here is the new log.




Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Fri 11/02/2007
The current time is: 17:23:43.50


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MYKAZA~2\BAK

10/30/2007 05:46 PM 0 My Kazaa Gold.conf
01/14/2007 11:48 PM 2,445,312 MyGoldKazaa.exe
2 File(s) 2,445,312 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

07/22/2005 09:45 PM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

10/29/2007 10:50 PM 180 hpsysdrv.DAT
05/07/1998 06:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,916 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

01/12/2006 05:40 PM 155,648 NeroCheck.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSHAR~1\BAK

04/17/2002 07:42 PM 69,632 hpgs2wnd.exe
1 File(s) 69,632 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

08/04/2007 02:33 AM 582,992 mcagent.exe
1 File(s) 582,992 bytes

Directory of C:\PROGRA~1\SBCLIG~1\SMARTB~1\BAK

12/10/2003 05:52 AM 380,928 MotiveSB.exe
1 File(s) 380,928 bytes

Directory of C:\PROGRA~1\YAHOO!\BROWSER\BAK

07/21/2006 05:19 PM 129,536 ybrwicon.exe
1 File(s) 129,536 bytes

Directory of C:\PROGRA~1\YAHOO!\YOP\BAK

07/21/2006 11:43 AM 407,032 yop.exe
1 File(s) 407,032 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\ACS\BAK

04/07/2004 12:07 PM 496,752 AOLDial.exe
1 File(s) 496,752 bytes

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK

09/13/2003 10:36 PM 50,688 WkUFind.exe
1 File(s) 50,688 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

08/09/2007 10:30 PM 185,632 realsched.exe
1 File(s) 185,632 bytes

Directory of C:\PROGRA~1\HEWLET~1\DIGITA~1\UNLOAD\BAK

10/07/2002 12:23 AM 90,112 hpqcmon.exe
1 File(s) 90,112 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

2445312 Jan 14 2007 "C:\Program Files\My Kazaa Gold\MyGoldKazaa.exe"
2445312 Jan 14 2007 "C:\Program Files\My Kazaa Gold\bak\MyGoldKazaa.exe"
40960 Jan 31 2007 "C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\{21329DB6-ACC2-48AC-BE6E-BDDBCEB667D7}\MyGoldKazaa.exe_21329DB6ACC248ACBE6EBDDBCEB667D7.exe"
0 Oct 30 2007 "C:\Program Files\My Kazaa Gold\My Kazaa Gold.conf"
0 Oct 30 2007 "C:\Program Files\My Kazaa Gold\bak\My Kazaa Gold.conf"
98304 Jul 22 2005 "C:\Program Files\QuickTime\qttask.exe"
98304 Jul 22 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
180 Oct 29 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
180 Oct 29 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
155648 Jan 12 2006 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jan 12 2006 "C:\WINDOWS\system32\bak\NeroCheck.exe"
69632 Apr 17 2002 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
69632 Apr 17 2002 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe"
582992 Aug 4 2007 "C:\Program Files\McAfee.com\Agent\mcagent.exe"
582992 Aug 4 2007 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
380928 Dec 10 2003 "C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\MotiveSB.exe"
380928 Dec 10 2003 "C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\bak\MotiveSB.exe"
380928 Nov 30 2006 "C:\Program Files\SBC LightSpeed Self Support Tool\tmp\bin\MotiveSB.exe"
129536 Jul 21 2006 "C:\Program Files\Yahoo!\browser\ybrwicon.exe"
129536 Jul 21 2006 "C:\Program Files\Yahoo!\browser\bak\ybrwicon.exe"
407032 Jul 21 2006 "C:\Program Files\Yahoo!\YOP\yop.exe"
407032 Jul 21 2006 "C:\Program Files\Yahoo!\YOP\bak\yop.exe"
496752 Apr 7 2004 "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
496752 Apr 7 2004 "C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe"
50688 Sep 13 2003 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
50688 Sep 13 2003 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
28672 Jul 24 2002 "C:\Program Files\Online Services\MSN80\MSN\pictureit\PIP\Common\MSShared\WkShared\WkUFind.exe"
185632 Aug 9 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
185632 Aug 9 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
90112 Oct 7 2002 "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe"
90112 Oct 7 2002 "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe"


end of report

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:08 AM

Posted 02 November 2007 - 06:01 PM

Hi AtreyuTheSlayer,

Please double-click the FindAWF icon once again
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\My Kazaa Gold\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\system\bak
C:\WINDOWS\system32\bak
C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak
C:\Program Files\McAfee.com\Agent\bak
C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\bak
C:\Program Files\Yahoo!\browser\bak
C:\Program Files\Yahoo!\YOP\bak
C:\Program Files\Common Files\AOL\ACS\bak
C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 AtreyuTheSlayer

AtreyuTheSlayer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:08 AM

Posted 02 November 2007 - 11:27 PM

Hey SifuMike,
Kinda curious, what exactly is the FindAWF program, and how do you make sense of the logs it gives. Speaking of logs, ta da! Here it is (as if you didn't already know).


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Fri 11/02/2007
The current time is: 23:20:29.03


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

07/22/2005 09:45 PM 98,304 qttask.exe
1 File(s) 98,304 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

98304 Jul 22 2005 "C:\Program Files\QuickTime\qttask.exe"
98304 Jul 22 2005 "C:\Program Files\QuickTime\bak\qttask.exe"


end of report

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:08 AM

Posted 02 November 2007 - 11:36 PM

Hi AtreyuTheSlayer,

The FindAWF did not work correctly, so we will have to delete the BAK folder manually.


Using Windows Explorer, delete the following BAK folder in bold
C:\Program Files\QuickTime\bak <== folder

Then run FindAWF with Option 1 and post the log.

Edited by SifuMike, 02 November 2007 - 11:36 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 AtreyuTheSlayer

AtreyuTheSlayer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:08 AM

Posted 02 November 2007 - 11:54 PM

Hey SifuMike!

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Fri 11/02/2007
The current time is: 23:52:09.07


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:08 AM

Posted 03 November 2007 - 12:19 AM

Hi AtreyuTheSlayer,

Now we run Option 4. :thumbsup:

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones


When the program returns to the main menu, use the following option:
Press E then Enter to EXIT


If you have used Combofix before, please delete the version you are having and redownload it again, because Combofix is being updated everyday.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
 Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix  log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
 
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 AtreyuTheSlayer

AtreyuTheSlayer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:08 AM

Posted 03 November 2007 - 12:15 PM

Hey SifuMike,

Forgot to add this yesterday. When I had to delete that bak folder at first it wouldn't let me, I had to go through the Windows Task Manager and stop it from running in the Processes tab. Does that mean anything?


ComboFix 07-11-01.1 - Owner 2007-11-03 11:57:35.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
.

2007-11-03 11:16 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-02 17:23 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-10-29 22:45 <DIR> d-------- C:\WINDOWS\InCD
2007-10-29 22:45 2,973,696 --------- C:\WINDOWS\UNMRW.exe
2007-10-29 22:45 2,973,696 --------- C:\WINDOWS\NuNinst.exe
2007-10-29 22:45 101,504 --------- C:\WINDOWS\system32\drivers\InCDfs.sys
2007-10-29 22:45 29,696 --------- C:\WINDOWS\system32\drivers\InCDpass.sys
2007-10-29 22:45 28,672 --------- C:\WINDOWS\system32\drivers\InCDrm.sys
2007-10-29 22:45 8,704 --------- C:\WINDOWS\system32\drivers\InCDrec.sys
2007-10-29 19:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-29 19:14 <DIR> d-------- C:\Program Files\Sygate
2007-10-29 19:14 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-10-29 19:14 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-10-29 19:14 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-10-29 19:14 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-10-29 19:14 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-10-29 19:14 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-10-29 19:14 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-10-28 19:49 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-28 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-27 22:54 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-27 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-27 22:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-26 22:24 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\WholeSecurity
2007-10-26 21:45 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-03 04:50 --------- d-----w C:\Program Files\QuickTime
2007-11-03 04:41 --------- d-----w C:\Program Files\My Kazaa Gold
2007-10-30 03:45 --------- d-----w C:\Program Files\Ahead
2007-10-29 01:50 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-10-21 23:27 5,375 ---ha-w C:\hpothb07.dat
2007-10-21 13:19 --------- d-----w C:\Program Files\exPressit S.E. 2.1
2007-10-19 21:52 --------- d-----w C:\Program Files\McAfee
2007-10-14 02:17 --------- d-----w C:\Program Files\Yahoo! Games
2007-09-30 19:03 --------- d-----w C:\Program Files\Disney Interactive
2007-09-13 00:08 --------- d-----w C:\Program Files\3DGroove
2007-07-04 05:12 24,064 -csha-w C:\Program Files\Thumbs.db
2006-11-11 07:37 299 -c-ha-w C:\Program Files\hpothb07.dat
2006-11-11 07:36 844,542 -c--a-w C:\Program Files\auntb&ameliax.tif
2006-11-11 07:36 1,450 -c--a-w C:\Program Files\hpothb07.tif
2006-11-11 07:35 844,542 -c--a-w C:\Program Files\Scan0002.tif
2005-05-31 17:09 360 -c-ha-w C:\Documents and Settings\Owner\Application Data\hpothb07.dat
2005-04-25 00:10 0 -c-ha-w C:\Documents and Settings\Default User\hpothb07.dat
2005-04-25 00:09 169 -c-ha-w C:\Documents and Settings\NetworkService\hpothb07.dat
2005-04-25 00:09 167 -c-ha-w C:\Documents and Settings\LocalService\hpothb07.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8DA5457F-A8AA-4CCF-A842-70E6FD274094}]
C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 00:23]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 19:42]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-13 22:36]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 C:\WINDOWS\ALCXMNTR.EXE]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 12:07]
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" []
"Motive SmartBridge"="C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2003-12-10 05:52]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 11:43]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 17:19]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 17:40]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-09 22:30]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-25 05:01]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"My Kazaa Gold"="C:\Program Files\My Kazaa Gold\MyGoldKazaa.exe" [2007-01-14 23:48]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe [2003-04-10 06:21:36]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-06 00:37:10]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58]
MiniMavis.lnk - C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe [2005-07-18 20:47:19]
SBC Self Support Tool.lnk - C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe [2006-11-30 18:51:48]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-04-10 02:04:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 05:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MsnFixer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MsnFixer.lnk
backup=C:\WINDOWS\pss\MsnFixer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCNT]
C:\PROGRA~1\AWS\WEATHE~1\BCNT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet /keeploaded /nodetect

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
"C:\Windows\Creator\Remind_XP.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
C:\Program Files\WildTangent\Apps\GameChannel.exe

R2 ACEDRV06;ACEDRV06;\??\C:\WINDOWS\system32\drivers\ACEDRV06.sys
S2 WinToolsSvc;WinTools for IE service;C:\Program Files\Common Files\WinTools\WToolsS.exe
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\MAGIX\Common\Database\bin\fbserver.exe
S3 PCDRDRV;Pcdr Helper Driver;\??\C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2003-10-17 06:07:33 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1057382127.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
"2007-10-15 06:35:40 C:\WINDOWS\Tasks\McDefragTask.job"
"2007-11-01 06:00:20 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 12:05:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-03 12:08:28
.
--- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:50 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\My Kazaa Gold\MyGoldKazaa.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\SBC LightSpeed Self Support Tool\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\My Kazaa Gold\giFT\giFTl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;localhost;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [My Kazaa Gold] C:\Program Files\My Kazaa Gold\MyGoldKazaa.exe /hide
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v6.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

--
End of file - 11752 bytes

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:08 AM

Posted 03 November 2007 - 01:33 PM

Hi AtreyuTheSlayer,

You have two firewall running, McAfee Personal Firewall and
Sygate Personal Firewall.

Never run two antivirus programs or two firewalls, as it will cause errors and slow your computer.

You need uninstall one of the firewalls.


Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)


*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'

Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\Program Files\Common Files\WinTools\ <== folder
C:\WINDOWS\ALCXMNTR.EXE <==file


Lets delete the bad service:
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the code to Notepad.
Save it to your desktop, make sure the file type is All File and name it FixServices.bat


@echo off
sc stop WinToolsSvc
sc delete WinToolsSvc
exit

Double click FixServices.bat.
A window will open and close. This is normal.



*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Autocomplete Forum History.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
• Clean any others that you choose.

In the Applications Tab:
• Clean all including cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Finally, reboot your computer, post a fresh Hijackthis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 AtreyuTheSlayer

AtreyuTheSlayer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:08 AM

Posted 03 November 2007 - 08:33 PM

Hi SifuMike,


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:57 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\My Kazaa Gold\MyGoldKazaa.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SBC LightSpeed Self Support Tool\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\My Kazaa Gold\giFT\giFTl.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;localhost;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [My Kazaa Gold] C:\Program Files\My Kazaa Gold\MyGoldKazaa.exe /hide
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v6.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

--
End of file - 10879 bytes

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:08 AM

Posted 03 November 2007 - 08:54 PM

Hi AtreyuTheSlayer,

I recommend you uninstall MyGoldKazaa - P2P programs are the likely source of many infections and are sources of illegal activity. :thumbsup:

But your log looks clean. :blink:

Good job on the cleanup!

Uninstall ComboFix, go to to Start > Run & type in ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Delete FindAWF from your desktop.

Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware' by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.

Edited by SifuMike, 03 November 2007 - 08:56 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 AtreyuTheSlayer

AtreyuTheSlayer
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:08 AM

Posted 03 November 2007 - 09:33 PM

Hi SifuMike,

Thanks for everything. :blink: :thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users