
I Think I Have "whataboutadog" ? Help Would Be Appreciated!


  • This topic is locked
19 replies to this topic

#1 shepdaddy

shepdaddy

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:11 AM

Posted 31 October 2007 - 01:27 AM

I'm a 'noob' to this - so please bear with me.

I believe I have the "whataboutadog" virus.

I currently run Trend-Micro PC-cillin, but it hasn't caught it yet?

Here is my hijackthis.log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:11 PM, on 10/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\PcScnSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\tmproxy.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Documents\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 209.241.144.106:80
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.3 boards.cexx.org
O1 - Hosts: 127.0.0.4 bulletproofsoft.net
O1 - Hosts: 127.0.0.5 camtech2000.net
O1 - Hosts: 127.0.0.6 cexx.org
O1 - Hosts: 127.0.0.7 computercops.us
O1 - Hosts: 127.0.0.8 ct7support.com
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
O1 - Hosts: 127.0.0.21 kephyr.com
O1 - Hosts: 127.0.0.22 lavasoft.de
O1 - Hosts: 127.0.0.23 lavasoftusa.com
O1 - Hosts: 127.0.0.24 lurkhere.com
O1 - Hosts: 127.0.0.25 majorgeeks.com
O1 - Hosts: 127.0.0.26 merijn.org
O1 - Hosts: 127.0.0.27 mjc1.com
O1 - Hosts: 127.0.0.28 moosoft.com
O1 - Hosts: 127.0.0.29 mvps.org
O1 - Hosts: 127.0.0.30 net-integration.net
O1 - Hosts: 127.0.0.31 noadware.net
O1 - Hosts: 127.0.0.32 no-spybot.com
O1 - Hosts: 127.0.0.33 onlinepcfix.com
O1 - Hosts: 127.0.0.34 pchell.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 127.0.0.37 secure.spykiller.com
O1 - Hosts: 127.0.0.38 secureie.com
O1 - Hosts: 127.0.0.39 security.kolla.de
O1 - Hosts: 127.0.0.40 spybot.info
O1 - Hosts: 127.0.0.41 spychecker.com
O1 - Hosts: 127.0.0.42 spychecker.com
O1 - Hosts: 127.0.0.43 spycop.com
O1 - Hosts: 127.0.0.44 spyguard.com
O1 - Hosts: 127.0.0.45 spykiller.com
O1 - Hosts: 127.0.0.46 spyware.co.uk
O1 - Hosts: 127.0.0.47 spyware-cop.com
O1 - Hosts: 127.0.0.48 spywareinfo.com
O1 - Hosts: 127.0.0.49 spywarenuker.com
O1 - Hosts: 127.0.0.50 spywareremove.com
O1 - Hosts: 127.0.0.51 spywareremove.com
O1 - Hosts: 127.0.0.52 stopzillapro.com
O1 - Hosts: 127.0.0.53 sunbelt-software.com
O1 - Hosts: 127.0.0.54 thiefware.com
O1 - Hosts: 127.0.0.55 tomcoyote.org
O1 - Hosts: 127.0.0.56 unwantedlinks.com
O1 - Hosts: 127.0.0.58 wilders.org
O1 - Hosts: 127.0.0.59 www.auditmypc.com
O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
O1 - Hosts: 127.0.0.61 www.cexx.org
O1 - Hosts: 127.0.0.62 www.computercops.us
O1 - Hosts: 127.0.0.63 www.ct7support.com
O1 - Hosts: 127.0.0.64 www.doxdesk.com
O1 - Hosts: 127.0.0.65 www.eblocs.com
O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
O1 - Hosts: 127.0.0.69 www.grc.com
O1 - Hosts: 127.0.0.71 www.hackfaq.org
O1 - Hosts: 127.0.0.72 www.hazeleger.net
O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
O1 - Hosts: 127.0.0.75 www.kephyr.com
O1 - Hosts: 127.0.0.76 www.lavasoft.de
O1 - Hosts: 127.0.0.77 www.lavasoftusa.com
O1 - Hosts: 127.0.0.78 www.lurkhere.com
O1 - Hosts: 127.0.0.79 www.majorgeeks.com
O1 - Hosts: 127.0.0.80 www.merijn.org
O1 - Hosts: 127.0.0.81 www.mjc1.com
O1 - Hosts: 127.0.0.82 www.moosoft.com
O1 - Hosts: 127.0.0.83 www.mvps.org
O1 - Hosts: 127.0.0.84 www.net-integration.net
O1 - Hosts: 127.0.0.85 www.noadware.net
O1 - Hosts: 127.0.0.86 www.no-spybot.com
O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
O1 - Hosts: 127.0.0.88 www.pchell.com
O1 - Hosts: 127.0.0.89 www.pestpatrol.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\IN2591~1\pccguide.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isearch.com/install/00002/chm.chm::/files/initial.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BA2CB6B1-03EE-4068-87CC-F5E4DD772A9B} (CCAOControl Object) - https://promontory-cag2.atk.com/citrixlogon...t/CitrixCAO.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup151.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\IN2591~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\IN2591~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\IN2591~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\IN2591~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\IN2591~1\tmproxy.exe
O24 - Desktop Component 0: (no name) - http://ww2.olntv.com/images/masthead.jpg

--
End of file - 13613 bytes

Thanks for taking a look!
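Added example, not code from the thread and not part of HijackThis: a small parser for log lines in the format posted above, with the checks a responder applies to this kind of log (hosts entries that are not the stock localhost line, a ProxyServer value, Trusted Zone additions, Downloaded Program Files reached through local-file protocol handlers, and orphaned BHO registrations). The sample lines are constructed for the example, several modelled on the real log above; the rule set and the severity labels are this example's own assumptions.

```python
"""Parse HijackThis-style log lines and flag the entries that drive the diagnosis
in a hosts-file / proxy hijack case like the one in this thread.

Added example: not code from the thread and not part of HijackThis.  The rule set
and severity labels are this example's own assumptions."""
import ipaddress
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section payload")

# Every HJT entry is "<section> - <payload>", e.g. "O1 - Hosts: 127.0.0.2 auditmypc.com"
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<payload>.+)$")

# Constructed sample log; several lines are modelled on the real log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 209.241.144.106:80
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isearch.com/install/00002/chm.chm::/files/initial.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
"""


def parse_hjt(text):
    """Return (section, payload) for each entry line; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("payload")))
    return entries


def audit(entries):
    """Apply the checks behind the diagnosis in this thread.  Returns (severity, section, note)."""
    findings = []
    for sec, payload in entries:
        if sec == "O1" and payload.startswith("Hosts:"):
            addr, name = payload[len("Hosts:"):].split(None, 1)
            name = name.strip().lower()
            # A stock hosts file maps only localhost -> 127.0.0.1; anything else is a hijack
            # candidate.  A loopback target blocks the named site, any other target redirects it.
            if name == "localhost" and addr != "127.0.0.1":
                findings.append(("high", sec, f"localhost remapped to {addr}"))
            elif name != "localhost":
                findings.append(("high", sec, f"{name} pinned to {addr}"))
        elif sec == "R1" and "ProxyServer" in payload:
            host, _, port = payload.split("=", 1)[1].strip().rpartition(":")
            try:
                external = not ipaddress.ip_address(host).is_private
            except ValueError:          # a hostname rather than an IP literal
                external = True
            findings.append(("high" if external else "medium", sec,
                             f"IE traffic proxied through {host}:{port}"))
        elif sec == "O15" and payload.startswith("Trusted Zone:"):
            zone = payload.split(":", 1)[1].strip()
            # Trusted-zone sites get ActiveX and scripting under relaxed IE settings
            findings.append(("high" if zone.startswith("*.") else "medium", sec,
                             f"trusted zone grants relaxed IE security to {zone}"))
        elif sec == "O16":
            url = payload.rsplit(" - ", 1)[-1]
            # DPF entries normally point at http(s) CABs; ms-its:/mhtml: handlers reach into
            # local CHM/MHT files, which has no legitimate use in a Downloaded Program Files entry
            if url.lower().startswith(("ms-its:", "mhtml:")):
                findings.append(("high", sec, f"DPF via local-file handler: {url[:48]}..."))
        elif sec == "O2" and payload.endswith("(no file)"):
            findings.append(("low", sec, f"orphaned BHO registration: {payload}"))
    return findings


def audit_log(text):
    return audit(parse_hjt(text))


if __name__ == "__main__":
    for severity, section, note in audit_log(SAMPLE_LOG):
        print(f"[{severity:6}] {section:<4} {note}")
```

On the constructed log the auditor returns seven findings, six of them high: the three hosts entries (including localhost itself being remapped to 127.0.0.0), the public proxy, the wildcard trusted zone and the ms-its: DPF; the BHO with no backing file is reported as low so it is not lost but does not drown out the rest.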


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:11 PM

Posted 31 October 2007 - 05:57 PM

Hello shepdaddy,

Not only do you have whataboutadog but you also have adoginhispen.


We will restore the default hosts file back onto your machine.

Go to: http://www.funkytoad.com/content/view/13/
Download the program HostsXpert to your computer.
Unzip HostsXpert to your desktop and execute it.
Select "Restore MS Hosts File".
Close the program.


*******************************

Download FindAWF:
http://noahdfear.net/downloads/FindAWF.exe
Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, Find AWF report is produced that we need to look at.
Please post it in your reply.

Edited by SifuMike, 31 October 2007 - 06:00 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 shepdaddy

shepdaddy
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:11 AM

Posted 31 October 2007 - 06:26 PM

I read some of the other posts and presumed you'd tell me to run FindAWF. Here it is, but I have not yet run HostsXpert.

Do I need to run HostsXpert first, then FindAWF?

Otherwise, here's the output from Option 1 of FindAWF:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Wed 10/31/2007
The current time is: 14:05:29.81


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\DVD43\BAK

05/22/2006 01:26 PM 694,272 dvd43_tray.exe
1 File(s) 694,272 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

07/31/2007 06:44 PM 271,672 iTunesHelper.exe
1 File(s) 271,672 bytes

Directory of C:\PROGRA~1\MI3AA1~1\BAK

09/01/2003 07:52 PM 376,912 WCESCOMM.EXE
1 File(s) 376,912 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 01:56 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

07/13/2004 09:10 PM 339,968 atiptaxx.exe
1 File(s) 339,968 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~3\BAK

06/02/2007 11:00 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\PANICW~1\POP-UP~1\BAK

10/29/2003 12:01 PM 524,288 PSFree.exe
1 File(s) 524,288 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~4\BAK

09/28/2005 11:07 PM 897,086 pccguide.exe
10/02/2007 10:06 PM 48 pccillin.ini
2 File(s) 897,134 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

08/06/2003 02:04 AM 114,741 tfswctrl.exe
1 File(s) 114,741 bytes

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK

07/16/2002 07:21 AM 28,672 WkUFind.exe
1 File(s) 28,672 bytes

Directory of C:\DOCUME~1\CHLOE\APPLIC~1\GOOGLE\GOOGLE~3\BAK

01/01/2007 03:22 PM 3,739,648 googletalk.exe
1 File(s) 3,739,648 bytes

Directory of C:\DOCUME~1\CHLOE\LOCALS~1\APPLIC~1\SKYPE\PHONE\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

28172 Oct 2 2007 "C:\Program Files\dvd43\dvd43_tray.exe"
694272 May 22 2006 "C:\Program Files\dvd43\bak\dvd43_tray.exe"
28172 Oct 2 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
271672 Jul 31 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Aug 5 2007 "C:\WINDOWS\Installer\{E0219810-16E4-437D-9165-93D7B22524F9}\iTunesIco.exe"
116024 Aug 5 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.3.2.6\iTunesSetupAdmin.exe"
116024 Aug 5 2007 "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\892R0LIJ\iTunesSetupAdmin[1].exe"
28172 Oct 2 2007 "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
376912 Sep 1 2003 "C:\Program Files\Microsoft ActiveSync\bak\WCESCOMM.EXE"
28172 Oct 2 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
13312 Aug 29 2002 "C:\WINDOWS\SoftwareDistribution.old\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\backup\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\SoftwareDistribution.old\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\ctfmon.exe"
28172 Oct 2 2007 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
339968 Jul 13 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
69632 Jan 31 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
28172 Oct 2 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
68856 Jun 2 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
69632 Mar 13 2007 "C:\Documents and Settings\Chloe\Application Data\Google\Google Earth\googleearth.exe"
27660 Oct 5 2007 "C:\Documents and Settings\Chloe\Application Data\Google\Google Talk\googletalk.exe"
3739648 Jan 1 2007 "C:\Documents and Settings\Gray.THEXPS\Application Data\Google\Google Talk\googletalk.exe"
3739648 Jan 1 2007 "C:\Documents and Settings\Chloe\Application Data\Google\Google Talk\bak\googletalk.exe"
536576 Mar 17 2005 "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
524288 Oct 29 2003 "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\bak\PSFree.exe"
3429904 Apr 12 2007 "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
897086 Sep 28 2005 "C:\Program Files\Trend Micro\Internet Security 2006\bak\pccguide.exe"
897086 Sep 28 2005 "C:\Program Files\Trend Micro\PCC2006US_1400_1341\Setup\Module\pccguide.exe"
3429904 Apr 12 2007 "C:\Documents and Settings\All Users\Documents\Downloads\PCCillin2007\TrendMicroPCCsmall\Module\pccguide.exe"
942142 Sep 22 2003 "C:\Program Files\Trend Micro\Internet Security Setup\Setup\program files\Trend Micro\PC-cillin\pccguide.exe"
823358 Sep 15 2004 "C:\Program Files\Trend Micro\PCC2005_1244\Setup\program files\Trend Micro\PC-cillin\pccguide.exe"
2391 Oct 31 2007 "C:\Program Files\Trend Micro\Internet Security 2007\pccillin.ini"
48 Oct 2 2007 "C:\Program Files\Trend Micro\Internet Security 2006\bak\pccillin.ini"
1235 Oct 6 2005 "C:\Program Files\Trend Micro\PCC2006US_1400_1341\Setup\Module\pccillin.ini"
1485 Apr 12 2007 "C:\Documents and Settings\All Users\Documents\Downloads\PCCillin2007\TrendMicroPCCsmall\Module\pccillin.ini"
28172 Oct 2 2007 "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe"
114741 Aug 6 2003 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
114741 Aug 6 2003 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
28172 Oct 2 2007 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
28672 Jul 16 2002 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
69632 Jan 31 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
28172 Oct 2 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
68856 Jun 2 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
69632 Mar 13 2007 "C:\Documents and Settings\Chloe\Application Data\Google\Google Earth\googleearth.exe"
27660 Oct 5 2007 "C:\Documents and Settings\Chloe\Application Data\Google\Google Talk\googletalk.exe"
3739648 Jan 1 2007 "C:\Documents and Settings\Gray.THEXPS\Application Data\Google\Google Talk\googletalk.exe"
3739648 Jan 1 2007 "C:\Documents and Settings\Chloe\Application Data\Google\Google Talk\bak\googletalk.exe"


end of report


I'll get HostsXpert and run as advised.

Thank You for your help!

#4 shepdaddy

shepdaddy
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:11 AM

Posted 31 October 2007 - 09:10 PM

OK.. here is the FindAWF report, post-HostsXpert run:

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Wed 10/31/2007
The current time is: 17:30:55.14


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\DVD43\BAK

05/22/2006 01:26 PM 694,272 dvd43_tray.exe
1 File(s) 694,272 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

07/31/2007 06:44 PM 271,672 iTunesHelper.exe
1 File(s) 271,672 bytes

Directory of C:\PROGRA~1\MI3AA1~1\BAK

09/01/2003 07:52 PM 376,912 WCESCOMM.EXE
1 File(s) 376,912 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 01:56 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

07/13/2004 09:10 PM 339,968 atiptaxx.exe
1 File(s) 339,968 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~3\BAK

06/02/2007 11:00 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\PANICW~1\POP-UP~1\BAK

10/29/2003 12:01 PM 524,288 PSFree.exe
1 File(s) 524,288 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~4\BAK

09/28/2005 11:07 PM 897,086 pccguide.exe
10/02/2007 10:06 PM 48 pccillin.ini
2 File(s) 897,134 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

08/06/2003 02:04 AM 114,741 tfswctrl.exe
1 File(s) 114,741 bytes

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK

07/16/2002 07:21 AM 28,672 WkUFind.exe
1 File(s) 28,672 bytes

Directory of C:\DOCUME~1\CHLOE\APPLIC~1\GOOGLE\GOOGLE~3\BAK

01/01/2007 03:22 PM 3,739,648 googletalk.exe
1 File(s) 3,739,648 bytes

Directory of C:\DOCUME~1\CHLOE\LOCALS~1\APPLIC~1\SKYPE\PHONE\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

28172 Oct 2 2007 "C:\Program Files\dvd43\dvd43_tray.exe"
694272 May 22 2006 "C:\Program Files\dvd43\bak\dvd43_tray.exe"
28172 Oct 2 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
271672 Jul 31 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Aug 5 2007 "C:\WINDOWS\Installer\{E0219810-16E4-437D-9165-93D7B22524F9}\iTunesIco.exe"
116024 Aug 5 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.3.2.6\iTunesSetupAdmin.exe"
116024 Aug 5 2007 "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\892R0LIJ\iTunesSetupAdmin[1].exe"
28172 Oct 2 2007 "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
376912 Sep 1 2003 "C:\Program Files\Microsoft ActiveSync\bak\WCESCOMM.EXE"
28172 Oct 2 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
13312 Aug 29 2002 "C:\WINDOWS\SoftwareDistribution.old\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\backup\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\SoftwareDistribution.old\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\ctfmon.exe"
28172 Oct 2 2007 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
339968 Jul 13 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
69632 Jan 31 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
28172 Oct 2 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
68856 Jun 2 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
69632 Mar 13 2007 "C:\Documents and Settings\Chloe\Application Data\Google\Google Earth\googleearth.exe"
27660 Oct 5 2007 "C:\Documents and Settings\Chloe\Application Data\Google\Google Talk\googletalk.exe"
3739648 Jan 1 2007 "C:\Documents and Settings\Gray.THEXPS\Application Data\Google\Google Talk\googletalk.exe"
3739648 Jan 1 2007 "C:\Documents and Settings\Chloe\Application Data\Google\Google Talk\bak\googletalk.exe"
536576 Mar 17 2005 "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
524288 Oct 29 2003 "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\bak\PSFree.exe"
3429904 Apr 12 2007 "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
897086 Sep 28 2005 "C:\Program Files\Trend Micro\Internet Security 2006\bak\pccguide.exe"
897086 Sep 28 2005 "C:\Program Files\Trend Micro\PCC2006US_1400_1341\Setup\Module\pccguide.exe"
3429904 Apr 12 2007 "C:\Documents and Settings\All Users\Documents\Downloads\PCCillin2007\TrendMicroPCCsmall\Module\pccguide.exe"
942142 Sep 22 2003 "C:\Program Files\Trend Micro\Internet Security Setup\Setup\program files\Trend Micro\PC-cillin\pccguide.exe"
823358 Sep 15 2004 "C:\Program Files\Trend Micro\PCC2005_1244\Setup\program files\Trend Micro\PC-cillin\pccguide.exe"
2391 Oct 31 2007 "C:\Program Files\Trend Micro\Internet Security 2007\pccillin.ini"
48 Oct 2 2007 "C:\Program Files\Trend Micro\Internet Security 2006\bak\pccillin.ini"
1235 Oct 6 2005 "C:\Program Files\Trend Micro\PCC2006US_1400_1341\Setup\Module\pccillin.ini"
1485 Apr 12 2007 "C:\Documents and Settings\All Users\Documents\Downloads\PCCillin2007\TrendMicroPCCsmall\Module\pccillin.ini"
28172 Oct 2 2007 "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe"
114741 Aug 6 2003 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
114741 Aug 6 2003 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
28172 Oct 2 2007 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
28672 Jul 16 2002 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
69632 Jan 31 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
28172 Oct 2 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
68856 Jun 2 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
69632 Mar 13 2007 "C:\Documents and Settings\Chloe\Application Data\Google\Google Earth\googleearth.exe"
27660 Oct 5 2007 "C:\Documents and Settings\Chloe\Application Data\Google\Google Talk\googletalk.exe"
3739648 Jan 1 2007 "C:\Documents and Settings\Gray.THEXPS\Application Data\Google\Google Talk\googletalk.exe"
3739648 Jan 1 2007 "C:\Documents and Settings\Chloe\Application Data\Google\Google Talk\bak\googletalk.exe"


end of report

I have a feeling I'll be saying this a lot - but THANK YOU for helping!

#5 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:11 PM

Posted 31 October 2007 - 10:45 PM

Hi shepdaddy,

It looks like you have a nasty AWF infection and some other malware.
We will deal with the AWF infection first.


Please double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


"C:\Program Files\dvd43\bak\dvd43_tray.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\Microsoft ActiveSync\bak\WCESCOMM.EXE"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
"C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
"C:\Documents and Settings\Chloe\Application Data\Google\Google Talk\bak\googletalk.exe"
"C:\Program Files\Panicware\Pop-Up Stopper Free Edition\bak\PSFree.exe"
"C:\Program Files\Trend Micro\Internet Security 2006\bak\pccguide.exe"
"C:\Program Files\Trend Micro\Internet Security 2006\bak\pccillin.ini"
"C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
"C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Documents and Settings\Chloe\Application Data\Google\Google Talk\bak\googletalk.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply
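Added example, not FindAWF's code and not from the thread, of the detection and restore logic the steps above describe: pair each bak\<name> with its sibling in the parent folder, compare the two by hash, use the single shared size (28172 bytes in every report above) as the dropper tell, then delete the rogue file and copy the original back. It builds a throw-away directory tree of constructed files so it runs offline; the 28172-byte figure is taken from the reports above, the file contents are invented, and the process-kill step FindAWF performs before replacing a file is left out.

```python
"""Detect and repair the AWF pattern described above: the dropper replaces each
autostart executable with a copy of itself and parks the original in a 'bak'
subfolder beside it.

Added example: not FindAWF and not code from the thread.  It builds a throw-away
directory tree of constructed files so it runs offline; 28172 bytes is the size
reported for every rogue file in the logs above, the file contents are invented.
FindAWF also kills the running process before replacing a file; that step is
omitted here."""
import hashlib
import os
import shutil
import tempfile
from collections import Counter


def sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def find_swapped(root):
    """For every <dir>/bak/<name> that has a live sibling <dir>/<name>, compare the two.
    Returns one dict per pair whose contents differ, i.e. the live file is not the original."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in filenames:
            original = os.path.join(dirpath, name)
            live = os.path.join(parent, name)
            if os.path.isfile(live) and sha256(live) != sha256(original):
                hits.append({"live": live, "original": original,
                             "live_size": os.path.getsize(live)})
    return hits


def dropper_sizes(hits, min_count=2):
    """The tell in the reports above: unrelated programs all 'shrank' to one identical size.
    Return every live-file size shared by at least min_count hits."""
    counts = Counter(h["live_size"] for h in hits)
    return {size for size, n in counts.items() if n >= min_count}


def restore(hits):
    """FindAWF option 2 without the process kill: remove the rogue, copy the original
    back into the parent folder, and verify the copy by hash."""
    restored = []
    for h in hits:
        os.remove(h["live"])
        shutil.copy2(h["original"], h["live"])
        if sha256(h["live"]) == sha256(h["original"]):
            restored.append(h["live"])
    return restored


def _plant(root, rel, live, bak):
    """Write <root>/<rel> with `live` bytes and <root>/<dir>/bak/<name> with `bak` bytes."""
    live_path = os.path.join(root, *rel.split("/"))
    bak_dir = os.path.join(os.path.dirname(live_path), "bak")
    os.makedirs(bak_dir, exist_ok=True)
    with open(live_path, "wb") as fh:
        fh.write(live)
    with open(os.path.join(bak_dir, os.path.basename(live_path)), "wb") as fh:
        fh.write(bak)


def build_sample_tree():
    """Constructed sample: three programs hit by the dropper plus one untouched bak
    folder (the ctfmon.exe case in the reports above, where live and bak already match)."""
    root = tempfile.mkdtemp(prefix="awf_demo_")
    rogue = b"X" * 28172                      # stand-in for the dropper body
    for rel, body in {"iTunes/iTunesHelper.exe": b"helper" * 45000,
                      "QuickTime/qttask.exe": b"qttask" * 47000,
                      "dvd43/dvd43_tray.exe": b"tray" * 170000}.items():
        _plant(root, rel, live=rogue, bak=body)
    clean = b"ctfmon" * 2560
    _plant(root, "WINDOWS/system32/ctfmon.exe", live=clean, bak=clean)
    return root


def cleanup(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_tree()
    hits = find_swapped(root)
    print(f"{len(hits)} swapped file(s); dropper size(s): {dropper_sizes(hits)}")
    for path in restore(hits):
        print("restored", os.path.relpath(path, root))
    print("remaining:", find_swapped(root))
    cleanup(root)
```

Hash comparison rather than size or date is what makes the ctfmon.exe case come out right: its bak copy exists but is identical to the live file, so it is not touched, which matches why it was still listed in the restore list above without harm. After `restore()` a second `find_swapped()` pass returns nothing, the same re-scan FindAWF performs automatically once files.txt is saved.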

#6 shepdaddy

shepdaddy
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:11 AM

Posted 01 November 2007 - 07:03 AM

SifuMike -

I've done what you prescribed. Here is the output:


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Wed 10/31/2007
The current time is: 21:57:54.12


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\DVD43\BAK

05/22/2006 01:26 PM 694,272 dvd43_tray.exe
1 File(s) 694,272 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

07/31/2007 06:44 PM 271,672 iTunesHelper.exe
1 File(s) 271,672 bytes

Directory of C:\PROGRA~1\MI3AA1~1\BAK

09/01/2003 07:52 PM 376,912 WCESCOMM.EXE
1 File(s) 376,912 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 01:56 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

07/13/2004 09:10 PM 339,968 atiptaxx.exe
1 File(s) 339,968 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~3\BAK

06/02/2007 11:00 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\PANICW~1\POP-UP~1\BAK

10/29/2003 12:01 PM 524,288 PSFree.exe
1 File(s) 524,288 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~4\BAK

09/28/2005 11:07 PM 897,086 pccguide.exe
10/02/2007 10:06 PM 48 pccillin.ini
2 File(s) 897,134 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

08/06/2003 02:04 AM 114,741 tfswctrl.exe
1 File(s) 114,741 bytes

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK

07/16/2002 07:21 AM 28,672 WkUFind.exe
1 File(s) 28,672 bytes

Directory of C:\DOCUME~1\CHLOE\APPLIC~1\GOOGLE\GOOGLE~3\BAK

01/01/2007 03:22 PM 3,739,648 googletalk.exe
1 File(s) 3,739,648 bytes

Directory of C:\DOCUME~1\CHLOE\LOCALS~1\APPLIC~1\SKYPE\PHONE\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

694272 May 22 2006 "C:\Program Files\dvd43\dvd43_tray.exe"
694272 May 22 2006 "C:\Program Files\dvd43\bak\dvd43_tray.exe"
271672 Jul 31 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
271672 Jul 31 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Aug 5 2007 "C:\WINDOWS\Installer\{E0219810-16E4-437D-9165-93D7B22524F9}\iTunesIco.exe"
116024 Aug 5 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.3.2.6\iTunesSetupAdmin.exe"
116024 Aug 5 2007 "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\892R0LIJ\iTunesSetupAdmin[1].exe"
376912 Sep 1 2003 "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
376912 Sep 1 2003 "C:\Program Files\Microsoft ActiveSync\bak\WCESCOMM.EXE"
286720 Jun 29 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
13312 Aug 29 2002 "C:\WINDOWS\SoftwareDistribution.old\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\backup\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\SoftwareDistribution.old\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\ctfmon.exe"
339968 Jul 13 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
339968 Jul 13 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
69632 Jan 31 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
68856 Jun 2 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
68856 Jun 2 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
69632 Mar 13 2007 "C:\Documents and Settings\Chloe\Application Data\Google\Google Earth\googleearth.exe"
3739648 Jan 1 2007 "C:\Documents and Settings\Chloe\Application Data\Google\Google Talk\googletalk.exe"
3739648 Jan 1 2007 "C:\Documents and Settings\Gray.THEXPS\Application Data\Google\Google Talk\googletalk.exe"
3739648 Jan 1 2007 "C:\Documents and Settings\Chloe\Application Data\Google\Google Talk\bak\googletalk.exe"
524288 Oct 29 2003 "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
524288 Oct 29 2003 "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\bak\PSFree.exe"
3429904 Apr 12 2007 "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
897086 Sep 28 2005 "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
897086 Sep 28 2005 "C:\Program Files\Trend Micro\Internet Security 2006\bak\pccguide.exe"
897086 Sep 28 2005 "C:\Program Files\Trend Micro\PCC2006US_1400_1341\Setup\Module\pccguide.exe"
3429904 Apr 12 2007 "C:\Documents and Settings\All Users\Documents\Downloads\PCCillin2007\TrendMicroPCCsmall\Module\pccguide.exe"
942142 Sep 22 2003 "C:\Program Files\Trend Micro\Internet Security Setup\Setup\program files\Trend Micro\PC-cillin\pccguide.exe"
823358 Sep 15 2004 "C:\Program Files\Trend Micro\PCC2005_1244\Setup\program files\Trend Micro\PC-cillin\pccguide.exe"
2391 Oct 31 2007 "C:\Program Files\Trend Micro\Internet Security 2007\pccillin.ini"
48 Oct 2 2007 "C:\Program Files\Trend Micro\Internet Security 2006\pccillin.ini"
48 Oct 2 2007 "C:\Program Files\Trend Micro\Internet Security 2006\bak\pccillin.ini"
1235 Oct 6 2005 "C:\Program Files\Trend Micro\PCC2006US_1400_1341\Setup\Module\pccillin.ini"
1485 Apr 12 2007 "C:\Documents and Settings\All Users\Documents\Downloads\PCCillin2007\TrendMicroPCCsmall\Module\pccillin.ini"
114741 Aug 6 2003 "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe"
114741 Aug 6 2003 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
114741 Aug 6 2003 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
28672 Jul 16 2002 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
28672 Jul 16 2002 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
69632 Jan 31 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
68856 Jun 2 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
68856 Jun 2 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
69632 Mar 13 2007 "C:\Documents and Settings\Chloe\Application Data\Google\Google Earth\googleearth.exe"
3739648 Jan 1 2007 "C:\Documents and Settings\Chloe\Application Data\Google\Google Talk\googletalk.exe"
3739648 Jan 1 2007 "C:\Documents and Settings\Gray.THEXPS\Application Data\Google\Google Talk\googletalk.exe"
3739648 Jan 1 2007 "C:\Documents and Settings\Chloe\Application Data\Google\Google Talk\bak\googletalk.exe"


end of report

Again- THANK YOU!

#7 SifuMike (malware expert)

Posted 01 November 2007 - 12:11 PM

Hi shepdaddy,

Any idea where you got whataboutadog from? :thumbsup:


Whether or not it's helpful, we're interested in knowing where it came from so that we can get it ourselves. We need to further analyze this infection. We've had reports of users becoming infected while looking for Vanessa Anne Hudgens pics.


Please double-click the FindAWF icon once again
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\dvd43\bak
C:\Program Files\iTunes\bak
C:\Program Files\Microsoft ActiveSync\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\SYSTEM32\bak
C:\Program Files\ATI Technologies\ATI Control Panel\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Documents and Settings\Chloe\Application Data\Google\Google Talk\bak
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\bak
C:\Program Files\Trend Micro\Internet Security 2006\bak
C:\WINDOWS\SYSTEM32\dla\bak
C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak
C:\Documents and Settings\Chloe\Application Data\Google\Google Talk\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply
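As an added illustration, not part of this thread and not FindAWF's own code: a small Python script that does what options 1, 2 and 3 above do, run against a constructed directory tree (a temp folder laid out like the log, with a QuickTime bak folder still holding the real qttask.exe, an iTunes folder that is already restored, and an empty Skype\Phone\bak). The infection behaviour it assumes is the one this thread describes, a legitimate autostart executable moved into a bak subfolder and a replacement dropped at the original path. The SHA-256 comparison and the .rogue rename of the displaced file are additions of this example; FindAWF itself lists sizes and dates and deletes the rogue file, and it also terminates the running process, which is left out here.

```python
"""Scan, restore and clean up the "bak" folders the AWF ("whataboutadog") infection leaves behind.

Added example modelled on what the thread describes; it is not FindAWF's code.
Option 1 lists each bak file and whether the parent folder's same-named copy is
byte-identical (FindAWF lists sizes and dates; the SHA-256 check is an addition).
Option 2 puts the bak original back over a differing parent copy.
Option 3 deletes a bak folder only once everything in it matches the parent copy,
the state the post-option-2 log in this thread shows (same size and date in both).
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def bak_dirs(root: Path):
    return sorted(p for p in root.rglob("*") if p.is_dir() and p.name.lower() == "bak")

def scan(root: Path):
    """Option 1: (bak_file, parent_copy, state) for every file under a bak folder;
    state is 'identical', 'differs' or 'missing' (no same-named file in the parent)."""
    results = []
    for bak in bak_dirs(root):
        for original in sorted(p for p in bak.iterdir() if p.is_file()):
            parent_copy = bak.parent / original.name
            if not parent_copy.exists():
                state = "missing"
            elif sha256(original) == sha256(parent_copy):
                state = "identical"
            else:
                state = "differs"
            results.append((original, parent_copy, state))
    return results

def restore(root: Path):
    """Option 2: copy the bak original back over a differing or missing parent copy.
    The displaced file is kept beside it as <name>.rogue for analysis rather than deleted."""
    restored = []
    for original, parent_copy, state in scan(root):
        if state == "identical":
            continue
        if parent_copy.exists():
            parent_copy.replace(parent_copy.with_name(parent_copy.name + ".rogue"))
        shutil.copy2(original, parent_copy)
        restored.append(parent_copy)
    return restored

def remove_bak_folders(root: Path):
    """Option 3: delete bak folders whose files are all identical to the parent copies
    (an empty bak folder, like the Skype one in the thread's log, qualifies too)."""
    states = {}
    for original, _, state in scan(root):
        states.setdefault(original.parent, []).append(state)
    removed = []
    for bak in bak_dirs(root):
        if all(s == "identical" for s in states.get(bak, [])):
            shutil.rmtree(bak)
            removed.append(bak)
    return removed

def build_sample_tree() -> Path:
    """Constructed layout in a temp dir, modelled on the thread's log: QuickTime's real
    qttask.exe sits in bak with a dropped file at the original path, iTunes is already
    restored (both copies identical) and Skype/Phone/bak is empty."""
    root = Path(tempfile.mkdtemp(prefix="awf-"))
    qt = root / "Program Files" / "QuickTime"
    (qt / "bak").mkdir(parents=True)
    (qt / "bak" / "qttask.exe").write_bytes(b"MZ legitimate qttask")
    (qt / "qttask.exe").write_bytes(b"MZ dropped file")
    it = root / "Program Files" / "iTunes"
    (it / "bak").mkdir(parents=True)
    (it / "bak" / "iTunesHelper.exe").write_bytes(b"MZ iTunesHelper")
    (it / "iTunesHelper.exe").write_bytes(b"MZ iTunesHelper")
    (root / "Skype" / "Phone" / "bak").mkdir(parents=True)
    return root

def run_cleanup(root: Path) -> dict:
    """Scan, restore, rescan, then remove bak folders; report the state at each stage."""
    before = [s for _, _, s in scan(root)]
    restored = [p.name for p in restore(root)]
    after = [s for _, _, s in scan(root)]
    removed = len(remove_bak_folders(root))
    return {"before": before, "restored": restored, "after": after,
            "removed": removed, "bak_left": len(bak_dirs(root))}

if __name__ == "__main__":
    root = build_sample_tree()
    print(run_cleanup(root))
    shutil.rmtree(root)
```

Run as-is it builds the sample tree, prints the states before and after, and cleans up. The point of the rescan between option 2 and option 3 is the safety check a practitioner wants before deleting anything: a bak folder goes only when the copy at the original path already matches it byte for byte, so the only thing lost is a duplicate.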

#8 shepdaddy (Topic Starter)

Posted 01 November 2007 - 08:16 PM

SifuMike -

I don't know when or how I got it!?! I'm sure it doesn't help matters that my PC is used by all of my family members. I doubt that anyone has opened Vanessa Hudgens pictures - but I couldn't categorically rule it out.(?)

Anyway - here's the latest FindAWF run:


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Thu 11/01/2007
The current time is: 17:09:29.06


bak folders found
~~~~~~~~~~~


Directory of C:\DOCUME~1\CHLOE\LOCALS~1\APPLIC~1\SKYPE\PHONE\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report


Your help is appreciated!

Thank You!

#9 SifuMike (malware expert)

Posted 01 November 2007 - 10:49 PM

Hi shepdaddy,

We are almost done. :blink:


Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'


Using Windows Explorer, delete the following BAK folder:
C:\Documents and Settings\CHLOE\Local Settings\Application Data\SKYPE\PHONE\BAK <==folder

Then run FindAWF with Option 1 and post the FindAWF log. Hopefully all the BAK folders will be gone. :thumbsup:

#10 shepdaddy (Topic Starter)

Posted 02 November 2007 - 01:05 AM

SifuMike -

Here it is:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Thu 11/01/2007
The current time is: 22:07:22.21


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

Clean! :thumbsup:

I'm looking forward to having this issue defeated!!!

Thank YOU!

#11 SifuMike (malware expert)

Posted 02 November 2007 - 01:10 AM

Hi shepdaddy,

Run Option 4.

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones


When the program returns to the main menu, use the following option:
Press E then Enter to EXIT


Now let's run ComboFix.

If you have used ComboFix before, please delete the version you have and download it again, because ComboFix is updated every day.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Edited by SifuMike, 02 November 2007 - 01:11 AM.

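While the fresh HijackThis log SifuMike asks for above is being produced, here is an added example (not from this thread and not HijackThis code) of how the O2, O4 and R1 lines of an HJT log can be triaged for the leftovers this infection produces. The sample lines are copied from the HJT log posted later in this thread. The rules it applies are the ones a reviewer makes by eye: an autostart target whose path runs through a bak folder, a BHO registered with no file behind it, a ProxyServer value set, and an executable named without a directory. None of these on its own proves infection; they are the lines to look at next.

```python
"""Triage of HijackThis (HJT) log lines for the leftovers this thread deals with.

Added example; not HijackThis code and not from the thread. It flags:
  * O4 autostart entries whose target sits in a "bak" folder (the folder the
    whataboutadog/AWF infection creates when it moves the real executable aside)
  * O2 BHO entries ending in "(no file)" (CLSID registered, DLL gone)
  * an R1 ProxyServer entry (a manually configured proxy; confirm it is intended)
  * O4 entries that name an executable with no directory (resolved via the
    search path, so check which copy actually runs)
"""
import re
from typing import List, Tuple

# Lines copied from the HJT log posted in this thread (not a constructed sample).
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 209.241.144.106:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-21-2659711287-3124023048-1630502987-1006\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime (User 'Joni')
"""

# "O4 - <key>\..\Run: [<name>] <command>"
O4_RUN_RE = re.compile(r"^O4 - (?P<key>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First executable-looking token of an unquoted command; the non-greedy match stops
# at the first ".exe", so unquoted paths with spaces ("C:\Program Files\...") survive.
EXE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|com|scr|bat|cmd|dll))(?=\s|$)", re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")

def target_of(cmd: str) -> str:
    """Return the executable an O4 command line launches, without its arguments."""
    cmd = USER_SUFFIX_RE.sub("", cmd).strip()   # drop HJT's per-user annotation
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = EXE_RE.match(cmd)
    return m.group("path") if m else cmd.split(" ", 1)[0]

def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (kind, detail, note) findings for the lines worth a second look."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if line.startswith("R1 - ") and ",ProxyServer = " in line:
            findings.append(("proxy-set", line.split(" = ", 1)[1],
                             "manual proxy configured; confirm it is intended"))
        elif line.startswith("O2 - BHO:") and line.endswith("- (no file)"):
            findings.append(("orphan-bho", CLSID_RE.search(line).group(0),
                             "BHO CLSID registered but its DLL is missing"))
        else:
            m = O4_RUN_RE.match(line)
            if not m:
                continue
            target = target_of(m.group("cmd"))
            if not target:
                continue
            if re.search(r"\\bak\\", target, re.IGNORECASE):
                findings.append(("awf-bak-target", target,
                                 "autostart points into a bak folder (AWF pattern)"))
            elif "\\" not in target:
                findings.append(("bare-filename", target,
                                 "no directory given; verify which copy on the search path runs"))
    return findings

if __name__ == "__main__":
    for kind, detail, note in triage(SAMPLE_HJT_LOG):
        print(f"{kind:15} {detail}  <- {note}")
```

On the sample it reports the proxy value, the orphaned BHO CLSID, the bare Ati2mdxx.exe entry, and Joni's QuickTime Task entry that still points into the now-deleted QuickTime\bak folder; the HKLM QuickTime and dvd43 entries, which point at the restored originals, produce nothing.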

#12 shepdaddy (Topic Starter)

Posted 02 November 2007 - 03:03 AM

ComboFix:

ComboFix 07-11-01.1 - Jeffery 2007-11-02 1:03:55.1 - NTFSx86
Running from: C:\Documents and Settings\Jeffery\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-02 to 2007-11-02 )))))))))))))))))))))))))))))))
.

2007-11-02 00:54 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-29 11:56 <DIR> d-------- C:\Documents and Settings\Jeffery\Application Data\Uniblue
2007-10-29 11:56 <DIR> d-------- C:\DOCUME~1\Jeffery\APPLIC~1\Uniblue
2007-10-25 18:08 109,568 --a------ C:\Documents and Settings\Joni\matrix.dll
2007-10-21 13:21 1,126,072 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vsapint.sys
2007-10-21 13:21 300,816 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TM_CFW.sys
2007-10-21 13:21 202,768 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmxpflt.sys
2007-10-21 13:21 112,400 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tm_mbd_c.sys
2007-10-21 13:21 75,792 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmtdi.sys
2007-10-21 13:21 35,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmpreflt.sys
2007-10-21 13:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-10-09 16:40 582,656 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2007-10-05 18:31 74,752 --a------ C:\Documents and Settings\Gray.THEXPS\matrix.dll
2007-10-05 16:12 74,752 --a------ C:\Documents and Settings\Chloe\matrix.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-01 23:09 --------- d-----w C:\Program Files\QuickTime
2007-11-01 23:09 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-01 23:09 --------- d-----w C:\Program Files\iTunes
2007-11-01 23:09 --------- d-----w C:\Program Files\dvd43
2007-11-01 03:26 --------- d-----w C:\Program Files\Napster
2007-10-31 04:01 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-10-31 03:59 103,736 ----a-w C:\WINDOWS\SYSTEM32\PnkBstrB.exe
2007-10-21 19:20 --------- d-----w C:\Program Files\Trend Micro
2007-10-14 21:13 --------- d-----w C:\Documents and Settings\Jeffery\Application Data\tunebite
2007-10-14 21:13 --------- d-----w C:\DOCUME~1\Jeffery\APPLIC~1\tunebite
2007-09-21 13:41 --------- d-----w C:\Documents and Settings\Jeffery\Application Data\Citrix
2007-09-21 13:41 --------- d-----w C:\DOCUME~1\Jeffery\APPLIC~1\Citrix
2007-09-16 03:23 4,954 ----a-w C:\WINDOWS\SYSTEM32\ealregsnapshot1.reg
2007-09-14 00:04 --------- d-----w C:\Program Files\MSN Messenger
2007-09-13 02:46 66,872 ----a-w C:\WINDOWS\SYSTEM32\PnkBstrA.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-03-10 20:14 3,394,221 ----a-w C:\Documents and Settings\Downloads\dvd-ripper.exe
2007-02-22 04:21 12,692,472 ----a-w C:\Documents and Settings\Downloads\ead-installer.exe
2006-05-15 04:40 1 ----a-w C:\Documents and Settings\Jeffery\SI.bin
2006-02-08 01:48 92,392 ----a-w C:\Documents and Settings\Chloe\Application Data\GDIPFONTCACHEV1.DAT
2005-12-05 01:49 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2005-12-05 01:48 162 ---ha-w C:\Documents and Settings\Jeffery\hpothb07.dat
2005-10-12 18:45 159 ---ha-w C:\Documents and Settings\Joni\hpothb07.dat
2005-08-21 04:00 595,478 ----a-w C:\Documents and Settings\Downloads\lame3.97a11.zip
2005-08-21 03:40 2,807,950 ----a-w C:\Documents and Settings\Downloads\tunebite.exe
2005-04-19 20:34 92,392 ----a-w C:\Documents and Settings\Joni\Application Data\GDIPFONTCACHEV1.DAT
2005-02-06 23:54 92,392 ----a-w C:\Documents and Settings\Jeffery\Application Data\GDIPFONTCACHEV1.DAT
2005-02-06 23:54 92,392 ----a-w C:\DOCUME~1\Jeffery\APPLIC~1\GDIPFONTCACHEV1.DAT
2004-08-03 23:16 784 ----a-w C:\Documents and Settings\Jeffery\Application Data\mpauth.dat
2004-08-03 23:16 784 ----a-w C:\DOCUME~1\Jeffery\APPLIC~1\mpauth.dat
2004-07-03 05:21 20,630,968 ----a-w C:\Documents and Settings\Downloads\iTunesSetup.exe
2004-06-25 06:12 2,150,574 ----a-w C:\Documents and Settings\Downloads\adaware6181.exe
2004-05-08 05:24 174,668 ----a-w C:\Documents and Settings\Downloads\helsing_wall4_1024_768.zip
2004-05-02 18:48 2,980,606 ----a-w C:\Documents and Settings\Downloads\NissanMurano_PC_SSVR.zip
2004-03-10 05:54 521,044,461 ----a-w C:\Documents and Settings\Downloads\DemoFarCry.zip
2004-02-04 23:53 186,683,855 ----a-w C:\Documents and Settings\Downloads\3DMark03.exe
2004-02-04 21:34 8,500,746 ----a-w C:\Documents and Settings\Downloads\RangeStormerWMV.zip
2003-12-31 22:40 488,032 ----a-w C:\Documents and Settings\Downloads\PopUpStopperFree.exe
2003-12-31 22:36 33,088,810 ----a-w C:\Documents and Settings\Downloads\tis11sw1100.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 07:21]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 02:04]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 16:24 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-13 21:10]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2006-05-22 13:26]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]
"pccguide.exe"="C:\PROGRA~1\TRENDM~1\IN2591~1\pccguide.exe" [2007-04-12 04:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-09-01 19:52]
"Sonic RecordNow!"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-02 23:00]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-10-29 12:01]

C:\Documents and Settings\Joni\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2005-04-06 14:42:22]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 02:17:18]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 02:06:58]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Search"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGEIA PhysX SysTray]
C:\Program Files\AGEIA Technologies\TrayIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
REGSVR32.EXE /S CTASIO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SB Audigy 2 Startup Menu]
C:\Program Files\Creative\SBAudigy2\Program\Startup Menu\ChkColor.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tunebite.exe]
C:\Program Files\tunebite\tunebite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"ColdFusion MX 7 Search Server"=2 (0x2)
"ColdFusion MX 7 ODBC Server"=2 (0x2)
"ColdFusion MX 7 ODBC Agent"=2 (0x2)
"ColdFusion MX 7 Application Server"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)

R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys
S3 AtlsAud;Dell Movie Studio Audio Device;C:\WINDOWS\system32\drivers\AtlsAud.sys
S3 efipsk;efipsk;\??\C:\DOCUME~1\Jeffery\LOCALS~1\Temp\efipsk.sys
S3 EMATCORE;Dell Movie Studio Video Device;C:\WINDOWS\system32\Drivers\AtlsVid.sys
S3 ExtranetAccess;Contivity VPN Service;"C:\Program Files\Nortel Networks\Extranet_serv.exe"

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-02 01:26:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-02 1:33:16
.
--- E O F ---


HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:05 AM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\PcScnSrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\TmPfw.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\tmproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\All Users\Documents\Downloads\HJT\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 209.241.144.106:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\IN2591~1\pccguide.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKUS\S-1-5-21-2659711287-3124023048-1630502987-1006\..\Run: [Sonic RecordNow!] (User 'Joni')
O4 - HKUS\S-1-5-21-2659711287-3124023048-1630502987-1006\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe" (User 'Joni')
O4 - HKUS\S-1-5-21-2659711287-3124023048-1630502987-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Joni')
O4 - HKUS\S-1-5-21-2659711287-3124023048-1630502987-1006\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime (User 'Joni')
O4 - HKUS\S-1-5-21-2659711287-3124023048-1630502987-1006\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Joni')
O4 - S-1-5-21-2659711287-3124023048-1630502987-1006 Startup: PowerReg Scheduler.exe (User 'Joni')
O4 - S-1-5-21-2659711287-3124023048-1630502987-1006 User Startup: PowerReg Scheduler.exe (User 'Joni')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isearch.com/install/00002/chm.chm::/files/initial.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BA2CB6B1-03EE-4068-87CC-F5E4DD772A9B} (CCAOControl Object) - https://promontory-cag2.atk.com/citrixlogon...t/CitrixCAO.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup151.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\IN2591~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\IN2591~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\IN2591~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\IN2591~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\IN2591~1\tmproxy.exe
O24 - Desktop Component 0: (no name) - http://ww2.olntv.com/images/masthead.jpg

--
End of file - 10643 bytes

#13 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:11 PM

Posted 02 November 2007 - 09:52 AM

Hi shepdaddy,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 3.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 3".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
*******************************************

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isearch.com/install/00002/chm.chm::/files/initial.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe


If you do not want this image on your desktop, then Fix it.
O24 - Desktop Component 0: (no name) - http://ww2.olntv.com/images/masthead.jpg

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
• Clean any others that you choose.

In the Applications Tab:
• Clean all including cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Reboot your computer

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\DOCUME~1\Jeffery\LOCALS~1\Temp\efipsk.sys

Registry:: 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

Driver:: 
efipsk


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
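The reply above picks out two kinds of HijackThis entries for "fix checked": O2 BHOs whose DLL no longer exists ("(no file)") and O16 ActiveX (DPF) entries that load through the ms-its/mhtml CHM handler or point at a bare executable instead of a .cab. As an added example (not part of SifuMike's post or the thread), the Python below encodes that triage so it can be run over a saved HijackThis log. The heuristics are the editor's own, the sample lines are constructed copies of lines that appear in this thread, and nothing here modifies the system; it only reports which lines a helper would look at first.

```python
"""Triage HijackThis v2 log lines for the entry types flagged in this thread.

Added example, not code from the forum thread or from HijackThis itself.
Heuristics (editor's own, modelled on the helper's reply):
  * O2  - BHO whose file column reads "(no file)": orphaned registration.
  * O16 - DPF whose URL uses the ms-its:/mhtml: CHM handler.
  * O16 - DPF whose URL path ends in .exe rather than a .cab.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: lines copied in shape from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isearch.com/install/00002/chm.chm::/files/initial.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
"""

# "O2 - BHO: <name> - {CLSID} - <path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# "O16 - DPF: {CLSID} (<name>) - <url>"   (the "(<name>)" part is optional)
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section, e.g. "O2" or "O16"
    clsid: str     # the GUID of the entry
    reason: str    # why a helper would ask for this line to be fixed
    line: str      # the original log line


def check_o2(line: str):
    """Flag a BHO entry whose DLL is gone: the registration is dead weight."""
    m = O2_RE.match(line)
    if not m:
        return None
    if m["path"].strip().lower() == "(no file)":
        return Finding("O2", m["clsid"], "BHO registered but its DLL is missing (orphaned entry)", line)
    return None


def check_o16(line: str):
    """Flag DPF entries that do not look like an ordinary signed .cab download."""
    m = O16_RE.match(line)
    if not m:
        return None
    url = m["url"].strip()
    low = url.lower()
    if low.startswith("ms-its:") or "mhtml:" in low:
        return Finding("O16", m["clsid"], "DPF loads via the ms-its/mhtml CHM handler, not a plain .cab", line)
    if urlsplit(url).path.lower().endswith(".exe"):
        return Finding("O16", m["clsid"], "DPF source is a bare executable rather than a .cab", line)
    return None


CHECKS = (check_o2, check_o16)


def triage(log_text: str) -> list:
    """Run every check over every line; return findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in CHECKS:
            hit = check(line)
            if hit is not None:
                findings.append(hit)
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.clsid}: {f.reason}")
```

Run against the sample it reports exactly the three lines the helper asked to have fixed (the orphaned BHO, the isearch ms-its entry and the akamai .exe), and stays quiet on the legitimate Java BHO and the pcpitstop .cab. Point it at a real log with `triage(open("hijackthis.log").read())`; a hit is a prompt to look closer, not an automatic verdict.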

#14 shepdaddy

shepdaddy
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:11 AM

Posted 02 November 2007 - 07:34 PM

SifuMike -

Man I appreciate the effort you put into this! (And what a pain this has been!)

Here is the output from ComboFix. Note, however, that when it rebooted - my trendmicro was popping up warnings like crazy regarding dumphire.exe for a virus called Freeloader Smitraud. I presumed ComboFix was working away so all I did was close the warning windows. I hope I chose correctly.

Anyway - here's the latest ComboFix output:

ComboFix 07-11-01.1 - Jeffery 2007-11-02 18:10:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.591 [GMT -6:00]
Running from: C:\Documents and Settings\Jeffery\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jeffery\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\DOCUME~1\Jeffery\LOCALS~1\Temp\efipsk.sys
.

((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
.

2007-11-02 17:48 <DIR> d-------- C:\Program Files\CCleaner
2007-11-02 17:20 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-02 00:54 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-29 11:56 <DIR> d-------- C:\Documents and Settings\Jeffery\Application Data\Uniblue
2007-10-29 11:56 <DIR> d-------- C:\DOCUME~1\Jeffery\APPLIC~1\Uniblue
2007-10-25 18:08 109,568 --a------ C:\Documents and Settings\Joni\matrix.dll
2007-10-21 13:21 1,126,072 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vsapint.sys
2007-10-21 13:21 300,816 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TM_CFW.sys
2007-10-21 13:21 202,768 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmxpflt.sys
2007-10-21 13:21 112,400 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tm_mbd_c.sys
2007-10-21 13:21 75,792 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmtdi.sys
2007-10-21 13:21 35,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmpreflt.sys
2007-10-21 13:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-10-09 16:40 582,656 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2007-10-05 18:31 74,752 --a------ C:\Documents and Settings\Gray.THEXPS\matrix.dll
2007-10-05 16:12 74,752 --a------ C:\Documents and Settings\Chloe\matrix.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-02 23:20 --------- d-----w C:\Program Files\Java
2007-11-02 22:59 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-02 22:58 --------- d-----w C:\Program Files\Juice
2007-11-01 23:09 --------- d-----w C:\Program Files\QuickTime
2007-11-01 23:09 --------- d-----w C:\Program Files\iTunes
2007-11-01 23:09 --------- d-----w C:\Program Files\dvd43
2007-11-01 03:26 --------- d-----w C:\Program Files\Napster
2007-10-31 04:01 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-10-21 19:20 --------- d-----w C:\Program Files\Trend Micro
2007-10-14 21:13 --------- d-----w C:\Documents and Settings\Jeffery\Application Data\tunebite
2007-10-14 21:13 --------- d-----w C:\DOCUME~1\Jeffery\APPLIC~1\tunebite
2007-09-21 13:41 --------- d-----w C:\Documents and Settings\Jeffery\Application Data\Citrix
2007-09-21 13:41 --------- d-----w C:\DOCUME~1\Jeffery\APPLIC~1\Citrix
2007-09-14 00:04 --------- d-----w C:\Program Files\MSN Messenger
2007-03-10 20:14 3,394,221 ----a-w C:\Documents and Settings\Downloads\dvd-ripper.exe
2007-02-22 04:21 12,692,472 ----a-w C:\Documents and Settings\Downloads\ead-installer.exe
2006-05-15 04:40 1 ----a-w C:\Documents and Settings\Jeffery\SI.bin
2006-02-08 01:48 92,392 ----a-w C:\Documents and Settings\Chloe\Application Data\GDIPFONTCACHEV1.DAT
2005-12-05 01:49 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2005-12-05 01:48 162 ---ha-w C:\Documents and Settings\Jeffery\hpothb07.dat
2005-10-12 18:45 159 ---ha-w C:\Documents and Settings\Joni\hpothb07.dat
2005-08-21 04:00 595,478 ----a-w C:\Documents and Settings\Downloads\lame3.97a11.zip
2005-08-21 03:40 2,807,950 ----a-w C:\Documents and Settings\Downloads\tunebite.exe
2005-04-19 20:34 92,392 ----a-w C:\Documents and Settings\Joni\Application Data\GDIPFONTCACHEV1.DAT
2005-02-06 23:54 92,392 ----a-w C:\Documents and Settings\Jeffery\Application Data\GDIPFONTCACHEV1.DAT
2005-02-06 23:54 92,392 ----a-w C:\DOCUME~1\Jeffery\APPLIC~1\GDIPFONTCACHEV1.DAT
2004-08-03 23:16 784 ----a-w C:\Documents and Settings\Jeffery\Application Data\mpauth.dat
2004-08-03 23:16 784 ----a-w C:\DOCUME~1\Jeffery\APPLIC~1\mpauth.dat
2004-07-03 05:21 20,630,968 ----a-w C:\Documents and Settings\Downloads\iTunesSetup.exe
2004-06-25 06:12 2,150,574 ----a-w C:\Documents and Settings\Downloads\adaware6181.exe
2004-05-08 05:24 174,668 ----a-w C:\Documents and Settings\Downloads\helsing_wall4_1024_768.zip
2004-05-02 18:48 2,980,606 ----a-w C:\Documents and Settings\Downloads\NissanMurano_PC_SSVR.zip
2004-03-10 05:54 521,044,461 ----a-w C:\Documents and Settings\Downloads\DemoFarCry.zip
2004-02-04 23:53 186,683,855 ----a-w C:\Documents and Settings\Downloads\3DMark03.exe
2004-02-04 21:34 8,500,746 ----a-w C:\Documents and Settings\Downloads\RangeStormerWMV.zip
2003-12-31 22:40 488,032 ----a-w C:\Documents and Settings\Downloads\PopUpStopperFree.exe
2003-12-31 22:36 33,088,810 ----a-w C:\Documents and Settings\Downloads\tis11sw1100.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-02_ 1.30.38.84 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 16:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2007-10-31 09:53:13 231,424 ----a-w C:\WINDOWS\SYSTEM32\INETSRV\MetaBase.bin
+ 2007-11-03 00:22:09 231,421 ----a-w C:\WINDOWS\SYSTEM32\INETSRV\MetaBase.bin
- 2005-11-10 18:27:06 49,248 ----a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2007-09-25 04:30:28 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
- 2005-11-10 18:27:16 49,250 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2007-09-25 04:30:30 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
- 2005-11-10 20:03:54 127,078 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
+ 2007-09-25 05:31:42 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 07:21]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 02:04]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 16:24 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-13 21:10]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2006-05-22 13:26]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]
"pccguide.exe"="C:\PROGRA~1\TRENDM~1\IN2591~1\pccguide.exe" [2007-04-12 04:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Sonic RecordNow!"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-02 23:00]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-10-29 12:01]

C:\Documents and Settings\Joni\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2005-04-06 14:42:22]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 02:17:18]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 02:06:58]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Search"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGEIA PhysX SysTray]
C:\Program Files\AGEIA Technologies\TrayIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
REGSVR32.EXE /S CTASIO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SB Audigy 2 Startup Menu]
C:\Program Files\Creative\SBAudigy2\Program\Startup Menu\ChkColor.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tunebite.exe]
C:\Program Files\tunebite\tunebite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"ColdFusion MX 7 Search Server"=2 (0x2)
"ColdFusion MX 7 ODBC Server"=2 (0x2)
"ColdFusion MX 7 ODBC Agent"=2 (0x2)
"ColdFusion MX 7 Application Server"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)

R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
R3 AtlsAud;Dell Movie Studio Audio Device;C:\WINDOWS\system32\drivers\AtlsAud.sys
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys
R3 EMATCORE;Dell Movie Studio Video Device;C:\WINDOWS\system32\Drivers\AtlsVid.sys
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys
S3 ExtranetAccess;Contivity VPN Service;"C:\Program Files\Nortel Networks\Extranet_serv.exe"

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-02 18:22:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-02 18:26:17 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-02 01:33
.
--- E O F ---


AND -

Here is the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:17 PM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\PcScnSrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\tmproxy.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\TRENDM~1\IN2591~1\pccguide.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Documents\Downloads\HJT\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 209.241.144.106:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\IN2591~1\pccguide.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BA2CB6B1-03EE-4068-87CC-F5E4DD772A9B} (CCAOControl Object) - https://promontory-cag2.atk.com/citrixlogon...t/CitrixCAO.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup151.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\IN2591~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\IN2591~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\IN2591~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\IN2591~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\IN2591~1\tmproxy.exe

--
End of file - 9170 bytes

Sifu - YOU ROCK!

#15 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:11 PM

Posted 02 November 2007 - 08:57 PM

Hi shepdaddy,

I presumed ComboFix was working away so all I did was close the warning windows. I hope I chose correctly.


Yes, you chose correctly. :thumbsup: I always say to close the antivirus program, as it sees ComboFix programs and goes bonkers.

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)


Reboot and post a fresh Hijackthis log for a final check.

Edited by SifuMike, 02 November 2007 - 08:57 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
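To show what the "fix checked" step above is targeting, here is an added Python script (it is not part of this thread and not part of HijackThis) that scans HijackThis log text and lists the entries whose target file the tool reports as absent, i.e. the "(no file)" and "(file missing)" markers that both lines SifuMike singled out carry. Such orphaned entries point at nothing on disk, so removing them cannot break a working program. The sample log is constructed from entries that appear in this thread; the function and variable names are my own.

```python
"""Find HijackThis entries whose target file is reported absent.

Added example for this thread; not from the forum post or from HijackThis.
"""
import re

# Constructed sample, assembled from entries posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 9170 bytes
"""

# Every HijackThis entry starts with a section code such as O2, O9, O16, O23.
ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.+?)\s*$")
# A CLSID in the usual {8-4-4-4-12} hex form.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Markers HijackThis appends when the referenced file does not exist.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entries(log_text):
    """Turn log text into a list of dicts; non-entry lines (headers, footer) are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        clsid = CLSID_RE.search(body)
        entries.append({
            "section": section,
            "body": body,
            "clsid": clsid.group(0) if clsid else None,
            "line": line,
        })
    return entries


def find_orphan_entries(log_text):
    """Return the entries whose target file HijackThis reports as absent."""
    return [e for e in parse_entries(log_text) if e["body"].endswith(ORPHAN_MARKERS)]


def fix_list(log_text):
    """Return the exact log lines a helper would ask the user to tick under 'fix checked'."""
    return [e["line"] for e in find_orphan_entries(log_text)]


if __name__ == "__main__":
    for line in fix_list(SAMPLE_LOG):
        print(line)
```

Run against the constructed sample it prints exactly the two lines from the post above (the O2 BHO with "(no file)" and the O9 MoneySide button with "(file missing)"); the Java button, the Dell ActiveX control and the PnkBstrA service all point at existing files or URLs and are left alone, which matches the helper's choice. A real check would still require a human to read the non-orphan entries, as the script only encodes the "target is missing" rule.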



