Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Whataboutadog Virus Awf


  • This topic is locked This topic is locked
13 replies to this topic

#1 Daleboom

Daleboom

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:41 AM

Posted 01 November 2007 - 09:37 PM

I have Trend Micro PC-cillin Internet Security 2007. I see I have the now popular "whataboutadog" virus and its related partners. In understand that I need to do something with AWF, but I am not smart enough to figure it out. I have done all of the purging, cleaning and prepping recommended.

Besides solving this virus is there any other junk or potential problems you see ???

Please Help ....



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:42 PM, on 11/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\REGSHAVE\REGSHAVE.EXE
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ClearPlay\ClearPlay Easy Updates\ClearPlayEasyUpdates.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.accuweather.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SonicWALLNetExtender] C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe -hideGUI -clearReboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickenScheduledUpdates] C:\Program Files\Quicken\bagent.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ClearPlay Easy Updates.lnk = C:\Program Files\ClearPlay\ClearPlay Easy Updates\ClearPlayEasyUpdates.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: http://vpn.whsystems.com
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162438597812
O16 - DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} (NELaunchCtrl Class) - https://vpn.whsystems.com/NELX.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SonicWALL NetExtender Service (SONICWALL_NetExtender) - SonicWALL Inc. - C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe

--
End of file - 11358 bytes

BC AdBot (Login to Remove)

 


#2 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:11:41 AM

Posted 01 November 2007 - 10:42 PM

Hello Daleboom and welcome to BC :thumbsup:

My name is SNOWHITE and I will be helping you with your Malware problem.

Please follow the steps below exactly in the order they are written:

Step #1

Click HERE to download FindAWF.exe and save it to your desktop.
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 1, then press Enter.
FindAWF tool will begin scanning.
It may take a few minutes to complete so be patient.
When the scan is finished, a text file in notepad called AWF.txt will automatically open.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.

Step #2

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
In your next post please include the following reports:
  • FindAWF report
  • dss scan reports main.txt and extra.txt
Let me know how the things went.

Regards,
SNOWHITE
Posted Image

#3 Daleboom

Daleboom
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:41 AM

Posted 02 November 2007 - 05:13 PM

Hi Snowhite, Thanks for your help ... the Step 1 search took more than a half an hour ... here is the AWF report.


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Fri 11/02/2007
The current time is: 17:01:41.39


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

09/14/2007 10:00 AM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes

Directory of C:\PROGRA~1\QUICKEN\BAK

05/07/2007 02:17 PM 87,592 bagent.exe
1 File(s) 87,592 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\REGSHAVE\BAK

02/04/2002 11:32 PM 53,248 REGSHAVE.EXE
1 File(s) 53,248 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 07:00 AM 15,360 ctfmon.exe
03/10/2004 04:26 PM 406,016 PSDrvCheck.exe
2 File(s) 421,376 bytes

Directory of C:\PROGRA~1\ANALOG~1\CORE\BAK

10/14/2004 05:42 PM 1,404,928 smax4pnp.exe
1 File(s) 1,404,928 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

08/25/2004 02:52 PM 339,968 atiptaxx.exe
1 File(s) 339,968 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

10/12/2004 06:54 PM 57,344 DVDLauncher.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

01/12/2005 02:54 PM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

02/17/2005 12:11 AM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\INTEL\INTELA~1\BAK

03/23/2004 02:16 PM 135,168 iaanotif.exe
1 File(s) 135,168 bytes

Directory of C:\PROGRA~1\INTEL\MODEME~1\BAK

09/03/2003 10:12 PM 221,184 IntelMEM.exe
1 File(s) 221,184 bytes

Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK

05/08/2003 11:00 AM 49,152 OpwareSE2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~3\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

08/13/2004 03:05 AM 122,939 tfswctrl.exe
1 File(s) 122,939 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 03:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

09/11/2006 04:56 AM 86,960 issch.exe
09/11/2006 04:56 AM 218,032 ISUSPM.exe
2 File(s) 304,992 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

01/07/2004 03:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\PROGRA~1\SONICW~1\SSL-VPN\NETEXT~1\BAK

04/25/2007 05:31 PM 558,776 NEGui.exe
1 File(s) 558,776 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.2\APPS\BAK

03/09/2007 11:09 AM 63,712 apdproxy.exe
1 File(s) 63,712 bytes

Directory of C:\PROGRA~1\PINNACLE\SHARED~1\PROGRAMS\USBTIP\BAK

04/23/2004 11:00 AM 192,512 USBTip.exe
1 File(s) 192,512 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

267064 Sep 26 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 14 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Oct 10 2007 "C:\WINDOWS\Installer\{B045B608-4A47-4C77-9EAD-06C394503306}\iTunesIco.exe"
116024 Oct 10 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.3.1\iTunesSetupAdmin.exe"
28172 Oct 3 2007 "C:\Program Files\Quicken\bagent.exe"
87592 May 7 2007 "C:\Program Files\Quicken\bak\bagent.exe"
28172 Oct 3 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
28172 Oct 3 2007 "C:\Program Files\REGSHAVE\REGSHAVE.EXE"
53248 Feb 4 2002 "C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
28172 Oct 3 2007 "C:\WINDOWS\SYSTEM32\PSDrvCheck.exe"
406016 Mar 10 2004 "C:\WINDOWS\SYSTEM32\bak\PSDrvCheck.exe"
1404928 Oct 14 2004 "C:\DRIVERS\AUDIO\SMAX4PNP.EXE"
28172 Oct 3 2007 "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
1404928 Oct 14 2004 "C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"
28172 Oct 3 2007 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
339968 Aug 25 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
28172 Oct 3 2007 "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
57344 Oct 12 2004 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
28172 Oct 3 2007 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
241664 Jan 12 2005 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
321 Oct 3 2007 "C:\Program Files\HP\hpcoretech\data\EvntData-1082620740.xml"
324 Oct 27 2007 "C:\Program Files\HP\hpcoretech\bak\data\EvntData-1392857164.xml"
28172 Oct 3 2007 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 17 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
28172 Oct 3 2007 "C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe"
135168 Mar 23 2004 "C:\Program Files\Intel\Intel Application Accelerator\bak\iaanotif.exe"
28172 Oct 3 2007 "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
221184 Sep 3 2003 "C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
28172 Oct 3 2007 "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
49152 May 8 2003 "C:\Program Files\ScanSoft\OmniPageSE2.0\bak\OpwareSE2.exe"
28172 Oct 3 2007 "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe"
122939 Aug 13 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
122939 Aug 13 2004 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
28172 Oct 3 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_SL.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
28172 Oct 3 2007 "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe"
86960 Sep 11 2006 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
28172 Oct 3 2007 "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
218032 Sep 11 2006 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
28172 Oct 3 2007 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
110592 Jan 7 2004 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
32881 Sep 28 2004 "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
28172 Oct 3 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
32881 Feb 12 2007 "C:\Program Files\Britannica 7.0\Desktop Encyclopedia\jre\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
28172 Oct 3 2007 "C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe"
558776 Apr 25 2007 "C:\Program Files\SonicWALL\SSL-VPN\NetExtender\bak\NEGui.exe"
61440 Oct 19 2006 "C:\Program Files\Adobe\Adobe Premiere Elements 3.0\APD\Photo Downloader\apdproxy.exe"
28172 Oct 3 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"
28172 Oct 3 2007 "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
192512 Apr 23 2004 "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\bak\USBTip.exe"


end of report

Here is the main.txt report ...


Deckard's System Scanner v20071014.68
Run by Paul on 2007-11-02 17:55:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
70: 2007-11-02 21:55:36 UTC - RP807 - Deckard's System Scanner Restore Point
69: 2007-11-02 11:37:19 UTC - RP806 - System Checkpoint
68: 2007-10-31 22:24:38 UTC - RP805 - System Checkpoint
67: 2007-10-30 21:52:38 UTC - RP804 - System Checkpoint
66: 2007-10-29 16:45:27 UTC - RP803 - Installed InstallShield Restore Point


-- First Restore Point --
1: 2007-08-05 18:03:18 UTC - RP738 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Paul.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:40 PM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ClearPlay\ClearPlay Easy Updates\ClearPlayEasyUpdates.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\bak\ISUSPM.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Paul\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Paul.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.accuweather.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SonicWALLNetExtender] C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe -hideGUI -clearReboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickenScheduledUpdates] C:\Program Files\Quicken\bagent.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ClearPlay Easy Updates.lnk = C:\Program Files\ClearPlay\ClearPlay Easy Updates\ClearPlayEasyUpdates.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: http://vpn.whsystems.com
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162438597812
O16 - DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} (NELaunchCtrl Class) - https://vpn.whsystems.com/NELX.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SonicWALL NetExtender Service (SONICWALL_NetExtender) - SonicWALL Inc. - C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe

--
End of file - 11262 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 cmosa - c:\windows\system32\drivers\cmosa.sys <Not Verified; Dell Computer Corporation.; Dell® OpenManage Client Instrumentation>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 PCLEPCI - c:\windows\system32\drivers\pclepci.sys <Not Verified; Pinnacle Systems GmbH; PCLEPCI>
R3 ASAPIW2k - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; Pinnacle Systems GmbH; asapi>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\80EA7163D100
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\80EA7163D100
Service: NIC1394


-- Scheduled Tasks -------------------------------------------------------------

2007-10-31 23:50:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-10-26 18:30:00 350 --a------ C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (MAIN-Carol).job
2007-09-21 20:13:00 356 --a------ C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp officejet 5500 series#1109034692.job


-- Files created between 2007-10-02 and 2007-11-02 -----------------------------

2007-11-01 21:07:28 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-11-01 20:58:06 0 d-------- C:\Documents and Settings\Paul\Application Data\HouseCall 6.6
2007-11-01 20:22:26 0 d-------- C:\Documents and Settings\Paul\.housecall6.6
2007-10-29 09:02:17 0 d-------- C:\Documents and Settings\Paul\Application Data\Canon
2007-10-23 22:40:32 0 d-------- C:\Program Files\Eusing Free Registry Cleaner
2007-10-08 08:41:51 0 d-------- C:\Program Files\WinBudget
2007-10-03 22:45:08 0 d-------- C:\WINDOWS\system32\bak
2007-10-03 18:58:43 0 d-------- C:\Program Files\SonicWALL


-- Find3M Report ---------------------------------------------------------------

2007-11-01 22:24:50 0 d-------- C:\Program Files\Trend Micro
2007-11-01 21:29:02 0 d-------- C:\Program Files\iTunes
2007-11-01 21:27:50 0 d-------- C:\Program Files\FinePixViewer
2007-11-01 21:26:27 0 d-------- C:\Program Files\Google
2007-10-10 19:42:32 0 d-------- C:\Program Files\iPod
2007-10-06 15:17:46 0 d-------- C:\Program Files\Java
2007-10-04 06:53:33 0 d-------- C:\Program Files\Intel
2007-10-04 06:53:32 0 d-------- C:\Documents and Settings\Paul\Application Data\InstallShield
2007-10-03 22:53:20 0 d-------- C:\Program Files\REGSHAVE
2007-10-03 22:53:20 0 d-------- C:\Program Files\QuickTime
2007-10-03 22:53:19 0 d-------- C:\Program Files\Quicken
2007-10-03 22:50:42 28172 --a------ C:\WINDOWS\system32\PSDrvCheck.exe
2007-09-26 10:20:38 0 d-------- C:\Program Files\RM1Demo
2007-09-26 04:17:34 0 d-------- C:\Program Files\Apple Software Update
2007-09-24 12:43:52 17503 --a------ C:\WINDOWS\rosebb.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/03/2007 10:50 PM]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [10/03/2007 10:50 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [10/03/2007 10:50 PM]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [10/03/2007 10:50 PM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [10/03/2007 10:50 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [10/03/2007 10:50 PM]
"DXDllRegExe"="dxdllreg.exe" []
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [10/03/2007 10:50 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [10/03/2007 10:50 PM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [10/03/2007 10:50 PM]
"USB2Check"="C:\WINDOWS\system32\PCLECoInst.dll" [04/06/2004 07:05 PM]
"USBToolTip"="C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [10/03/2007 10:50 PM]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [10/03/2007 10:50 PM]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [10/03/2007 10:50 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [10/03/2007 10:50 PM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [01/23/2007 03:26 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [10/03/2007 10:50 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/03/2007 10:50 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/03/2007 10:50 PM]
"SonicWALLNetExtender"="C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [10/03/2007 10:50 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/26/2007 02:42 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [10/03/2007 10:50 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [10/03/2007 10:50 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]
"QuickenScheduledUpdates"="C:\Program Files\Quicken\bagent.exe" [10/03/2007 10:50 PM]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe" [09/11/2006 04:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/11/2007 07:47 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Paul\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 8:16:50 PM]
ClearPlay Easy Updates.lnk - C:\Program Files\ClearPlay\ClearPlay Easy Updates\ClearPlayEasyUpdates.exe [4/19/2007 4:28:46 PM]
DESKTOP.INI [8/10/2004 3:04:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 3:04:12 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [7/7/2003 2:20:40 AM]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{769c3b04-1c63-11dc-911d-001111c3f6f6}]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea19d9a6-5256-11dc-9181-001111c3f6f6}]
AutoRun\command- H:\ClearPlayEasyUpdates.exe




-- End of Deckard's System Scanner: finished at 2007-11-02 17:59:21 ------------


Here is the extra.txt report ...


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.20GHz
CPU 1: Intel® Pentium® 4 CPU 3.20GHz
Percentage of Memory in Use: 62%
Physical Memory (total/avail): 1022.09 MiB / 380.77 MiB
Pagefile Memory (total/avail): 2460.78 MiB / 1861.61 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.13 MiB

C: is Fixed (NTFS) - 145.77 GiB total, 51.8 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Fixed (NTFS) - 465.76 GiB total, 465.68 GiB free.
G: is Removable (No Media)
I: is Network (Unformatted)
S: is Network (Unformatted)
U: is Network (Unformatted)

\\.\PHYSICALDRIVE1 - SAMSUNG HD501LJ - 465.76 GiB - 1 partition
\PARTITION0 - Installable File System - 465.76 GiB - F:

\\.\PHYSICALDRIVE0 - ST3160023AS - 149.01 GiB - 3 partitions
\PARTITION0 - Unknown - 70.57 MiB
\PARTITION1 (bootable) - Installable File System - 145.77 GiB - C:
\PARTITION2 - Unknown - 3.17 GiB

\\.\PHYSICALDRIVE2 - Canon MP500Storage USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Trend Micro PC-cillin Internet Security (Firewall) v15 (Trend Micro, Inc.)
AV: Trend Micro PC-cillin Internet Security 2007 v15.30.1151 (Trend Micro, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Paul\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
COLLECTIONID=COL8143
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MAIN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HMSERVER=https://wwss1pro.cce.hp.com/wuss/servlet/WUSSServlet
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Paul
ITEMID=dj-22741-15
LANG=1033
LOGONSERVER=\\MAIN
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
OSVER=winXPH
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\PROGRA~1\COMMON~1\SONICS~1\;C:\Program Files\Common Files\Sonic Shared;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SESSIONID=1110920389034htx694159df6c:102d441ff2c:-61ee
SESSIONNAME=Console
SWUTVER=1.0.18.20030625
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Paul\LOCALS~1\Temp
TIMEOUT=0
TMP=C:\DOCUME~1\Paul\LOCALS~1\Temp
TOOLPATH=/C:\Program%20Files\HP\HP%20Software%20Update\install.htm
UPDATEDIR=C:\DOCUME~1\Paul\LOCALS~1\Temp\radAC10E.tmp
USERDOMAIN=MAIN
USERNAME=Paul
USERPROFILE=C:\Documents and Settings\Paul
VERSION=3.0.5.001
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Paul (admin)
Kids


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
"Doras Carnival Adventure (remove only)" --> "C:\Program Files\Doras Carnival Adventure\Uninstall.exe"
3D Home Architect Deluxe --> C:\WINDOWS\uninst.exe -fC:\3dhmedlx\DeIsL1.isu
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5102}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Help Center 2.1 --> MsiExec.exe /I{25569723-DC5A-4467-A639-79535BF01B71}
Adobe Premiere Elements 3.0 Templates Tryout --> MsiExec.exe /I{6EACDDF4-4220-49A3-9204-984C86852C3D}
Adobe Premiere Elements 3.0 Tryout --> msiexec /I {530AFAFF-6F0A-48BB-88D0-04F9658322D3}
Adobe Premiere Elements 3.0 Tryout --> MsiExec.exe /I{530AFAFF-6F0A-48BB-88D0-04F9658322D3}
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
Adobe® Photoshop® Album Starter Edition 3.2 --> MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
Apple Mobile Device Support --> MsiExec.exe /I{3EBD3749-304E-4A4C-9575-C00E5F015217}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ArcSoft Camera Suite 1.3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AD13BFB0-FDD2-4AFA-A8AF-9F4A950D56B7}\setup.exe" -l0x9
ArcSoft PhotoStudio 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85309D89-7BE9-4094-BB17-24999C6118FC}\SETUP.EXE" -l0x9
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Autodesk DWF Viewer --> C:\PROGRA~1\Autodesk\AUTODE~1\Setup.exe /remove
Banctec Service Agreement --> MsiExec.exe /X{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}
BibleWorks 4.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BibleWorks 4.0\Uninst.isu"
Blue's Reading Time Activities --> C:\WINDOWS\IsUninst.exe -f"C:\HEGames\Blue's Reading Time Activities\Uninst.isu"
BR - Frog and Hen --> C:\WINDOWS\unvise32.exe C:\Program Files\sz8076\uninstal.log
Brain Builder 3.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Advanced Brain Technologies\Brain Builder 3.0\Uninst.isu"
Broadcom Advanced Control Suite 2 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2E086814-7392-4E0F-ADB8-54A81E47406C} /l1033
Canon Camera Support Core Library --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{26BDE7D8-93F0-4A07-AD47-1707DB417941} /l1033
Canon Camera Window for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{B34BE30D-A759-4EC2-B58F-19FE2DEBF651}
Canon MovieEdit Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{DE286975-ACF1-45B8-9EF7-34E162B2C817}
Canon MP Navigator 2.0 --> "C:\Program Files\Canon\MP Navigator 2.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator 2.0\uninst.ini
Canon MP500 --> "C:\WINDOWS\system32\CanonMP Uninstaller Information\{BA4DF4C3-196E-4128-969A-00996B5A46F8}\DelDrv.exe" /U:{BA4DF4C3-196E-4128-969A-00996B5A46F8} /L0x0009
Canon PhotoRecord --> MsiExec.exe /X{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}
Canon RAW Image Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{68E7E8BD-2233-49BE-81D6-1A1FAF1B5196}
Canon RemoteCapture Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{CF2C1A86-5A98-4862-A3AE-9992E3A6427D}
Canon Utilities Easy-PhotoPrint --> C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
Canon Utilities PhotoStitch 3.1 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{EF4C7EB0-D71B-43A3-9552-8053DE4B0401}
Canon Utilities ZoomBrowser EX --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
ClearPlay Easy Updates --> MsiExec.exe /I{8CCD293C-0563-4EB0-BFAF-F279B61A6F32}
ClickArt 250,000 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{60C3EE8A-5E27-4CBA-8BA6-C27E6E3C5087}\setup.exe" -l0x9 anything
Creative Memories StoryBook Creator --> MsiExec.exe /I{431C29DE-AC4A-4D0F-B8D2-0D94BE9EEAFE}
Curious George Reading and Phonics --> C:\Program Files\Common Files\Knowledge Adventure\Uninstall\CGLearnUn.exe
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Media Experience --> MsiExec.exe /I{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}
Dell Media Experience Update --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CDE4CC8B-134B-421E-943C-90799E56F664}\setup.exe" -l0x9 -L0x9 /SMAINT
Dell Picture Studio v3.0 --> MsiExec.exe /I{AF06CAE4-C134-44B1-B699-14FBDB63BD37}
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
Desktop Encyclopedia --> "C:\Program Files\Britannica 7.0\Desktop Encyclopedia\UninstallerData\Uninstall Desktop Encyclopedia.exe"
Dreamship Tales --> C:\WINDOWS\TLCUninstall.exe -f "C:\Program Files\The Learning Company\Dreamship Tales\Uninstall.xml"
Easy-WebPrint --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
Eusing Free Registry Cleaner --> C:\PROGRA~1\EUSING~1\UNWISE.EXE C:\PROGRA~1\EUSING~1\INSTALL.LOG
Family Tree Maker --> C:\FTW\uninstal.exe
Fidelity Active Trader Pro® --> MsiExec.exe /X{916007E7-1A1D-4278-BCC9-E90EFF35B232}
FinePixViewer Ver.3.2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{24ED4D80-8294-11D5-96CD-0040266301AD} /l1033
FLEXnet Connect SDK --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F1E9E57-DD22-11D5-8B43-00105A9846E9}\setup.exe" -l0x9 -removeonly
FUJIFILM USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5490882C-6961-11D5-BAE5-00E0188E010B}\SETUP.EXE"
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Greeting Card Factory --> MsiExec.exe /X{711306A1-00FE-47B3-935A-B02A86B3476A}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HouseCall 6.6 --> "C:\Documents and Settings\Paul\Application Data\HouseCall 6.6\uninstaller.exe"
HP Photo & Imaging 3.1 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 3.0 --> "C:\Program Files\HP\Digital Imaging\{F38FA38A-7E5A-4209-88ED-4DE21CD20EEF}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Update --> MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
ImageMixer VCD for FinePix --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D3AA158A-9421-4883-8767-E771B0964A1D}\setup.exe"
Intel Application Accelerator --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}\setup.exe" -l0409 -INTELUNINST
Intel® 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP V9x DF PCI Modem"
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
iTunes --> MsiExec.exe /I{B045B608-4A47-4C77-9EAD-06C394503306}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Jasc Paint Shop Photo Album 5 --> MsiExec.exe /I{4192EAC0-6B36-4723-B216-D0E86E7757AC}
Jasc Paint Shop Pro Studio --> MsiExec.exe /I{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}
Jasc Paint Shop Pro Studio Additional Content --> C:\Program Files\Jasc Software Inc\Paint Shop Pro Studio\Unwise.exe /R /U C:\PROGRA~1\JASCSO~1\PAINTS~1\INSTALL.LOG
Jasc Paint Shop Pro Studio.01 - (1.0.1.1) --> C:\Program Files\Jasc Software Inc\Paint Shop Pro Studio\Unwise.exe /R /U C:\PROGRA~1\JASCSO~1\PAINTS~1\INSTALL.LOG
Java 2 Runtime Environment, SE v1.4.2_06 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142060}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
JumpStart Advanced Kindergarten --> C:\Program Files\Common Files\Knowledge Adventure\Uninstall\UNKinder2002.exe
L&H TTS3000 Espańol --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\LHTTSSPE.inf, Uninstall
LabelCreator Pro --> MsiExec.exe /X{9E9AEBE7-58A9-11D8-80AE-00036D10F3B7}
Learn to Read with Phonics 1st and 2nd Grade --> C:\WINDOWS\TLCUninstall.exe -f "C:\Program Files\The Learning Company\Learn to Read with Phonics 1st and 2nd Grade\Uninstall.xml"
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Lernout & Hauspie TruVoice American English TTS Engine --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
Little Bear Rainy Day Activities --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative Wonders\Little Bear Rainy Day Activities\Uninst.isu"
Maisy's Playhouse --> C:\Maisy1\UNWISE.EXE /A C:\Maisy1\INSTALL.LOG
Memories Disc Creator 2.0 --> MsiExec.exe /X{2E132061-C78A-48D4-A899-1D13B9D189FA}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Basic Edition 2003 --> MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft Text-to-Speech Engine 4.0 (English) --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msTTS.inf, Uninstall
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Modem Event Monitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}\setup.exe" -l0x9
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Modem On Hold --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
My Way Search Assistant --> rundll32 C:\PROGRA~1\MyWaySA\SrchAsDe\1.bin\desrcas.dll,O
Netflix Movie Viewer --> MsiExec.exe /X{BCE72AED-3332-4863-9567-C5DCB9052CA2}
NetZero For Riverdeep --> MsiExec.exe /X{86C1A488-24AD-42F0-BCEF-FDB11FC2BEFA}
OmniPage SE 2.0 --> MsiExec.exe /I{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}
overland --> MsiExec.exe /I{766273C1-A39B-47EB-ACE8-DEBDD8094BCC}
Paint Shop Pro 4 Shareware --> C:\PROGRA~1\PAINTS~1\UNWISE.EXE C:\PROGRA~1\PAINTS~1\INSTALL.LOG
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Photo Click --> MsiExec.exe /I{6E179C77-7335-458D-9537-4F4EAC0181ED}
Photo Story 3 for Windows --> MsiExec.exe /I{4F41AD68-89F2-4262-A32C-2F70B01FCE9E}
Pinnacle Hollywood FX for Studio --> C:\WINDOWS\unvise32.exe C:\Program Files\Pinnacle\Hollywood FX for Studio\5.5\uninstal.log
Pinnacle Instant DVD Recorder --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF781A5C-58F5-4BFD-87F9-E4F14D382F25}\Setup.exe" -l0x9 UNINSTALL
PowerDVD 5.3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Quicken 2007 --> MsiExec.exe /X{0D2E80C8-0875-43EB-9623-47118E2DFBCA}
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
Reader Rabbit's Math Ages 6-9 --> C:\WINDOWS\IsUninst.exe -fC:\Tlcwin\Math6-9\Uninst\DeIsL1.isu
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Scrapbook Factory Deluxe --> MsiExec.exe /X{225DA7CB-C773-4F68-8068-184C4082C2F1}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SmartSound Quicktracks Plugin --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic MyDVD --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
SonicWALL SSL-VPN NetExtender --> C:\Program Files\SonicWALL\SSL-VPN\NetExtender\uninst.exe
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Strawberry Shortcake - Amazing Cookie Party --> C:\WINDOWS\TLCUninstall.exe -f "C:\Program Files\The Learning Company\Strawberry Shortcake - Amazing Cookie Party\Uninstall.xml"
SwordSearcher 4.7 Evaluation Version --> "C:\Program Files\SwordSearcher 4\unins000.exe"
The Game Of Life --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Hasbro Interactive\The Game Of Life\DeIsL1.isu" -c"C:\Program Files\Hasbro Interactive\The Game Of Life\_ISREG32.DLL"
Trend Micro PC-cillin Internet Security 2007 --> C:\PROGRA~1\TRENDM~1\INTERN~3\remove.exe
Trend Micro PC-cillin Internet Security 2007 --> MsiExec.exe /X{BB4B6355-D38A-492C-873B-A1B2CF6C3832}
URGE --> MsiExec.exe /I{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Virtools 3D Life Player --> C:\Program Files\Virtools\3D Life Player\WebplayerConfig.exe -u
Where in the World Is Carmen Sandiego? Treasures of Knowledge --> C:\Program Files\The Learning Company\Where in the World Is Carmen Sandiego\Treasures of Knowledge\uninstall.exe
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type222104 / Warning
Event Submitted/Written: 11/02/2007 05:57:45 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}', feature 'PaintShopProStudio' failed during request for component '{D2D7B4BF-6CCA-11D5-8B3F-00105A9846E9}'

Event Record #/Type222103 / Warning
Event Submitted/Written: 11/02/2007 05:57:45 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}', feature 'PaintShopProStudio', component '{9756BC4D-C647-4986-915E-0127D0A9A7AB}' failed. The resource 'HKEY_CURRENT_USER\Software\Jasc\Paint Shop Pro Studio 1\Installer\CacheFolder' does not exist.

Event Record #/Type222102 / Warning
Event Submitted/Written: 11/02/2007 05:57:45 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}', feature 'PaintShopProStudio' failed during request for component '{D2D7B4BF-6CCA-11D5-8B3F-00105A9846E9}'

Event Record #/Type222101 / Warning
Event Submitted/Written: 11/02/2007 05:57:45 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}', feature 'PaintShopProStudio', component '{9756BC4D-C647-4986-915E-0127D0A9A7AB}' failed. The resource 'HKEY_CURRENT_USER\Software\Jasc\Paint Shop Pro Studio 1\Installer\CacheFolder' does not exist.

Event Record #/Type222100 / Warning
Event Submitted/Written: 11/02/2007 05:57:44 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}', feature 'PaintShopProStudio' failed during request for component '{D2D7B4BF-6CCA-11D5-8B3F-00105A9846E9}'



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type15738 / Error
Event Submitted/Written: 11/02/2007 04:50:37 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {FBA44040-BD27-4A09-ACC8-C08B7C723DCD} did not register with DCOM within the required timeout.

Event Record #/Type15737 / Error
Event Submitted/Written: 11/02/2007 04:50:06 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {FBA44040-BD27-4A09-ACC8-C08B7C723DCD} did not register with DCOM within the required timeout.

Event Record #/Type15736 / Error
Event Submitted/Written: 11/02/2007 04:49:36 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {FBA44040-BD27-4A09-ACC8-C08B7C723DCD} did not register with DCOM within the required timeout.

Event Record #/Type15735 / Error
Event Submitted/Written: 11/02/2007 04:45:38 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {FBA44040-BD27-4A09-ACC8-C08B7C723DCD} did not register with DCOM within the required timeout.

Event Record #/Type15734 / Error
Event Submitted/Written: 11/02/2007 04:45:08 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {FBA44040-BD27-4A09-ACC8-C08B7C723DCD} did not register with DCOM within the required timeout.



-- End of Deckard's System Scanner: finished at 2007-11-02 17:59:21 ------------


Looking forward to your reply ... and next steps. Thanks.

#4 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:11:41 AM

Posted 03 November 2007 - 01:40 AM

Hello Daleboom,

PLEASE READ THIS POST COMPLETELY, IT MAY MAKE IT EASIER FOR YOU IF YOU COPY AND PASTE THIS POST INTO A NEW TEXT DOCUMENT OR PRINT IT FOR REFERENCE LATER



Please follow the steps below exactly in the order they are written:

Step #1


You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow steps below:

Copy the file paths in quote below to the clipboard, highlight all of them right-click and choose copy, or highlight them and press Ctrl+C:

"C:\Program Files\Quicken\bak\bagent.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE"
"C:\WINDOWS\SYSTEM32\bak\PSDrvCheck.exe"
"C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"
"C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
"C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
"C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\Intel\Intel Application Accelerator\bak\iaanotif.exe"
"C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
"C:\Program Files\ScanSoft\OmniPageSE2.0\bak\OpwareSE2.exe"
"C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
"C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\Program Files\SonicWALL\SSL-VPN\NetExtender\bak\NEGui.exe"
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"
"C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\bak\USBTip.exe"


Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 2, then press Enter.
Press any key to continue.
A Notepad document files.txt will appear with instructions to click below the line and paste the list of files to be restored.
Right click below the line and paste the list of files that were copied to the clipboard (Ctrl+V).
Close Notepad and you will receive prompt to save the changes, click Yes.
The program will proceed with working.
It may take a few minutes to complete so be patient.
When the scan is finished, it will open a text file in notepad called AWF.txt.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.

Step #2

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

My Way Search Assistant


Older Java versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please uninstall older version Java versions:

J2SE Runtime Environment 5.0 Update 11
Java 2 Runtime Environment, SE v1.4.2_06
Java™ 6 Update 2
Java™ SE Runtime Environment 6 Update 1


Please note any other programs that you don't recognize in that list in your next response

Step #3

- Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • - Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

- Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
- Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

- Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Posted Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

In your next post please include the following reports:
  • FindAWF report
  • AVG Anti-Spyware report
  • New HijackThis log (run after AVG Anti-Spyware has finished its work.)
Let me know how the things went.

Regards,
SNOWHITE
Posted Image

#5 Daleboom

Daleboom
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:41 AM

Posted 03 November 2007 - 12:48 PM

Snowhite, I did all as you said.

FYI - When I run the AWF routine (step 2) it took almost an hour, and I have a relatively new computer ... is that normal or a sign of something else.




Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Sat 11/03/2007
The current time is: 7:58:27.07


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

09/14/2007 10:00 AM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes

Directory of C:\PROGRA~1\QUICKEN\BAK

05/07/2007 02:17 PM 87,592 bagent.exe
1 File(s) 87,592 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\REGSHAVE\BAK

02/04/2002 11:32 PM 53,248 REGSHAVE.EXE
1 File(s) 53,248 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 07:00 AM 15,360 ctfmon.exe
03/10/2004 04:26 PM 406,016 PSDrvCheck.exe
2 File(s) 421,376 bytes

Directory of C:\PROGRA~1\ANALOG~1\CORE\BAK

10/14/2004 05:42 PM 1,404,928 smax4pnp.exe
1 File(s) 1,404,928 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

08/25/2004 02:52 PM 339,968 atiptaxx.exe
1 File(s) 339,968 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

10/12/2004 06:54 PM 57,344 DVDLauncher.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

01/12/2005 02:54 PM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

02/17/2005 12:11 AM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\INTEL\INTELA~1\BAK

03/23/2004 02:16 PM 135,168 iaanotif.exe
1 File(s) 135,168 bytes

Directory of C:\PROGRA~1\INTEL\MODEME~1\BAK

09/03/2003 10:12 PM 221,184 IntelMEM.exe
1 File(s) 221,184 bytes

Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK

05/08/2003 11:00 AM 49,152 OpwareSE2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~3\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

08/13/2004 03:05 AM 122,939 tfswctrl.exe
1 File(s) 122,939 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 03:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

09/11/2006 04:56 AM 86,960 issch.exe
09/11/2006 04:56 AM 218,032 ISUSPM.exe
2 File(s) 304,992 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

01/07/2004 03:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\PROGRA~1\SONICW~1\SSL-VPN\NETEXT~1\BAK

04/25/2007 05:31 PM 558,776 NEGui.exe
1 File(s) 558,776 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.2\APPS\BAK

03/09/2007 11:09 AM 63,712 apdproxy.exe
1 File(s) 63,712 bytes

Directory of C:\PROGRA~1\PINNACLE\SHARED~1\PROGRAMS\USBTIP\BAK

04/23/2004 11:00 AM 192,512 USBTip.exe
1 File(s) 192,512 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

267064 Sep 26 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 14 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Oct 10 2007 "C:\WINDOWS\Installer\{B045B608-4A47-4C77-9EAD-06C394503306}\iTunesIco.exe"
116024 Oct 10 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.3.1\iTunesSetupAdmin.exe"
87592 May 7 2007 "C:\Program Files\Quicken\bagent.exe"
87592 May 7 2007 "C:\Program Files\Quicken\bak\bagent.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
53248 Feb 4 2002 "C:\Program Files\REGSHAVE\REGSHAVE.EXE"
53248 Feb 4 2002 "C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
406016 Mar 10 2004 "C:\WINDOWS\SYSTEM32\PSDrvCheck.exe"
406016 Mar 10 2004 "C:\WINDOWS\SYSTEM32\bak\PSDrvCheck.exe"
1404928 Oct 14 2004 "C:\DRIVERS\AUDIO\SMAX4PNP.EXE"
1404928 Oct 14 2004 "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
1404928 Oct 14 2004 "C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"
339968 Aug 25 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
339968 Aug 25 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
57344 Oct 12 2004 "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
57344 Oct 12 2004 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
241664 Jan 12 2005 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
241664 Jan 12 2005 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
321 Oct 3 2007 "C:\Program Files\HP\hpcoretech\data\EvntData-1082620740.xml"
324 Oct 27 2007 "C:\Program Files\HP\hpcoretech\bak\data\EvntData-1392857164.xml"
49152 Feb 17 2005 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 17 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
135168 Mar 23 2004 "C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe"
135168 Mar 23 2004 "C:\Program Files\Intel\Intel Application Accelerator\bak\iaanotif.exe"
221184 Sep 3 2003 "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
221184 Sep 3 2003 "C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
49152 May 8 2003 "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
49152 May 8 2003 "C:\Program Files\ScanSoft\OmniPageSE2.0\bak\OpwareSE2.exe"
122939 Aug 13 2004 "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe"
122939 Aug 13 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
122939 Aug 13 2004 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
86960 Sep 11 2006 "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe"
86960 Sep 11 2006 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
218032 Sep 11 2006 "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
218032 Sep 11 2006 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
110592 Jan 7 2004 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
110592 Jan 7 2004 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
32881 Sep 28 2004 "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
32881 Feb 12 2007 "C:\Program Files\Britannica 7.0\Desktop Encyclopedia\jre\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
558776 Apr 25 2007 "C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe"
558776 Apr 25 2007 "C:\Program Files\SonicWALL\SSL-VPN\NetExtender\bak\NEGui.exe"
61440 Oct 19 2006 "C:\Program Files\Adobe\Adobe Premiere Elements 3.0\APD\Photo Downloader\apdproxy.exe"
63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"
192512 Apr 23 2004 "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
192512 Apr 23 2004 "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\bak\USBTip.exe"


end of report


I removed all of the old Java programs. When I went to remove My Way Search Assistant I got and error loading as the specified file could not be found.



Then I loaded and ran the AVG Anti-Spyware. It only found one Adaware Generic 11/03/07 (today’s date) thing that got quarantineed. However, I couldn't get it to print a report. The icon didn't light up, I am quite sure I followed the instructions correctly. Then I ran a scan again and it found nothing.

Here are two screen shots ... it is not letting me instert them. I will attach a file.


Here is the HJT file.

Thanks till next time.[/b]


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:23 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Quicken\bagent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
C:\Program Files\ClearPlay\ClearPlay Easy Updates\ClearPlayEasyUpdates.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tsc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.accuweather.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SonicWALLNetExtender] C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe -hideGUI -clearReboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickenScheduledUpdates] C:\Program Files\Quicken\bagent.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ClearPlay Easy Updates.lnk = C:\Program Files\ClearPlay\ClearPlay Easy Updates\ClearPlayEasyUpdates.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: http://vpn.whsystems.com
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162438597812
O16 - DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} (NELaunchCtrl Class) - https://vpn.whsystems.com/NELX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SonicWALL NetExtender Service (SONICWALL_NetExtender) - SonicWALL Inc. - C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe

--
End of file - 12039 bytes

Attached Files



#6 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:11:41 AM

Posted 03 November 2007 - 08:21 PM

Hello Daleboom,

FYI - When I run the AWF routine (step 2) it took almost an hour, and I have a relatively new computer ... is that normal or a sign of something else.


It shouldn't last very long, it is probably because of a lot of running processes. We are going to do more research, as for AVG Anti-Spyware i am sure you did followed the instructions right, it just sometimes doesn't let you to save reports and so far i haven't figure out why is that.

Please follow the steps below exactly in the order they are written:

Step #1

Copy the paths in quote below to the clipboard, highlight all of them right-click and choose copy, or highlight them and press Ctrl+C:

C:\Program Files\iTunes\bak
C:\Program Files\Quicken\bak
C:\Program Files\QuickTime\bak
C:\Program Files\REGSHAVE\bak
C:\WINDOWS\SYSTEM32\bak
C:\Program Files\Analog Devices\Core\bak
C:\Program Files\ATI Technologies\ATI Control Panel\bak
C:\Program Files\CyberLink\PowerDVD\bak
C:\Program Files\HP\hpcoretech\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\Intel\Intel Application Accelerator\bak
C:\Program Files\Intel\Modem Event Monitor\bak
C:\Program Files\ScanSoft\OmniPageSE2.0\bak
C:\WINDOWS\SYSTEM32\dla\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Common Files\InstallShield\UpdateService\bak
C:\Program Files\Common Files\Sonic\Update Manager\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\bak
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\bak


Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 3, then press Enter.
Press any key to continue.
A Notepad document folders.txt will appear with instructions to click below the line and paste the list of folders to be removed.
Right click below the line and paste the list of paths that were copied to the clipboard (Ctrl+V).
Close Notepad and you will receive prompt to save the changes, click Yes.
The program will proceed with working.
It may take a few minutes to complete so be patient.
When the scan is finished, it will open a text file in notepad called AWF.txt.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.

Step #2

1. Download combofix from one of these links:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


In your next post please include the following reports:
  • FindAWF report
  • ComboFix report
  • New HijackThis log (run after ComboFix has finished its work.)
Let me know how the things went.

Regards,
SNOWHITE
Posted Image

#7 Daleboom

Daleboom
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:41 AM

Posted 05 November 2007 - 06:25 AM

HI SNOWHITE: HERE IS THE AWF REPORT


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Sat 11/03/2007
The current time is: 21:36:12.18


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~3\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

321 Nov 3 2007 "C:\Program Files\HP\hpcoretech\data\EvntData-1082620740.xml"
324 Oct 27 2007 "C:\Program Files\HP\hpcoretech\bak\data\EvntData-1392857164.xml"


end of report




HERE IS THE COMBO FIX REPORT

ComboFix 07-11-01.1 - Paul 2007-11-03 22:29:14.1 - NTFSx86
Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1191847312.old
C:\Program Files\WinBudget\bin\matrix.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-04 to 2007-11-04 )))))))))))))))))))))))))))))))
.

2007-11-03 21:54 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 09:40 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\Grisoft
2007-11-03 09:40 <DIR> d-------- C:\DOCUME~1\Paul\APPLIC~1\Grisoft
2007-11-03 09:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
2007-11-03 09:40 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-11-03 07:58 406,016 --a------ C:\WINDOWS\SYSTEM32\PSDrvCheck.exe
2007-11-02 17:55 <DIR> d-------- C:\Deckard
2007-11-01 21:07 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-11-01 20:58 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\HouseCall 6.6
2007-11-01 20:58 <DIR> d-------- C:\DOCUME~1\Paul\APPLIC~1\HouseCall 6.6
2007-11-01 20:22 <DIR> d-------- C:\Documents and Settings\Paul\.housecall6.6
2007-10-29 09:02 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\Canon
2007-10-29 09:02 <DIR> d-------- C:\DOCUME~1\Paul\APPLIC~1\Canon
2007-10-23 22:40 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-04 01:36 --------- d-----w C:\Program Files\REGSHAVE
2007-11-04 01:36 --------- d-----w C:\Program Files\QuickTime
2007-11-04 01:36 --------- d-----w C:\Program Files\Quicken
2007-11-04 01:36 --------- d-----w C:\Program Files\iTunes
2007-11-03 13:26 --------- d-----w C:\Program Files\Java
2007-11-02 02:24 --------- d-----w C:\Program Files\Trend Micro
2007-11-02 01:27 --------- d-----w C:\Program Files\FinePixViewer
2007-11-02 01:26 --------- d-----w C:\Program Files\Google
2007-11-02 00:22 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-10 23:42 --------- d-----w C:\Program Files\iPod
2007-10-04 10:53 --------- d-----w C:\Program Files\Intel
2007-10-04 10:53 --------- d-----w C:\Documents and Settings\Paul\Application Data\InstallShield
2007-10-04 10:53 --------- d-----w C:\DOCUME~1\Paul\APPLIC~1\InstallShield
2007-10-03 22:58 --------- d-----w C:\Program Files\SonicWALL
2007-09-26 14:20 --------- d-----w C:\Program Files\RM1Demo
2007-09-26 08:17 --------- d-----w C:\Program Files\Apple Software Update
2007-09-17 18:40 35,856 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-09-17 18:40 202,768 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-09-17 18:31 1,126,072 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2005-04-22 20:27 569,457 ----a-w C:\Documents and Settings\Paul\Application Data\Pablo.zip
2005-04-22 20:27 569,457 ----a-w C:\DOCUME~1\Paul\APPLIC~1\Pablo.zip
2005-02-22 02:22 487,424 ----a-w C:\Documents and Settings\Paul\chatlnk.exe
2002-07-26 21:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 17:42]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 14:16]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 14:52]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 18:54]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54]
"DXDllRegExe"="dxdllreg.exe" []
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 04:56]
"USB2Check"="C:\WINDOWS\system32\PCLECoInst.dll" [2004-04-06 19:05]
"USBToolTip"="C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2004-04-23 11:00]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 16:26]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 04:56]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-23 15:26]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"SonicWALLNetExtender"="C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [2007-04-25 17:31]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 03:01]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 03:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"QuickenScheduledUpdates"="C:\Program Files\Quicken\bagent.exe" [2007-05-07 14:17]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-11 19:47]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 02:20:40]

R1 cmosa;cmosa;C:\WINDOWS\system32\drivers\cmosa.sys
R3 SSLDrv;SSL-VPN NetExtender Adapter;C:\WINDOWS\system32\DRIVERS\SSLDrv.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{769c3b04-1c63-11dc-911d-001111c3f6f6}]

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{769c3b04-1c63-11dc-911d-001111c3f6f6}\Shell\AutoRun\command - [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea19d9a6-5256-11dc-9181-001111c3f6f6}]
\Shell\AutoRun\command - H:\ClearPlayEasyUpdates.exe

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 22:48:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-03 22:58:42 - machine was rebooted
.
--- E O F ---



HERE IS THE HJT REPORT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:31 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Quicken\bagent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ClearPlay\ClearPlay Easy Updates\ClearPlayEasyUpdates.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tsc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.accuweather.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SonicWALLNetExtender] C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe -hideGUI -clearReboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickenScheduledUpdates] C:\Program Files\Quicken\bagent.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ClearPlay Easy Updates.lnk = C:\Program Files\ClearPlay\ClearPlay Easy Updates\ClearPlayEasyUpdates.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: http://vpn.whsystems.com
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162438597812
O16 - DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} (NELaunchCtrl Class) - https://vpn.whsystems.com/NELX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SonicWALL NetExtender Service (SONICWALL_NetExtender) - SonicWALL Inc. - C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe

--
End of file - 11675 bytes


NOT THAT I KNOW WHAT I AM LOOKING AT YET … I SEE THE HJT ENTRY ABOVE THAT I HAVE PASTED BELOW. I WONDER WHAT THIS IS …

O15 - Trusted Zone: *.doginhispen.com


Thanks for all of your help so far. The “whataboutadog” warning has stopped coming up. Prior to running COMBOFIX everything was running faster and nicer. After COMBOFIX things became very, very slow on start up, opening windows, etc.


#8 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:11:41 AM

Posted 06 November 2007 - 07:08 AM

Hello Daleboom,


Step #1

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\Trend Micro\Internet Security 2007\bak <-- this folder
C:\Program Files\HP\hpcoretech\bak <-- this folder

Close Windows Explorer.


Step #2

O15 - Trusted Zone: *.doginhispen.com


It is entry that the infection you had put in your trusted zone, same as whataboutadog.com. It should go away with the next instructions:

Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Press 4, then press Enter.
Press 1 then Enter to continue.
When done, you will receive similar message like this:Done! Zones have been reset
Press E then Enter to exit.

Step #3

Please do an online scan with Kaspersky WebScanner

NOTE: This Scanner will work with Internet Explorer Only!


Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As... button:
  • Under Save as type select Text file write name for the file and save it to your Desktop.
  • Locate the file at the Desktop, open it, then copy and paste that information in your next post.

Thanks for all of your help so far. The “whataboutadog” warning has stopped coming up. Prior to running COMBOFIX everything was running faster and nicer. After COMBOFIX things became very, very slow on start up, opening windows, etc.


You are welcome. I don't think that combofix made your computer to slow down, lets first check if there are still bad files in your computer and we will see what can we do about the problem with slowness. Post back with new new HijackThis report and Kaspersky report.

Regards,
SNOWHITE
Posted Image

#9 Daleboom

Daleboom
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:41 AM

Posted 07 November 2007 - 08:28 PM

HI AGAIN:

HERE IS THE KASPERSKY REPORT


It looks like the virus that showed up is: Trojan.Win32.Agent.bxj


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, November 07, 2007 7:59:22 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/11/2007
Kaspersky Anti-Virus database records: 453611
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 126155
Number of viruses found: 1
Number of infected objects: 23
Number of suspicious objects: 0
Duration of the scan process: 01:40:37

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Paul\Application Data\ClearPlay Inc\ClearPlay Easy Updates\1.0.1.4\cache Object is locked skipped
C:\Documents and Settings\Paul\Application Data\Intuit\Quicken\Log\qw.log Object is locked skipped
C:\Documents and Settings\Paul\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\ApplicationHistory\ClearPlayEasyUpdates.exe.9ede29b.ini.inuse Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\History\History.IE5\MSHist012007110720071108\index.dat Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Paul\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Paul\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NetExtender.dbg Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP787\A0169742.rbf Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP799\A0173786.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807\A0174520.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807\A0174521.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807\A0174522.EXE Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807\A0174523.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807\A0174524.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807\A0174525.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807\A0174526.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807\A0174527.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807\A0174528.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807\A0174529.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807\A0174530.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807\A0174531.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807\A0174532.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807\A0174533.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807\A0174534.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807\A0174535.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807\A0174536.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807\A0174537.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807\A0174538.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807\A0174539.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP807\A0174540.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP815\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{EFDC3D50-41CA-4CE0-93A8-C2F53DA13EA0}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\7z4jlvbp.TMP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.



AND HERE IS THE HJT REPORT



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:00:53 PM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Quicken\bagent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ClearPlay\ClearPlay Easy Updates\ClearPlayEasyUpdates.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.accuweather.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SonicWALLNetExtender] C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe -hideGUI -clearReboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickenScheduledUpdates] C:\Program Files\Quicken\bagent.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ClearPlay Easy Updates.lnk = C:\Program Files\ClearPlay\ClearPlay Easy Updates\ClearPlayEasyUpdates.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162438597812
O16 - DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} (NELaunchCtrl Class) - https://vpn.whsystems.com/NELX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SonicWALL NetExtender Service (SONICWALL_NetExtender) - SonicWALL Inc. - C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe

--
End of file - 11787 bytes


THINGS WERE VERY SLOW TO START UP AGAIN WHEN I REBOOTED THE COMPUTER.

ON ANOTHER SUBJECT. A WEEK BEFORE YOU STARTED HELPING ME I DOWNLOADED AND RAN “EUSING FREE REGISTRY CLEANER” IS THIS OK TO USE, OR SHOULD I STAY AWAY FROM THIS.

THANKS AGAIN.


#10 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:11:41 AM

Posted 09 November 2007 - 12:18 AM

Hello Daleboom,

Your reports are looking good, except the infected system restore for which you will find instructions how to clean it below.

ON ANOTHER SUBJECT. A WEEK BEFORE YOU STARTED HELPING ME I DOWNLOADED AND RAN “EUSING FREE REGISTRY CLEANER” IS THIS OK TO USE, OR SHOULD I STAY AWAY FROM THIS.


I never used that program, and from what i read about it, some people like it some they classified it as rouge program, see this link for more info --> http://www.malwarebytes.org/forums/index.php?showtopic=945
I personally use CCleaner and never had any problems with it.

The next entries you can fix them with HijackThis, they are legit but not required to run and you can start them manually if you need them:

Re-open HiJackThis and click on "Do a system scan only". Check the boxes next to all the entries listed below.

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
This is legit program, but the file needed for working is missing so its either not working correctly or not working at all.If you use this program you will need to reinstall it.

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
Checks the internet for updated drivers/utilities for your HP product - update manually.

O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
Part of the USB driver for your Fuji digital cameras - used when uninstalling the USB drivers, erasing all entries from the registry. Only required BEFORE attempting to uninstall the Fuji software or the uninstall may not work correctly

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
HP software updates. If a shortcut doesn't exist, create your own and run it manually

O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
InstallShield Update Service related; Automatically searches for and performs any updates to the software. Not required.

O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController"
Related to Pinnacle_Systems Inc. CoInstaller. You can Execute the USB2.0 interface check program (Usb2Check.exe file) to check if your system is USB2.0 enabled system

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
Available via Start -> Programs

O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
InstallShield Update Service Scheduler; automatically searches for and performs any updates to the software so you’re always working with the most current version. Not required.

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
Also not required.

O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
InstallShield Update Service related; Automatically searches for and performs any updates to the software. Not required.

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

If you are still experiencing slow start up problem, follow this link --> Help! My computer is slow!

I will keep your thread open for a couple of days, if the malware problem reappear feel free to post here.

Should you have any questions, please feel free to ask. ;)

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
Next, double click OTMoveIt and you should see a CleanUp! button, press that button, you may get prompt by your firewall that OTMoveIt tries to contact internet, allow this, a cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes.

NOTE: This will remove some of the tools we used so far, including OTMoveIt.


  • Click start then run, type prefetch then press enter, click edit then select all, (all files will highlight), right click any file, click delete, confirm.

  • Clean your Cache and Cookies in IE:
    • Close all instances of Outlook Express and Internet Explorer
    • Go to Control Panel > Internet Options > General tab
    • Click the "Delete Cookies" button
    • Next to it, Click the "Delete Files" button
    • When prompted, place a check in: "Delete all offline content", click OK
  • Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
    • Go to Tools > Options.
    • Click Privacy in the menu on the left side of the Options window.
    • Click the Clear button located to the right of each option (History, Cookies, Cache).
    • Click OK to close the Options window
      Alternatively, you can clear all information stored while browsing by clicking Clear All.
      A confirmation dialog box will be shown before clearing the information.
  • Clean other Temporary files + Recycle bin
    • Go to start > run and type: cleanmgr and click ok.
    • Let it scan your system for files to remove.
    • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    • Press OK to remove them.
  • DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
  • Untick - Show hidden files and folder
  • Tick - Hide file extensions for known types
  • Tick - Hide protected operating system files
Click Yes to confirm & then click OK
  • CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
    Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
  • Tick on the checkbox - Turn off System Restore on all drives
  • Click Apply
Turn it back 'On' by unticking the same checkbox & click OK
  • SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
  • Select the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Select Custom Level .
  • Change 'Download signed ActiveX controls' to Prompt
  • Change 'Download unsigned ActiveX controls' to Disable
  • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
  • Change 'Installation of desktop items' to Prompt
  • Change 'Launching programs and files in an IFRAME' to Prompt
  • Change 'Navigate sub-frames across different domains' to Prompt
  • When all these changes have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
[*] Select OK to exit the Internet Properties page.
[/list]Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Secunia Software Inspector
Check for other vulnerable programs running on your PC that are in need of an update.
http://secunia.com/software_inspector
Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see this link:
Understanding and Using Firewalls



SPYWAREBLASTER
SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here:
http://www.bleepingcomputer.com/forums/tutorial49.html


IE-SPYAD
IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here:
http://www.spywarewarrior.com/uiuc/resource.htm


COMODO BOClean
BOClean runs automatically in the background without interfering with your work and kills malwares INSTANTLY the moment they activate without giving them the chance to invade your machine. A tutorial on installing this product can be found here:
http://www.comodo.com/boclean/boclean.html


WINPATROL
Download and install the free version of Winpatrol. A tutorial for this product is located here:
http://www.winpatrol.com/features.html

A-SQUARED Anti-Dialer
This is a free program that provides defense against Dialers, scans the harddisk and provides a permanent background guard protection against new Dialer infections.

"Dialers are small programs that change the Internet access number of a modem-equipped computer to a much more expensive number"

To understand this threat better read this article The Dialer-Problem in Detail. a-squared Anti-Dialer can be downloaded at the following link:
http://download5.emsisoft.com/a2AntiDialerSetup.exe

A-SQUARED Free
This program is completely free of charge for private use, it removes infections of Trojans, Spyware, Adware, Worms, Keyloggers, Rootkits, Dialers and other malicious programs. It can be downloaded at the following link:
http://www.emsisoft.com/en/software/free

SUPERAntiSpyware Home Edition
Another effective program for helping remove some of the more difficult infections.
http://www.superantispyware.com/downloadfile.html
  • More Secure Browser - Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, and Opera
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

See these links for more information:

Foistware & How To Avoid It
Browser Hijacking & How to Stop It
Rogue/Suspect Anti-Spyware Products & Web Sites
So how did I get infected in the first place?

Stand Up and Be Counted ---> Posted Image <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Happy surfing and stay clean! :thumbsup:

Please respond to this thread once more so we can mark this thread as resolved.



Best regards,

Edited by SNOWHITE, 09 November 2007 - 12:20 AM.

SNOWHITE
Posted Image

#11 Daleboom

Daleboom
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:41 AM

Posted 12 November 2007 - 06:20 AM

Snowhite,

Thanks so much. You have been most helpful. You certainly helped me clean my virus/worm and have helped me clean lots of other things up.

I have already recommended Bleeping Computer to others.

My final observation is that my computer is running much slower, especially for the first 10 minutes after start up. Are perhaps other programs running in the background or is the computer looking for something?

I also have the Trend Micro firewall and the Windows firewall on, should I turn the Windows one off?

Any final comments you have would be helpful.

Thanks again.


#12 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:11:41 AM

Posted 16 November 2007 - 02:45 PM

Hi Daleboom, sorry for the delay.

I also have the Trend Micro firewall and the Windows firewall on, should I turn the Windows one off?


If Windows firewall is enabled, you should disable it, cause it might cause some conflicts if both of the firewalls are running at a time.

Have you checked this site --> http://users.telenet.be/bluepatchy/miekiem...owcomputer.html
See also this article --> http://www.microsoft.com/AtWork/getstarted/speed.mspx

Here are some other tips:

Click start then run, type prefetch then press enter, click edit then select all, (all files will highlight), right click any file, click delete, confirm.

Click start then all programs, accessories, system tools to run Disc Cleanup.

Reboot.

Click start then all programs, accessories, system tools to run Disk Defragmenter

Download, install and run Tune Up 2007 Trial

Run Tune Up disc clean up

Run Tune Up registry clean up

Disable the anti virus program then click Optimize and Improve to run Reg Defrag, the screen will lose color during the process which can take a few minutes and then needs a reboot

Check the anti virus program is running

Those will have cleared the drive of obsolete software errors

These are suggestions for making the most of the free trial.

Click optimize and improve then system optimizer to optimize the computer, select computer with an internet connection from the drop down menu, this also requires a reboot.

After the reboot, click optimize then system optimizer to accelerate downloads, select the speed just above your actual connection speed, this requires a reboot.

After the reboot, click optimize then system optimizer to run system advisor.

JkDefrag - is also nice and free program for defragmenting and optimizing, i use it personaly, see this link for more info --> http://www.kessels.com/JkDefrag/


Let me know how it goes.

Regards,
SNOWHITE
Posted Image

#13 Daleboom

Daleboom
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:41 AM

Posted 27 November 2007 - 06:54 AM

Thanks so much for your help Snowhite,

Things seem to be working very well now.

I think the slugishness on start up must have been do to programs starting up, etc.

Take care, much appreciated.
:thumbsup:

#14 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:11:41 AM

Posted 28 November 2007 - 08:25 AM

Thanks so much for your help Snowhite,

Things seem to be working very well now.

I think the slugishness on start up must have been do to programs starting up, etc.

Take care, much appreciated.
:wacko:

Thanks for letting us know that the computer is running better :thumbsup:

As the problem here seems to be resolved this topic is now closed.
To get it reopened PM a staff member with the address of this thread.
This applies to the topic starter only, everyone else with similar problems start a new topic.

Glad we could help :blink:
SNOWHITE
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users